How to Manually Update the Secure SD-WAN Engine Antimalware Database

Summary
This article provides instructions for manually updating the FlexEdge Secure SD-WAN Engine (previously NGFW) anti-malware definitions.
Notes and Warnings
Note Due to known issue NGFW-33868, avdbfetch does not find an update file placed under the /tmp folder when updating to antivirus database file 10000 or later. This issue is fixed in NGFW versions 6.8.6 and 6.10.2. The workaround for earlier NGFW versions is to give the path to the update file explicitly with the --dbzip= option:

# avdbfetch --help
Usage: avdbfetch [OPTIONS]

OPTIONS:
 -h, --help : Prints this message.
 --dbzip=<db.zip_file_path> : Sets the path and name of the database
                              signature zip file to be imported.

IMPORTANT NOTES:
  This script is used to deploy a database signature zip that's stored
  in local file system. This script doesn't download the databases.

  Unless --dbzip is used the script checks by default the /tmp directory
    for a file with a "avv-????.zip" name pattern to use as the
    database signature. If found no download takes place.
  After use the zip file (downloaded, given or found) is deleted.


For example:

# avdbfetch --dbzip=/tmp/avvdat-10004.zip

Problem

The Secure SD-WAN Engine (previously NGFW) cannot reach the update site https://downloadcenter.trellix.com/products/commonupdater. I want to update the anti-virus database manually. Anti-virus status displays errors and a manual update is required.

In the SMC appliance Status view, the Secure SD-WAN Engine Anti-Malware status is shown as red and the database update status is in an error state. There is a valid anti-virus license installed.

To verify the issue, run sg-hwstat -s "Anti-Malware" from the engine command line interface.

An example of the error:

status = error
Database Version
        status = ok
        infostring = 7579
Last Update
        status = ok
        infostring = 2014-11-10 17:10:16
Database Update Status
        status = error
        infostring = Error

Solution

Confirm that the firewall can reach https://downloadcenter.trellix.com/products/commonupdater:

  1. Log on to the Secure SD-WAN Engine.
  2. Type busybox nslookup downloadcenter.trellix.com and press Enter.
  3. Ping the IP address listed in the command output.
  4. If the ping fails, verify that the firewall has a default route and that the policy allows connections from the firewall's local NDI interface to the update site over HTTP and HTTPS. The default template policy allows this.
  5. Ensure that the firewall has Internet access. If the link to the ISP is down, or the Engine is deployed in an environment with no Internet access, the firewall cannot update the anti-virus database automatically.

If the firewall policy allows a connection to the update site but the issue persists:

  1. Go to the antivirus database update archive https://downloadcenter.trellix.com/products/commonupdater.
  2. Click avv-*.zip to download the latest file manually.
  3. On the firewall, move the zip file to /tmp/.
  4. From the terminal command line, type avdbfetch and press Enter.
  5. The avdbfetch command finds the zip file in the /tmp/ directory automatically (on versions affected by NGFW-33868, see the note above and pass the file with --dbzip= instead).
  6. After avdbfetch has finished, wait 30 to 60 seconds to make sure the AV database has been properly updated, then type sg-hwstat -s "Anti-Malware" and press Enter.
  7. You see the following output:
root@NGFW4:~# sg-hwstat -s "Anti-Malware"

Anti-Malware:
=============
status = ok
Database Version
        status = ok
        infostring = 10539
Last Update
        status = ok
        infostring = 2022-11-22 08:56:23

Library Version
        status = ok
        infostring = 6400.9594
Database Update Status
        status = ok
        infostring = Ready

overall status  ok


This indicates that the database has been updated.
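The check in steps 6 and 7 is easy to get wrong by eye when the output is long, so the following added script (example code written for this article, not Forcepoint's own tooling) parses the output of sg-hwstat -s "Anti-Malware" section by section and returns a non-zero exit status when "Database Update Status" is not ok. It also wraps the manual update into one function that always uses the --dbzip= option shown in the note above, so the same command works on versions affected by NGFW-33868. The two sample outputs are constructed from the examples in this article; the 60-second wait and the function names are assumptions, and avdbfetch and sg-hwstat only exist on the engine itself.

```shell
#!/bin/sh
# Added example for this article: parse `sg-hwstat -s "Anti-Malware"` output
# and drive the manual update. Not part of the Secure SD-WAN product.

# Constructed sample outputs, modelled on the article's "error" and "ok" examples.
SAMPLE_ERROR='Anti-Malware:
=============
status = error
Database Version
        status = ok
        infostring = 7579
Last Update
        status = ok
        infostring = 2014-11-10 17:10:16
Database Update Status
        status = error
        infostring = Error'

SAMPLE_OK='Anti-Malware:
=============
status = ok
Database Version
        status = ok
        infostring = 10539
Last Update
        status = ok
        infostring = 2022-11-22 08:56:23
Library Version
        status = ok
        infostring = 6400.9594
Database Update Status
        status = ok
        infostring = Ready

overall status  ok'

# section_field SECTION FIELD  (sg-hwstat output on stdin)
# Prints the value of "FIELD = value" inside the named section, e.g.
#   section_field "Database Version" infostring   -> 10539
section_field() {
  awk -v sec="$1" -v fld="$2" '
    $0 == sec          { insec = 1; next }          # section header line
    insec && $1 == fld { sub(/^[^=]*= */, ""); print; exit }
    insec && NF && $1 != "status" && $1 != "infostring" { insec = 0 }  # next section
  '
}

# av_health  (sg-hwstat output on stdin)
# Exit 0 when the update status is ok, 1 otherwise; prints a one-line summary.
av_health() {
  out=$(cat)
  upd=$(printf '%s\n' "$out" | section_field "Database Update Status" status)
  ver=$(printf '%s\n' "$out" | section_field "Database Version" infostring)
  last=$(printf '%s\n' "$out" | section_field "Last Update" infostring)
  if [ "$upd" = "ok" ]; then
    echo "antimalware database OK: version ${ver:-?}, last update ${last:-?}"
    return 0
  fi
  echo "antimalware database NOT healthy: update status '${upd:-missing}', version ${ver:-?}, last update ${last:-?}" >&2
  return 1
}

# manual_av_update ZIP
# Runs the article's procedure on the engine: import the given avv zip with
# --dbzip= (works around NGFW-33868), wait, then verify with sg-hwstat.
# The 60-second wait is an assumption taken from the "30 - 60 seconds" in step 6.
manual_av_update() {
  zip="$1"
  [ -f "$zip" ] || { echo "no such file: $zip" >&2; return 2; }
  command -v avdbfetch >/dev/null 2>&1 || { echo "avdbfetch not found; run this on the engine" >&2; return 2; }
  avdbfetch --dbzip="$zip" || return 1
  sleep 60
  sg-hwstat -s "Anti-Malware" | av_health
}

# Demo on the constructed samples (safe to run anywhere).
printf '%s\n' "$SAMPLE_OK" | av_health
printf '%s\n' "$SAMPLE_ERROR" | av_health || true
```

On the engine, `manual_av_update /tmp/avvdat-10004.zip` replaces steps 3 to 7; anywhere else, piping saved sg-hwstat output into `av_health` gives a pass/fail exit code that a monitoring job can act on.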

Note The avdbfetch command can also be used to fetch an anti-virus database from an external source. However, configuring automatic download, either directly or through a proxy, is recommended. See the command options by running avdbfetch -h.
