Symantec and Clam AV Subscription issues

Article ID: 260358

Updated On:

Products

ISG Content Analysis

Issue/Introduction

We are facing issues downloading Symantec and ClamAV updates in CAS.

There is an IPS present in the environment and CAS is going through a proxy.

We have already allowed the Broadcom and Blue Coat domains and URLs in the proxy.

Environment

Release : 3.1.5.0

Resolution

Note: Start a packet capture (PCAP) on the proxy, with the filter set to the IP address of the CAS appliance. Also start a PCAP on the CAS appliance, from the CLI, using the #pcap start command.

For the ClamAV issue reported, it is possible that the DNS server was temporarily down or that some other network problem interfered with the virus update. Try forcing the update by selecting Services > AV Patterns and clicking Force Update All Now.

Each antivirus vendor provides pattern file updates that necessarily contain portions (or descriptions) of viruses. Generally, these virus segments are encoded and are too small to be mistaken as a true virus by other AV vendors. But occasional false positives occur. These can be prevented by exempting virus pattern update locations from scanning, as the following example policy illustrates (place this policy after all other ICAP policies on the ProxySG):

<cache>
url.host=download.bluecoat.com response.icap_service(no)
url.host=av-download.bluecoat.com response.icap_service(no)

If you have an Enterprise license, the Symantec AV is enabled by default.

(config)# services clam mirror url url
Specify the URL of the mirror where you have installed ClamAV virus database pattern files.

(config)# services clam mirror use-proxy true | false
If a networking proxy is specified in Proxy-Settings, use the proxy to access the mirror.

Also, please ensure that you activate ClamAV from the CLI. Please see the snippet below for further guidance.


Again, try forcing the update by selecting Services > AV Patterns and clicking Force Update All Now.

Do this a few times, then stop the PCAP on the ProxySG and, from the CLI, on the CAS appliance.

For the PCAP collected from the CLI, you may transfer the PCAP to an FTP server, following the guidance in the pcap tech docs.


After implementing the above, the CAS appliance should be able to download the ClamAV update and update the AV pattern and engine. If it does not, collect both PCAP files, from the proxy and from the CAS (CLI), and attach them to a support ticket for further investigation.
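
A quick way to triage the CAS-side capture before attaching it to a ticket, as an added example that is not part of the original article or of Broadcom's tooling: it counts, per peer, the SYNs the CAS sent and the SYN-ACKs and RSTs it received, which separates a connection that was never answered from one that was reset in the path (for example by the IPS). It assumes a classic libpcap file with Ethernet framing; the function names, addresses and sample frames are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def tcp_summary(pcap: bytes, cas_ip: str) -> dict:
    """Count SYNs sent by cas_ip and SYN-ACKs/RSTs it got back, per peer (ip, port)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # keep untagged IPv4/TCP frames only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue                           # truncated TCP header
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", tcp[:4])
        syn, rst, ack = tcp[13] & 0x02, tcp[13] & 0x04, tcp[13] & 0x10
        if src == cas_ip and syn and not ack:
            stats[(dst, dport)]["syn"] += 1
        elif dst == cas_ip and (rst or (syn and ack)):
            stats[(src, sport)]["rst" if rst else "synack"] += 1
    return dict(stats)

def triage(stats: dict) -> dict:
    """Label each peer: reset, no answer, or handshake ok."""
    return {peer: "reset" if c["rst"] else "no answer" if c["syn"] > c["synack"]
            else "handshake ok" for peer, c in stats.items()}

def _frame(src, dst, sport, dport, flags):     # constructed Ethernet/IPv4/TCP frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack(
        "!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)

CAS = "192.0.2.10"                             # constructed sample addresses
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, 54, 54) + f for f in [
        _frame(CAS, "192.0.2.20", 40000, 8080, 0x02),       # SYN to the proxy
        _frame("192.0.2.20", CAS, 8080, 40000, 0x12),       # SYN-ACK from the proxy
        _frame("192.0.2.20", CAS, 8080, 40000, 0x04),       # RST during the session
        _frame(CAS, "198.51.100.7", 40001, 80, 0x02)])      # SYN that is never answered
```

Calling `triage(tcp_summary(data, cas_ip))` on the bytes of a real capture gives one verdict per destination; a pcapng file raises `ValueError` and needs converting to classic pcap first.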