Virus Update Server
Download antivirus updates for your workstations (FreeBSD 5.2)
Posted 29.08.2005 | Updated 23.05.2006 | Contributed by Andy Mallett


So the Automated FTP is happening, which pulls the images down to the Samba share. The next part is to make the virus update file available to the workstations.

1. McAfee to Flash

The FTP directory at Network Associates contains a number of files and I've narrowed it down to the SuperDAT file as being the one we need.

It will update the core engine if required, as well as the virus signatures. The file always starts with the sdat prefix, so I modified the FTP script thus:

cd /shares/vupdate
rm *.exe
wget -r -nc --passive-ftp --no-directories
ftp://ftp.nai.com./pub/antivirus/superdat/intel/sdat*.exe

exit 0

Note that lines 3 & 4 are all actually on the same line in the script.

So now the script deletes any previous update file and only downloads the SuperDAT. The next bit gets a bit Windowsy but it's worth mentioning in the context of Unix/Windows interfacing.

Due to restrictions imposed by the current imaging process, the student workstations are not running NetBIOS over TCP/IP. This means they will not be able to access the Samba share on Flash Server. I could publish the Samba shares in DNS, but I'm not sure if I would have to / want to install Services for Unix at this time. M'mann Ben "Microsoft" Donaldson is currently looking into this as an option. So for now, the virus updates will live in a share on Banshee Server, Goth's co-Domain Controller.

2. Flash to Banshee

Flash Server's crontab service is pulling new updates down every morning at 0200hrs. Banshee Server is able to access the Samba share on Flash as Banshee is running NetBIOS over TCP/IP, as well as being in the IT.NET Domain DNS loop. So I've written a batch file which will pull the virus signatures over to Banshee.. 

@ECHO OFF
D:
CD\SHARES\VUPDATE
DEL *.*
NET USE V: \\FLASH.IT.NET\VUPDATE /USER:student hello
COPY V:\*.EXE
REN SDAT*.EXE VUPDATE.EXE
NET USE V: /DELETE


Banshee deletes all previous .EXEs in the \VUPDATE directory, maps to Flash, grabs the latest vupdate, renames it to VUPDATE.EXE for the workstations and finally kills the share mapping. The current SDAT4568.EXE stands at 7MB in size and the above transfer between servers takes about 2 seconds. Splendid!

To make this happen at the required time of 3am every morning, I run the AT command on Banshee, which is the Microsoft equivalent to Unix's crontab. 

AT 03:00 /EVERY:M,T,W,TH,F VUPDATE.BAT

Status ID   Day                     Time          Command Line
----------------------------------------------------------------------
        1   Each M T W Th F         3:00 AM       D:\PROGS\VUPDATE.BAT


3. Banshee to IT.NET

The final task is to get the virus updates down to the workstations. Each machine running McAfee antivirus has the following VUPDATE.BAT batch file in the C:\Windows\System32 directory.. 

@ECHO OFF
NET USE V: \\BANSHEE.IT.NET\VUPDATE
V:\VUPDATE.EXE /silent /prompt /logfile c:\vupdate.txt
NET USE V: /DELETE
EXIT


The workstation maps a drive to Banshee's VUPDATE share, runs the VUPDATE.EXE and then kills the share. The silent switch removes any interruption to the user and the batch file closes after execution. A log is placed in the root of C: for reference.

Each classroom will update at different times of the day, to help with bandwidth management. The updates are scheduled once again, using XP's AT command.. 

C:\>AT 10:00 /EVERY:M,T,W,TH,F C:\WINDOWS\SYSTEM32\VUPDATE.BAT
Added a new job with job ID = 1

C:\>at
Status ID  Day               Time      Command Line
----------------------------------------------------------------------
       1   Each M T W Th F   10:00 AM  C:\WINDOWS\SYSTEM32\VUPDATE.BAT


And that's it. The system is currently handing out antivirus updates to over 100 workstations on my network. At a current size of 7MB, that's a saving of 63MB a day, compared to if I left each workstation to do it. Kewl..