2.2.3. Update presentation

Threat-DB updates apply to GCenter and GCap.
There are several types of update packages:
  • beacon package: this package contains the beacon update

  • cti package: this package contains update of the database of Indicators Of Compromise

  • dga package: this package contains update to the DGA detect engine

  • sigflow package: this package contains only Sigflow engine and rules base updates

  • malcore directory: this directory contains the updates of the Malcore engines and their antivirus databases

  • full package (full): this package is the sum of the previous packages

Note

The malcore directory contains:

  • One package for each antivirus engine, named after the hash of the engine it relates to (the same hash shown in the Malcore healthcheck)

  • A package of utilities named "common_utilities.gwp"

These packages can be installed as follows:


2.2.3.1. Manual Update

The manual update is suitable for isolated environments.
The administrator must first manually download the update packages to an administration workstation and then upload them to the GCenter via the web interface.

Note

The cti.gwp package is updated hourly on update.gatewatcher.com
The other packages are updated daily.

Note

If the network has no bandwidth limitation, the easiest way is to load the full.gwp file, which updates everything in a single operation.
In this case, the GUI to be used is described in the `Threat DB update` screen.
For manual installation, see the Installing an update manually procedure.

2.2.3.2. Automatic update

Automatic updates can be carried out in different ways depending on the needs of the information system:

  • Online update: packages are downloaded directly from GATEWATCHER websites

  • Local update: packages are downloaded from a local repository

This schedule has to be configured.
In this case, the GUI to be used is described in the `Threat DB update` screen.
For setting up the schedule, see the Configuring automatic update of signatures and/or anti-viral engines procedure.

2.2.3.2.1. Online update

The Online update automates updates and reduces administration tasks.
The Online update is done automatically from https://update.gatewatcher.com/ and https://gupdate.gatewatcher.com.

Note

In scheduled Online mode, the schedule only applies to the Sigflow engine.
Malcore engine updates are performed every 24 hours.

2.2.3.2.2. Local update

In order to meet specific security constraints, the GCenter can load its updates from a local repository previously configured to receive the packages.
The steps for setting up a local repository are as follows:
  • Prerequisites: a web server listening on port 80

  • Create the tree structure "2.5.3.10X/GCenter", named according to the GCenter version (2.5.3.103).
    In the following configuration example, this tree is created at the root of the server.

  • Retrieve the gwp files for version 2.5.3.103 (beacon.gwp, cti.gwp, dga.gwp, all packages of the malcore folder, sigflow.gwp) from https://update.gatewatcher.com/update/

  • Put the previously retrieved gwp files in "2.5.3.10X/GCenter"

  • Put the .sha256 files corresponding to the files above in "2.5.3.10X/GCenter"
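The repository tree described above, as an added example that is not Gatewatcher's own tooling: a POSIX shell script that builds "<version>/GCenter" under the web server root from already-downloaded .gwp packages, writes the .sha256 companion files, and re-verifies them so that a truncated or altered package is caught before the GCenter fetches it. It assumes the .sha256 files use the `sha256sum` one-line format and that the malcore packages sit flat in GCenter beside the others; the required-package list is taken from the procedure and does not cover the license-dependent malcore packages.

```shell
#!/bin/sh
# Added example, not Gatewatcher's own tooling: build the local repository
# tree "<version>/GCenter" from already-downloaded .gwp packages and write
# the .sha256 companion files. Assumptions: the .sha256 file holds one line
# in `sha256sum` format ("<hex digest>  <filename>"), and the malcore
# packages sit flat in GCenter next to the others.
set -eu

# Packages the procedure names for a local update (malcore ones vary per license).
REQUIRED_PKGS="beacon.gwp cti.gwp dga.gwp sigflow.gwp"

# build_repo <webroot> <version> <staging-dir>
# Copies every *.gwp in <staging-dir> into <webroot>/<version>/GCenter and
# writes <name>.sha256 beside each one; fails if a required package is absent.
build_repo() {
    webroot=$1; version=$2; staging=$3
    dest="$webroot/$version/GCenter"
    mkdir -p "$dest"
    for pkg in "$staging"/*.gwp; do
        [ -e "$pkg" ] || { echo "no .gwp files in $staging" >&2; return 1; }
        name=$(basename "$pkg")
        cp "$pkg" "$dest/$name"
        # Run inside <dest> so the recorded filename carries no path component.
        (cd "$dest" && sha256sum "$name" > "$name.sha256")
    done
    for req in $REQUIRED_PKGS; do
        [ -e "$dest/$req" ] || { echo "missing required package $req" >&2; return 1; }
    done
}

# verify_repo <webroot> <version>
# Re-checks every .gwp against its .sha256 and returns 1 on any mismatch or
# missing checksum, so a truncated or altered package is caught before
# GCenter fetches it.
verify_repo() {
    dest="$1/$2/GCenter"
    status=0
    for pkg in "$dest"/*.gwp; do
        name=$(basename "$pkg")
        if [ ! -e "$pkg.sha256" ]; then
            echo "no checksum for $name" >&2; status=1; continue
        fi
        (cd "$dest" && sha256sum -c --status "$name.sha256") \
            || { echo "checksum mismatch: $name" >&2; status=1; }
    done
    return $status
}
```

Run `build_repo /var/www 2.5.3.103 ./downloads` after fetching the packages, then `verify_repo /var/www 2.5.3.103` before pointing the GCenter at the server; when upgrading, repeat with the new version folder name.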

Note

The cti.gwp package is updated hourly on update.gatewatcher.com
The other packages are updated every day.
It is possible to download the full.gwp file in automatic mode by using the option "use one .gwp file instead of split" in the Threat DB update configuration.

Note

In case of limited bandwidth, the exact list of required packages consistent with the license is available in the Threat DB update configuration, via the `show requirements` button.

Note

Before a version upgrade, it is strongly recommended to update the local repository tree by adding a folder named after the new version.
If this is not done, the equipment will no longer be able to update, which causes errors during automatic updates.