This topic tells you how to update virus definitions on an Anti-Virus for VMware Tanzu mirror that is deployed by the Anti-Virus Mirror for VMware Tanzu tile.

The Anti-Virus Mirror for VMware Tanzu tile and the Anti-Virus for VMware Tanzu tile work together as follows:

  • The Anti-Virus for VMware Tanzu tile runs Anti-Virus on all BOSH VMs by adding it to the BOSH runtime config.
  • The Anti-Virus Mirror for VMware Tanzu tile creates an internal mirror that is used by the ClamAV components running on BOSH VMs.


The ClamAV community regularly updates virus definitions and publishes them to an external ClamAV database.

How these updated virus definitions propagate to the internal Anti-Virus Mirror that BOSH VMs use depends on whether your environment is running in an online or air-gapped network:

  • Online Network: The Anti-Virus Mirror updates its virus definitions automatically.
  • Air-gapped Network: An operator must manually download new virus definitions and run bosh scp to update them on the internal Anti-Virus mirror.

For more information and diagrams about this architecture, see How Virus Definitions Propagate to VMs.

The following sections describe both of these scenarios and explain how to manually update virus definitions on the internal Anti-Virus mirror.

Verify That Your Virus Definitions Are Up to Date

To confirm that virus definitions are up to date on a given VM:

  1. BOSH SSH on to the VM.
  2. View the go-clam-tls logs located at /var/vcap/sys/log/antivirus/go-clam-tls.log. For more information, see go-clam-tls Log Messages.

Automatic Updates with Online Networks

When your environment runs on an online network, the Anti-Virus Mirror VM regularly checks the external ClamAV database every two hours.

When new virus definitions are present on the external database, Anti-Virus Mirror downloads them automatically.

Manually Update on an Air-gapped Network

Anti-Virus jobs use three virus definitions files, main.cvd, daily.cvd, and bytecode.cvd. The internal Anti-Virus Mirror serves these three files to all Anti-Virus jobs in your environment.

To update the virus definitions:

  1. Download the three virus definition files from the ClamAV virus database mirror or an equivalent external mirror. You can access the ClamAV mirror at the following URLs:


    If you are unable to download the virus definitions from one of the links above, use the cvdupdate tool. For information about cvdupdate, see the ClamAV documentation.

  2. Copy your downloaded virus definition files to your Ops Manager VM.


    For example:

    $ scp -i ~/.ssh/my-key.pem ~/Downloads/main.cvd ~/Downloads/daily.cvd ~/Downloads/bytecode.cvd ubuntu@ 
  3. SSH into the Ops Manager VM. For instructions, see Log in to the Ops Manager VM with SSH in the Ops Manager documentation.

  4. Find the name of your Anti-Virus Mirror deployment by running:

    bosh -e BOSH-ENVIRONMENT deployments | grep p-antivirus-mirror | cut -f1

    For example:

    $ bosh -e my-env deployments | grep p-antivirus-mirror | cut -f1

    The deployment name starts with p-antivirus-mirror- and is followed by a string of characters. For example:

    $ p-antivirus-mirror-08815ca5ead252c4b8d8
  5. Copy the virus definitions to your internal Anti-Virus Mirror by running:

    bosh -e BOSH-ENVIRONMENT -d ANTIVIRUS-DEPLOYMENT-NAME scp /path/to/local/main.cvd /path/to/local/daily.cvd /path/to/local/bytecode.cvd :/var/vcap/data/antivirus-mirror/unvalidated

    For example:

    $ bosh -e my-env -d p-antivirus-mirror-4cb8cfbeee717258d72e scp main.cvd daily.cvd bytecode.cvd :/var/vcap/data/antivirus-mirror/unvalidated

    Note If the CVD files being uploaded are too big, clamd might start consuming them before the upload has finished. If this happens, you might receive log messages saying one of the CVD files could not be loaded. To workaround this issue, you can upload the CVD files to a temporary folder on the VM first, and after the upload is finished, move the files to /var/vcap/data/antivirus-mirror/unvalidated.

  6. Verify that the mirror validated and updated its local copies of the virus definitions by running:

    bosh -e BOSH-ENVIRONMENT -d ANTIVIRUS-DEPLOYMENT-NAME ssh -c "sudo cat FILE | grep \"updated /var/vcap/store\""

    Where FILE is determined by the output destination configured in Anti-Virus Mirror Configuration of the Anti-Virus Mirror for VMware Tanzu tile. Use one of the following:

    • /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stdout.log for stdout
    • /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stderr.log for stderr
    • /var/log/syslog for syslog

    For example:

    $ bosh -e my-env -d p-antivirus-mirror-4cb8cfbeee717258d72e ssh -c "sudo cat /var/log/syslog | grep \"updated /var/vcap/store\""
    2019/05/30 17:16:34 updated /var/vcap/store/antivirus-mirror/validated/bytecode.cvd
    2019/05/30 17:16:40 updated /var/vcap/store/antivirus-mirror/validated/daily.cvd
    2019/05/30 17:16:49 updated /var/vcap/store/antivirus-mirror/validated/main.cvd
check-circle-line exclamation-circle-line close-line
Scroll to top icon