Upgrading Anti-Virus

This topic describes how to upgrade Anti-Virus for VMware Tanzu (formerly known as ClamAV Add-on for PCF).

For product versions and upgrade paths, see Upgrade Planner.

Compatibility and Prerequisites

See the following topics to ensure you have the required component versions and prerequisites:

Upgrade Considerations for Anti-Virus for VMware Tanzu

The upgrade instructions vary depending on the version of Anti-Virus you are currently using. See the table below for the new features to consider and the upgrade instructions to use.

If you are currently on…	When upgrading to v2.3…
v1.x	Uninstall ClamAV Add-on for PCF v1.x and install Anti-Virus v2.x tile. For upgrade instructions, see Replace Pivotal Anti-Virus v1.x with Anti-Virus for VMware Tanzu v2.x below.
v2.0	Decide whether to use Anti-Virus Mirror or an existing mirror. Anti-Virus now supports existing mirrors with TLS. For more information, see Using an Existing Mirror below. If required, configure the mirror port. For more information see Configuring the Mirror Port below. You can set Timeout to connect to the database server (in seconds). VMware recommends that you reset the value of CPU limit (Percentage). You must ensure that all VMs you install Anti-Virus on have at least 2 GB free RAM and 2 CPU. On Google Cloud Platform (GCP), the recommended minimum VM size is `micro.cpu`. You must set the field memory limit (in bytes) to at least `1610612736`. For upgrade instructions, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0 below.
v2.1	You can set Timeout to connect to the database server (in seconds). VMware recommends that you reset the value of CPU limit (Percentage). You must ensure that all VMs you install Anti-Virus on have at least 2 GB free RAM and 2 CPU. On Google Cloud Platform (GCP), the recommended minimum VM size is `micro.cpu`. You must set the field memory limit (in bytes) to at least `1610612736`. For upgrade instructions, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.1 or Later below.
v2.2	You must ensure that all VMs you install Anti-Virus on have at least 2 GB free RAM and 2 CPU. On Google Cloud Platform (GCP), the recommended minimum VM size is `micro.cpu`. You must set the field memory limit (in bytes) to at least `1610612736`. For upgrade instructions, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.1 or Later below.

Replace Pivotal Anti-Virus v1.x with Anti-Virus for VMware Tanzu v2.x

To uninstall Pivotal Anti-Virus v1.x and install Anti-Virus for VMware Tanzu v2.x in its place:

Retrieve the latest runtime config YML by running:
```
bosh -e ENVIRONMENT runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG
```
Where:
- ENVIRONMENT is your environment
- PATH-TO-SAVE-THE-RUNTIME-CONFIG is the location where you want to save the runtime configuration.
For example:
```
 $ bosh -e my-env runtime-config > /runtime/config/ 
```
In the runtime config YML, remove all ClamAV properties under the releases: and addons: sections.

Update the runtime config:

ENVIRONMENT=<insert variable here>
PATH-TO-SAVE-THE-RUNTIME-CONFIG=<insert variable here>
bosh -e $ENVIRONMENT update-runtime-config --name=clamav ${PATH-TO-SAVE-THE-RUNTIME-CONFIG}

Where:

ENVIRONMENT is your environment
PATH-TO-SAVE-THE-RUNTIME-CONFIG is the location of the runtime configuration you are updating.

For example:

 $ bosh -e my-env update-runtime-config –name=clamav /runtime/config/

Follow the instructions in Installing and Configuring Anti-Virus for VMware Tanzu to set up the Anti-Virus for VMware Tanzu tile.

Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0

Additional configurations might be required when upgrading from v2.0.x. This is because of the following features introduced in Anti-Virus v2.1:

Support for existing mirrors with Transport Layer Security (TLS). For more information, see Using an Existing Mirror below.
Ability to configure the Mirror Port used by Anti-Virus. For more information see Configuring the Mirror Port below.

To upgrade Anti-Virus for VMware Tanzu to v2.3 from v2.0, you must:

Update Anti-Virus for VMware Tanzu
Complete Configuring Anti-Virus for VMware Tanzu and Apply Changes

Update Anti-Virus for VMware Tanzu

To update Anti-Virus for VMware Tanzu:

Record the value in the CPU limit (percentage) field.

Note: Upgrading to this version from v2.1 or earlier restores this field to the default value of 50%. All other configuration details are kept when upgrading.
Download the latest version of Anti-Virus from VMware Tanzu Network to your local machine.
If you do not want to use an existing mirror, download the latest version Anti-Virus Mirror from VMware Tanzu Network to your local machine.
Upload the new .pivotal files to Ops Manager.
If required, upload any stemcells associated with the update.
Update any new mandatory configuration parameters. For information about what to configure for your version, see the table in Upgrade Considerations for Anti-Virus for VMware Tanzu above.

Complete Configuring Anti-Virus for VMware Tanzu and Apply Changes

The instructions to complete your configuration depend on whether:

You are using Anti-Virus Mirror and want to continue to using it. See Continue Using Anti-Virus Mirror below.
You are using an existing mirror. See Continue Using an Existing Mirror below.
You are currently using Anti-Virus Mirror, but want to switch to an existing mirror instead. See Switch to an Existing Mirror below.

Continue Using Anti-Virus Mirror

To complete your configuration if you are using Anti-Virus Mirror:

(Optional) To change the ports used by Anti-Virus and Anti-Virus Mirror, follow the instructions in Changing the Port Used by Anti-Virus and Anti-Virus Mirror.
If you have not done so as part of a previous step, apply configuration changes for your whole foundation:
1. Return to the Ops Manager Installation Dashboard and click Review Pending Changes.
2. Select all the products in your foundation and click Apply Changes.

Continue Using an Existing Mirror

To complete your configuration if you are using an existing mirror:

Check that the port used by Anti-Virus and your mirror are the same. If they are not, configure the Mirror Port used for Anti-Virus:
- To change the Mirror Port in Anti-Virus to use the port that your existing mirror uses, follow the procedure in Change the Port in the Anti-Virus Tile.
- To change the port on your existing mirror to use the Anti-Virus default of 6501, do that now.
If you have not done so as part of a previous step, apply configuration changes for your whole foundation:
1. Return to the Ops Manager Installation Dashboard and click Review Pending Changes.
2. Select all the products in your foundation and click Apply Changes.

Switch to an Existing Mirror

To complete your configuration if you are currently using Anti-Virus Mirror, but want to switch to an existing mirror instead:

Follow the instructions in Changing the Port Used by Anti-Virus with an Existing Mirror.

Upgrade Anti-Virus for VMware Tanzu to This Version from v2.1 or Later

To upgrade Anti-Virus for VMware Tanzu to v2.3 from v2.1 or later:

If you are upgrading from v2.1, record the value in the CPU limit (percentage) field.

Note: Upgrading to this version from v2.1 or earlier restores this field to the default value of 50%. All other configuration details are kept when upgrading.
Download the latest version of Anti-Virus from VMware Tanzu Network to your local machine.
If you do not have an existing mirror, download the latest version Anti-Virus Mirror from VMware Tanzu Network to your local machine.
Upload the new .pivotal files to Ops Manager.
If required, upload any stemcells associated with the update.
Update any new mandatory configuration parameters. For information about what to configure for the version you are updating to, see the table in Upgrade Considerations for Anti-Virus for VMware Tanzu above.
Return to the Ops Manager Installation Dashboard and click Review Pending Changes.
Ensure all products are selected and click Apply Changes.

Use an Existing Mirror

In v2.1.3, Anti-Virus only supported TLS when using mutual TLS (mTLS) with Anti-Virus Mirror.
In v2.1.6 and later, Anti-Virus permits the use of an existing mirror with TLS.

Note: mTLS is not available when using an existing mirror. The existing mirror serves the database files, which are outside of VMware’s control, and does not require two way authentication with the Anti-Virus process. Anti-Virus only needs to verify that it is communicating with the correct server by verifying its certificate.

If you are currently using Anti-Virus Mirror and want to use an existing mirror instead, VMware recommends that you configure Anti-Virus to use the new mirror before uninstalling Anti-Virus Mirror.

Configure the Mirror Port

In v2.0.x, the port used by Anti-Virus and Anti-Virus Mirror was 80 and was not configurable. In v2.1.x and later, the default port used is 6501 and is now configurable.

If you are using the Anti-Virus Mirror with Anti-Virus, do one of the following:

To use the default port with Anti-Virus and Anti-Virus Mirror, then you do not need to make any changes after upgrading.
To change the ports used by Anti-Virus and Anti-Virus Mirror, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0 above.

If you are using an existing mirror with Anti-Virus, do one of the following:

Configure your existing mirror to use the default 6501 port used by Anti-Virus.
Configure Anti-Virus to use the port used by your existing mirror. To do this, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0 above.