Software updates

The base operating system for AMDP is currently Ubuntu focal 20.04 LTS and uses standard Ubuntu software update facilities and package management tools.

The system installation from the ISO includes baseline packages for AMDP and Ubuntu, as well as configuration for the related update repositories and the digital signatures for validating updates. The primary tool for managing updates is the standard Linux Advanced Packaging Tool (APT).

As part of the initial setup and registration, the amd_register tool invokes apt to update the system and AMDP software to the latest versions available from the update repositories.

After the system has been installed and registered, the update behavior can be changed. By default, the repositories are checked daily to see if there are available updates, and any updates which are eligible for automatic installation are applied. To change this behavior, use the amd_setup updates command.

To enable automatic updates for both AMDP and the system, use the following command:
amd_setup updates --system --amdp enable
or to disable automatic updates:
amd_setup updates --system --amdp disable
If either --system or --amdp is omitted, only the specified updates are affected by the command, so for example
amd_setup updates --amdp enable

enables updates for AMDP but doesn't change the setting for system updates.

Run amd_setup updates -h to see the available options for the command:
root@amd-mgr:~# amd_setup updates -h
usage: amd_setup updates [-h] [--system] [--amdp] {enable,disable}
 
positional arguments:
  {enable,disable}  Choose whether to enable or disable automatic updates
 
optional arguments:
  -h, --help        show this help message and exit
  --system          base system software updates
  --amdp            AMDP software updates

Automatic updates

The following package types are eligible for automatic update:
  • Security updates for system packages
  • AMDP administrative tools (wizard, cli)
  • AMDP services and health monitors
  • Threat detection and malware signatures (manager); autoinstalled, but need to be reloaded
  • Sandbox VM monitors (engine); autoinstalled, but VMs may need to be rebuilt

Manual updates

For updates which are not automatically applied, the following CLI command will upgrade all available packages to the most recent version.
Note: Some AMDP packages require special handling prior to upgrade (see Upgrade Special Handling Steps below).
apt update  # updates the information about available updates

apt list --upgradeable  # lists packages eligible for update

apt upgrade  # upgrade and install all eligible packages
or
apt install package(s) #  upgrade and install a particular package (or packages)
Note: The apt upgrade command will install non-security related system packages as well as the AMDP packages.

Check for available updates on the manager once a week for signature updates, and every few weeks for other updates.

Upgrade special handling steps

Some packages require special handling before and/or after upgrading, so we strongly recommend using the apt list command to see which packages will be changed before deciding to use the apt upgrade command.

Malware signatures (Manager)

The malware signature package for the manager (hatching-triage-processing) is updated frequently, so check weekly whether the package has changed. For the signatures to become active, the triage processes need to be signaled to reload:
killall -HUP triage
CAUTION:
If there are active analyses in progress, avoid restarting the hatching-triage or hatching-triage-processing services until the signatures have been reloaded.

Static analysis service (Manager)

Prior to upgrading the hatching-triage package, it's desirable to quiesce the processing of new samples and finish ones in progress. Use the following command:
killall -TERM triage; while pidof triage >/dev/null; do echo -n .; sleep 1; done
Restart the service now:
systemctl restart hatching-triage

VM monitors and services (Engine)

Virtual machine monitors include some components which are installed in the virtual machine environments for the sandbox. While the monitor packages are automatically installed, the corresponding VMs may need to be rebuilt. When checking for general updates, run the following command to check if the VMs need to be rebuilt:
amd_setup sandbox --vmstatus

See Engine configuration for additional information on building VMs.

Sandbox manager and services (Engine)

Prior to upgrading the hatching-sandbox and hatching-sandbox-net packages, it's desirable to quiesce the processing of new samples and finish ones in progress. Use the following command:
killall -HUP sandbox; while pidof sandbox >/dev/null; do echo -n .; sleep 1; done
Restart the services now:
systemctl restart hatching-sandbox hatching-sandbox-net
After updating HatchVM (hatching-hatchvm and hatching-hatchavd packages), the hatching-vms service must be restarted.
Note: Do not restart this service if there is an active VM build (see amd_setup sandbox --vmstatus).
systemctl restart hatching-vms

Packages requiring reboot

Some updates require the system to be rebooted to complete the installation, typically associated with a new kernel or core service. Generally, AMDP updates do not require a reboot, but a reboot is the easiest way to ensure all the associated services have been restarted following an upgrade.

General notes about package naming

AMDP package names start with "amd", "python3-amd", "hatching" or "tts".
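
The following is an added example, not part of the AMDP tooling: shell functions that sort apt list --upgradeable output into AMDP and system packages using the prefixes above, and attach the special handling step from this page to each package that has one. The function names, the sample listing (versions, suite names, and the package python3-amd-example) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not AMDP code): triage `apt list --upgradeable` output
# before deciding whether a plain `apt upgrade` is appropriate.

# Map one package name to "category|handling", following the sections above.
handling_for() {
  case "$1" in
    hatching-triage-processing)
      echo "AMDP|after upgrade: killall -HUP triage (reload signatures)" ;;
    hatching-triage)
      echo "AMDP|before upgrade: quiesce triage; then restart hatching-triage" ;;
    hatching-sandbox|hatching-sandbox-net)
      echo "AMDP|before upgrade: quiesce sandbox; then restart both services" ;;
    hatching-hatchvm|hatching-hatchavd)
      echo "AMDP|after upgrade: restart hatching-vms unless a VM build is active" ;;
    amd64-microcode)
      # Ubuntu's CPU microcode package shares the "amd" prefix but is not AMDP.
      echo "system|none" ;;
    amd*|python3-amd*|hatching*|tts*)
      echo "AMDP|none listed" ;;
    *)
      echo "system|none" ;;
  esac
}

# Read `apt list --upgradeable` output on stdin; print "name|category|handling".
classify_upgrades() {
  local line name
  while IFS= read -r line; do
    case "$line" in
      */*) name=${line%%/*} ;;   # package lines look like "name/suite version ..."
      *)   continue ;;           # "Listing... Done", blank lines, warnings
    esac
    printf '%s|%s\n' "$name" "$(handling_for "$name")"
  done
}

# Constructed sample listing: versions and suite names are made up, and
# python3-amd-example is a hypothetical package name.
SAMPLE='Listing... Done
hatching-triage-processing/stable 2.0.1 amd64 [upgradable from: 2.0.0]
hatching-sandbox-net/stable 1.4.0 amd64 [upgradable from: 1.3.9]
amd64-microcode/focal-updates 3.2 amd64 [upgradable from: 3.1]
python3-amd-example/stable 1.1 all [upgradable from: 1.0]
openssl/focal-security 1.1.1f-2 amd64 [upgradable from: 1.1.1f-1]'

# On a live system: apt list --upgradeable 2>/dev/null | classify_upgrades
printf '%s\n' "$SAMPLE" | classify_upgrades
```

Any line whose handling field is not "none" or "none listed" indicates a package that should be upgraded individually with apt install after the corresponding step, rather than swept up by apt upgrade.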