https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748366#M1014269 <P>There is a Hotfix out for this issue.&nbsp;&nbsp;</P> Fri, 16 Nov 2018 20:05:17 GMT jont717 2018-11-16T20:05:17Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3708346#M1014267 <DIV class="lia-message-subject lia-component-message-view-widget-subject">&nbsp;</DIV> <P>I have a 5506-x ASA running version&nbsp;6.2.3.4 (build 42) for my firepower. It appears that even though i have the license installed, the AMP database hasn't been able to update since mid of August.</P> <P>&nbsp;</P> <P>The problem seems to be with the certificate not being trusted?</P> <P>&nbsp;</P> <PRE>Sep 17 13:40:05 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file hifistatic.cvd from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/hifistatic.cvd Sep 17 13:40:05 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/. Sep 17 13:40:05 firepower SF-IMS[5640]: [5713] CloudAgentlamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.. Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/. Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.. Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] chown successful Sep 17 14:10:02 firepower SF-IMS[5640][5713] CloudAgent:ClamUpdater [INFO] The curl option for clam verify_peer=1 verify_host=2 Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Hifistatic Clam Ruleset being updated Sep 17 14:10:05 firepower SF-IMS[5640]: [5713] <STRONG>CloudAgent:ClamUpdater [WARN] Download unsuccessful: Peer certificate cannot be authenticated with given CA</STRONG> </PRE> <P>I have the option to update firepower to version&nbsp;<SPAN>6.2.3.5-52 but haven't performed this yet. Connection to the Server appears to be fine</SPAN></P> <P>&nbsp;</P> <PRE>root@firepower:/var/sf/clamupd_download# sudo openssl s_client -connect support .sourcefire.com:443 Last login: Mon Sep 17 20:03:13 UTC 2018 CONNECTED(00000003) depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/CN=support.sourcefire.com i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primry Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIGKjCCBRKgAwIBAgIQCffv0Y7LSoM3zG/mYfvT2DANBgkqhkiG9w0BAQsFADBj MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE b21haW4gVmFsaWRhdGVkIFNTTDEeMBwGA1UEAxMVdGhhd3RlIERWIFNTTCBDQSAt IEcyMB4XDTE4MDgxNzMDAwMFoXDTIwMDgxNzIzNTk1OVowITEfMB0GA1UEAxMW c3VwcG9ydC5zb3VyY2VmaXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAMn/fh7hL9Yu+DWUYyO1o94+ULyl31V6iI+718hYjVyYyYoncsp/uXUj rtOx5sTv2xvC6eLQAe1momFH6Soviy/bU7K0bppBGzpGje8O5Cqzk0cbRMqHyP/M HY6piEfg+4gQXltj88NsXHWIRt/+xufB2ZA5mpKUrxdR8vGQVKSXwpmEAdpaki2u DeXst1Bus9UrgSfaEEoYkOLzlFZOnsz0+I/opYMMlhFkGHrKwTYzoL8vm/YTOzMn CFZFOrs+VwVUlZ6VPSmiT4EiE2e2Zc160Ky8pXqArPsfwB+7eA5lQWNx6Bkn2ZMR LcIORL2xaYGKTxI2HsKNEFmsY9ykXzsCAwEAAaOCAxowggMWMB0GA1UdDgQWBBSo fk/rOmQAZ9aZ93rLw4yyxzZYczAhBgNVHREEGjAYghZzdXBwb3JnNvdXJjZWZp cmUuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB BQUHAwIwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vdG4uc3lt Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vdG4uc3ltY2IuY29tL3RuLmNydDAJ BgNVHRMEAjAAMG4GA1UdIARnMGUwYwYGZ4EMAQIBMFkwJgYIKwYBBQUHAgEWGmh0 dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3BzMC8GCCsGAQUFBwICMCMMIWh0dHBzOi8v d3d3LnRoYXd0ZS5jb20vcmVwb3NpdG9yeTArBgNVHR8EJDAiMCCgHqAchhpodHRw Oi8vdG4uc3ltY2IuY29tL3RuLmNybDAfBgNVHSMEGDAWgBSfuMGpbPL1wCIqlO1c mazU7NfGBzCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcA3esdK3oNT6Ygi4Gt gWhwfi6OnQHVXIiNPRzbbsvswAAAFlSaiwhgAABAMASDBGAiEAy9EM8zCNyGa9 SzgHtjDEA8mAmeMCMQ6E8YK+FgQAktICIQCguUgljj6TC4Wdjuf3k9TE2Kx2Prmz bo/ROm7tBCIRAwB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAAB ZUmosJYAAAQDAEcwRQIgPJpsKYhy1a4pgV8ZUaHzJQHMnz1lkmyBULZ9PRzO/NgC IQCQ3zXcwnECWlzHUbThPxKxqk3nR7ZN9eDJUwBezfcurQB2AO5Lvbd1zmC64UJp H6vhnmajD35fsHLYgwDEe4l6qP3LAAABZUmosMEAAAQDAEcwRQIgSPggiga+pdRi 8s9sODMFByruWgqMTafRY5RA7Qh3cbgCIQD5hRG8rOAkxsbKUpUdsagGlpDO704C eLjEVW1uENWOqTANBgkqhkiG9w0BAQsFAAOCAQEARbAtM8+WXmipvvbS2oI7b6ai wTCvhZG+fJ8VSnnWK0+Eiyed5VIo/TWPTTcaMbOK4PplujHIAyGjYvRoYfz8Vb a6NfRPxp1A9aLYJpo3cpYEfuJ43Q/dnwcg6Cb+4q1WaVpChD2cny5V/bIWRCVLUm B0e+Myo06IWvJWbAaaTv4YnpAQA/v+gFstWSzhA2KV2EgVaXGy/qaBCt8HNxrXa0 GqDEQ10F9GqwLhKiJtsh8Tr2jLLA+YZFnrIOUKOo0GkwHqNIUyH52n7ZUkHNxP4b /3aOvQ2H1QdgKl9Cv0bm31M18X+DTpZxLyEf9rPZa3aYjlil8e8xYXbwi8uqjg== -----END CERTIFICATE----- subject=/CN=support.sourcefire.com issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 14 bytes and written 373 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: ABBA000CC6B86AB9307297C1E555F128A313869DCD24F249097D19A578B02509 Session-ID-ctx: Master-Key: AB9B6ADA1B0AB9ACF2BA8C10A487CCF0E4CB8A3245F44D3B51EFB9BDAB3D6A3522EA661574AF9ECE38B5F0F9B224BA68 Key-Arg : None PSK identity: Ne PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - c8 b2 28 07 43 c4 99 55-77 a8 0e 11 8c ec 4e 43 ..(.C..Uw.....NC 0010 - a1 9a 0b a9 37 a9 72 4d-5e b5 0f 41 f0 5e b8 bc ....7.rM^..A.^.. 0020 - 67 a6 08 44 5c dc 0f 18-d8 7c 4c d5 1d bd 05 06 g..D\....|L..... 0030 - 54 5f a6 3a 98 dc 75 8f-1a 3d 24 81 9e d0 23 36 T_.:..u..=$...#6 0040 - 47 60 fa 51 1c 33 33 3f-70 b1 24 6b 04 7b 30 90 G`.Q.33?p.$k.{0. 0050 - 2c 6a 4c d5 84 50 dd7-b3 2e d7 8f fc a0 c1 c3 ,jL..P.......... 0060 - fb 45 fe 63 77 89 09 36-68 9d 07 ad 94 46 3c 66 .E.cw..6h....F&lt;f 0070 - 8f a3 07 e0 0b b8 de 78-d8 c5 a8 6a 4d 38 9c 1b .......x...jM8.. 0080 - 7b 23 b4 fe c7 c3 33 31-7c d6 17 90 bf 78 3b fe {#....31|....x;. 0090 - 34 39 87 b7 6a 11 53 86-b3 b5 27 47 1b 39 77 f9 49..j.S...'G.9w. 00a0 - d5 36 21 2e fa 88 d6 8d-31 4c fa 53 ad 92 47 db .6!.....1L.S..G. 00b0 - e2 53 1a 24 a6 a7 c4 2c-c2 18 2e d6 13 88 49 a5 .S.$...,......I. Start Time: 1537214704 Tiout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- GET / HTTP/1.1 200 OK X-Powered-By: Express accept-ranges: bytes content-type: text/html date: Mon, 17 Sep 2018 20:05:28 GMT etag: "50b2-455d-545340871e106" last-modified: Tue, 03 Jan 2017 17:31:05 GMT server: Apache content-length: 17757 connection: Close</PRE> <P><SPAN>Any suggestions?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> <DIV id="messageBodySimpleDisplay" class="lia-message-body lia-component-body-signature-highlight-escalation">&nbsp;</DIV> Tue, 12 Mar 2019 13:58:34 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3708346#M1014267 pantelis1 2019-03-12T13:58:34Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3708670#M1014268 <P>seems like intelligence.sourcefire.com certificate&nbsp;is not signed properly. Maybe one of the servers sitting behind the loadbalancer is not configured correctly?&nbsp;</P> Tue, 18 Sep 2018 11:24:29 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3708670#M1014268 pantelis1 2018-09-18T11:24:29Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748366#M1014269 <P>There is a Hotfix out for this issue.&nbsp;&nbsp;</P> Fri, 16 Nov 2018 20:05:17 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748366#M1014269 jont717 2018-11-16T20:05:17Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748514#M1014270 <P>It could be this bug:</P> <P>&nbsp;</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm03931" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm03931</A></P> <P>&nbsp;</P> <P>Release 6.2.3.7 (just out this week) fixes it.</P> Sat, 17 Nov 2018 04:35:58 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748514#M1014270 Marvin Rhoads 2018-11-17T04:35:58Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748639#M1014272 <P>Updating to 6.2.3.7 and will confirm- Thanks</P> Sat, 17 Nov 2018 16:02:52 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748639#M1014272 pantelis1 2018-11-17T16:02:52Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748641#M1014273 <P>hi,</P> <P><STRONG>6.2.3.7</STRONG>&nbsp;already released, try to upgrade this version and check.</P> <P>&nbsp;</P> <P>HTH</P> <P>Abheesh</P> Sat, 17 Nov 2018 15:53:59 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748641#M1014273 Abheesh Kumar 2018-11-17T15:53:59Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748837#M1014275 <P>Are you using FMC?</P> <P>&nbsp;</P> <P>This is the bug.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P><A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm81052" target="_blank">https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm81052</A></P> <P>&nbsp;</P> <P>You need to install the hotfix.&nbsp; Fixed it for me.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 18 Nov 2018 14:17:01 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3748837#M1014275 jont717 2018-11-18T14:17:01Z https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3749207#M1014276 <P>upgrading to the new version didn't fix it for me. I had to manually adjust the certificate. AMP database has been updated</P> Mon, 19 Nov 2018 12:31:09 GMT https://community.cisco.com/t5/network-security/last-local-malware-detection-not-up-to-date/m-p/3749207#M1014276 pantelis1 2018-11-19T12:31:09Z