topic I'm kinda curious about this in Network Security

Sourcefire - Malware cloud lookup fails with 'cloud lookup timeout'

muthumohan — Sun, 10 Mar 2019 13:20:07 GMT

Hi,

I am performing malware clould lookup using FirePOWER on ASA. I see the file event when I transfer the file, but the FireSIGHT is unable to submit the file SHA-256 for cloud lookup. It times out. The FireSIGHT management IP is able to access the Internet.

Does the malware cloud lookup need some subscription for it to work? I am running this in a lab setup with malware license.

What could be the reasons for this lookup failure. Due to this, the file disposition is 'unavailable'

Another related question. If my file policy action is to BlockMalware, and if the file disposition comes as unknown or unavailable, will the file be transferred or blocked?

Appreciate any help.

regds,

Mohan Muthu

I'm kinda curious about this

dney — Wed, 10 Jun 2015 14:02:55 GMT

I'm kinda curious about this too as I see some events with 'Malware Cloud Lookup' and 'Cloud Lookup Timeout'

Mohan,Do you have you File

steveahughes — Wed, 22 Jul 2015 01:58:15 GMT

Mohan,

Do you have you File policy configured for "Malware Cloud Lookup" or for "Dynamic Analysis?" Or are you simply selecting a file and submitting it for analysis manually? This would help in troubleshooting your issue. Also, can you perform updates from the FireSight Management center? Just curious if this gets out to the Internet. The only subscription you need for Cloud lookups is a Protect and Control license, AMP and FireSight License.

I opened a TAC case on this.

jonwoloshyn — Thu, 29 Oct 2015 20:28:08 GMT

I was having this issue on an ASA5506 that wasn't using Firesight Management.

I opened a TAC case on this. Please have a look at Bug - CSCze95695

TAC provided the following workaround.

Please note that this only affects Kenton boxes which are managed on-box. Workaround is to run the following command.

$ touch /etc/sf/network_malware_use_legacy.enable && pmtool restartbyid SFDataCorrelator

This work around will use port 32137 rather than 443 for malware cloud lookups.

If you would like to reverse it in the future, Please run this command.

$ rm /etc/sf/network_malware_use_legacy.enable && pmtool restartbyid SFDataCorrelator