cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2788
Views
5
Helpful
7
Replies

Last Local Malware Detection not up to date

pantelis1
Level 1
Level 1
 

I have a 5506-x ASA running version 6.2.3.4 (build 42) for my firepower. It appears that even though i have the license installed, the AMP database hasn't been able to update since mid of August.

 

The problem seems to be with the certificate not being trusted?

 

Sep 17 13:40:05 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file hifistatic.cvd from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/hifistatic.cvd
Sep 17 13:40:05 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.
Sep 17 13:40:05 firepower SF-IMS[5640]: [5713] CloudAgentlamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/..
Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.
Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/..
Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] chown successful
Sep 17 14:10:02 firepower SF-IMS[5640][5713] CloudAgent:ClamUpdater [INFO] The curl option for clam verify_peer=1  verify_host=2
Sep 17 14:10:02 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [INFO] Hifistatic Clam Ruleset being updated
Sep 17 14:10:05 firepower SF-IMS[5640]: [5713] CloudAgent:ClamUpdater [WARN] Download unsuccessful: Peer certificate cannot be authenticated with given CA 

I have the option to update firepower to version 6.2.3.5-52 but haven't performed this yet. Connection to the Server appears to be fine

 

root@firepower:/var/sf/clamupd_download# sudo openssl s_client -connect support
.sourcefire.com:443
Last login: Mon Sep 17 20:03:13 UTC 2018
CONNECTED(00000003)
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=support.sourcefire.com
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primry Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGKjCCBRKgAwIBAgIQCffv0Y7LSoM3zG/mYfvT2DANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
b21haW4gVmFsaWRhdGVkIFNTTDEeMBwGA1UEAxMVdGhhd3RlIERWIFNTTCBDQSAt
IEcyMB4XDTE4MDgxNzMDAwMFoXDTIwMDgxNzIzNTk1OVowITEfMB0GA1UEAxMW
c3VwcG9ydC5zb3VyY2VmaXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMn/fh7hL9Yu+DWUYyO1o94+ULyl31V6iI+718hYjVyYyYoncsp/uXUj
rtOx5sTv2xvC6eLQAe1momFH6Soviy/bU7K0bppBGzpGje8O5Cqzk0cbRMqHyP/M
HY6piEfg+4gQXltj88NsXHWIRt/+xufB2ZA5mpKUrxdR8vGQVKSXwpmEAdpaki2u
DeXst1Bus9UrgSfaEEoYkOLzlFZOnsz0+I/opYMMlhFkGHrKwTYzoL8vm/YTOzMn
CFZFOrs+VwVUlZ6VPSmiT4EiE2e2Zc160Ky8pXqArPsfwB+7eA5lQWNx6Bkn2ZMR
LcIORL2xaYGKTxI2HsKNEFmsY9ykXzsCAwEAAaOCAxowggMWMB0GA1UdDgQWBBSo
fk/rOmQAZ9aZ93rLw4yyxzZYczAhBgNVHREEGjAYghZzdXBwb3JnNvdXJjZWZp
cmUuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vdG4uc3lt
Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vdG4uc3ltY2IuY29tL3RuLmNydDAJ
BgNVHRMEAjAAMG4GA1UdIARnMGUwYwYGZ4EMAQIBMFkwJgYIKwYBBQUHAgEWGmh0
dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3BzMC8GCCsGAQUFBwICMCMMIWh0dHBzOi8v
d3d3LnRoYXd0ZS5jb20vcmVwb3NpdG9yeTArBgNVHR8EJDAiMCCgHqAchhpodHRw
Oi8vdG4uc3ltY2IuY29tL3RuLmNybDAfBgNVHSMEGDAWgBSfuMGpbPL1wCIqlO1c
mazU7NfGBzCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcA3esdK3oNT6Ygi4Gt
gWhwfi6OnQHVXIiNPRzbbsvswAAAFlSaiwhgAABAMASDBGAiEAy9EM8zCNyGa9
SzgHtjDEA8mAmeMCMQ6E8YK+FgQAktICIQCguUgljj6TC4Wdjuf3k9TE2Kx2Prmz
bo/ROm7tBCIRAwB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAAB
ZUmosJYAAAQDAEcwRQIgPJpsKYhy1a4pgV8ZUaHzJQHMnz1lkmyBULZ9PRzO/NgC
IQCQ3zXcwnECWlzHUbThPxKxqk3nR7ZN9eDJUwBezfcurQB2AO5Lvbd1zmC64UJp
H6vhnmajD35fsHLYgwDEe4l6qP3LAAABZUmosMEAAAQDAEcwRQIgSPggiga+pdRi
8s9sODMFByruWgqMTafRY5RA7Qh3cbgCIQD5hRG8rOAkxsbKUpUdsagGlpDO704C
eLjEVW1uENWOqTANBgkqhkiG9w0BAQsFAAOCAQEARbAtM8+WXmipvvbS2oI7b6ai
wTCvhZG+fJ8VSnnWK0+Eiyed5VIo/TWPTTcaMbOK4PplujHIAyGjYvRoYfz8Vb
a6NfRPxp1A9aLYJpo3cpYEfuJ43Q/dnwcg6Cb+4q1WaVpChD2cny5V/bIWRCVLUm
B0e+Myo06IWvJWbAaaTv4YnpAQA/v+gFstWSzhA2KV2EgVaXGy/qaBCt8HNxrXa0
GqDEQ10F9GqwLhKiJtsh8Tr2jLLA+YZFnrIOUKOo0GkwHqNIUyH52n7ZUkHNxP4b
/3aOvQ2H1QdgKl9Cv0bm31M18X+DTpZxLyEf9rPZa3aYjlil8e8xYXbwi8uqjg==
-----END CERTIFICATE-----
subject=/CN=support.sourcefire.com
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 14 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ABBA000CC6B86AB9307297C1E555F128A313869DCD24F249097D19A578B02509
    Session-ID-ctx:
    Master-Key: AB9B6ADA1B0AB9ACF2BA8C10A487CCF0E4CB8A3245F44D3B51EFB9BDAB3D6A3522EA661574AF9ECE38B5F0F9B224BA68
    Key-Arg   : None
    PSK identity: Ne
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c8 b2 28 07 43 c4 99 55-77 a8 0e 11 8c ec 4e 43   ..(.C..Uw.....NC
    0010 - a1 9a 0b a9 37 a9 72 4d-5e b5 0f 41 f0 5e b8 bc   ....7.rM^..A.^..
    0020 - 67 a6 08 44 5c dc 0f 18-d8 7c 4c d5 1d bd 05 06   g..D\....|L.....
    0030 - 54 5f a6 3a 98 dc 75 8f-1a 3d 24 81 9e d0 23 36   T_.:..u..=$...#6
    0040 - 47 60 fa 51 1c 33 33 3f-70 b1 24 6b 04 7b 30 90   G`.Q.33?p.$k.{0.
    0050 - 2c 6a 4c d5 84 50 dd7-b3 2e d7 8f fc a0 c1 c3   ,jL..P..........
    0060 - fb 45 fe 63 77 89 09 36-68 9d 07 ad 94 46 3c 66   .E.cw..6h....F<f
    0070 - 8f a3 07 e0 0b b8 de 78-d8 c5 a8 6a 4d 38 9c 1b   .......x...jM8..
    0080 - 7b 23 b4 fe c7 c3 33 31-7c d6 17 90 bf 78 3b fe   {#....31|....x;.
    0090 - 34 39 87 b7 6a 11 53 86-b3 b5 27 47 1b 39 77 f9   49..j.S...'G.9w.
    00a0 - d5 36 21 2e fa 88 d6 8d-31 4c fa 53 ad 92 47 db   .6!.....1L.S..G.
    00b0 - e2 53 1a 24 a6 a7 c4 2c-c2 18 2e d6 13 88 49 a5   .S.$...,......I.

    Start Time: 1537214704
    Tiout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---


GET /

HTTP/1.1 200 OK
X-Powered-By: Express
accept-ranges: bytes
content-type: text/html
date: Mon, 17 Sep 2018 20:05:28 GMT
etag: "50b2-455d-545340871e106"
last-modified: Tue, 03 Jan 2017 17:31:05 GMT
server: Apache
content-length: 17757
connection: Close

Any suggestions?

 

Thanks

 
1 Accepted Solution

Accepted Solutions

Are you using FMC?

 

This is the bug.  

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm81052

 

You need to install the hotfix.  Fixed it for me. 

 

 

View solution in original post

7 Replies 7

pantelis1
Level 1
Level 1

seems like intelligence.sourcefire.com certificate is not signed properly. Maybe one of the servers sitting behind the loadbalancer is not configured correctly? 

There is a Hotfix out for this issue.  

It could be this bug:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm03931

 

Release 6.2.3.7 (just out this week) fixes it.

Updating to 6.2.3.7 and will confirm- Thanks

hi,

6.2.3.7 already released, try to upgrade this version and check.

 

HTH

Abheesh

Are you using FMC?

 

This is the bug.  

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm81052

 

You need to install the hotfix.  Fixed it for me. 

 

 

upgrading to the new version didn't fix it for me. I had to manually adjust the certificate. AMP database has been updated

Review Cisco Networking for a $25 gift card