Last Local Malware Detection

Pacerfan9_2
Level 1

Under System, Integration, AMP for Networks my FireSIGHT reports the Last Local Malware Detection Update as Thu Jan 28 18:13:40 2016. Is that correct?

If not is there a way to force or schedule an auto update? Everything else on my system (rules, geolocation) seems to be updating correctly. I just updated to FireSIGHT 6.0.1 and still have the same results.

8 Replies

ankojha
Level 3

Hi,

Are you also getting errors related to update failure for the same on the Firepower Management Center?

Thanks,

Ankita

I see numerous entries under System > Health > Events for AMP for Firepower Status where it says Successfully connected to cloud. The value is 0.

Seeing the same. Long time since last local m/w detection sync with Cisco.

Last Local Malware Detection Update: Wed Dec 13 13:35:56 2017

No issues connecting to cloud, even enabled legacy outbound TCP/32137.

6.1.0.5-45, virtual.

Hello Vance,

Please check if the messages log shows any error messages as follows:

"Sourcefire3D SF-IMS[2420]: [2459] CloudAgent:ClamUpdater [ERROR] Could not open dir"

Check if the clamupdate.log shows the following error logs.

"hifistatic.cvd FAILED FIO_ERROR"

You can also check if the following directory is missing or not.

/var/sf/clamupd_download/

Regards

Jetsy
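The three checks above, scripted for the FMC root shell, as an added example that is not part of the original thread or of Cisco's own tooling. The log and directory paths default to the ones named in the thread; making them overridable (and the `--run` switch) is an assumption made here so the same logic can be exercised against copies of the files on another host.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the three checks (messages log,
# clamupdate.log, download directory). Overridable paths are an assumption made
# here so the checks can run against copies of the files on any host.
MESSAGES_LOG="${MESSAGES_LOG:-/var/log/messages}"
CLAMUPDATE_LOG="${CLAMUPDATE_LOG:-/var/log/clamupdate.log}"
CLAMUPD_DIR="${CLAMUPD_DIR:-/var/sf/clamupd_download}"

# Number of "CloudAgent:ClamUpdater [ERROR]" lines in a messages log (0 if unreadable).
clamupd_error_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'CloudAgent:ClamUpdater \[ERROR\]' "$1" || true
}

# Number of FAILED entries (e.g. "hifistatic.cvd FAILED FIO_ERROR") in clamupdate.log.
clamupd_failed_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c ' FAILED ' "$1" || true
}

# Epoch time of the last SUCCESS entry for one CVD file; prints nothing if none.
# clamupdate.log lines look like: "1513200956 hifistatic.cvd SUCCESS SUCCESS".
clamupd_last_success() {
    [ -r "$1" ] || return 0
    awk -v f="$2" '$2 == f && $3 == "SUCCESS" { last = $1 } END { if (last) print last }' "$1"
}

# Run all checks. Prints one line per finding; returns 0 when clean, 1 otherwise.
clamupd_triage() {
    messages="${1:-$MESSAGES_LOG}"
    updlog="${2:-$CLAMUPDATE_LOG}"
    dir="${3:-$CLAMUPD_DIR}"
    rc=0
    n=$(clamupd_error_count "$messages")
    if [ "$n" -gt 0 ]; then echo "FAIL: $n ClamUpdater [ERROR] lines in $messages"; rc=1
    else echo "OK: no ClamUpdater [ERROR] lines in $messages"; fi
    n=$(clamupd_failed_count "$updlog")
    if [ "$n" -gt 0 ]; then echo "FAIL: $n FAILED entries in $updlog"; rc=1
    else echo "OK: no FAILED entries in $updlog"; fi
    if [ -d "$dir" ]; then echo "OK: $dir exists"
    else echo "FAIL: $dir is missing"; rc=1; fi
    for cvd in hifistatic.cvd preclass.cvd; do
        ts=$(clamupd_last_success "$updlog" "$cvd")
        if [ -n "$ts" ]; then echo "INFO: last SUCCESS for $cvd at epoch $ts"
        else echo "WARN: no SUCCESS entry for $cvd in $updlog"; fi
    done
    return "$rc"
}

# On the FMC (as root): sh clamupd_triage.sh --run
if [ "${1:-}" = "--run" ]; then
    clamupd_triage "${2:-}" "${3:-}" "${4:-}"
    exit $?
fi
```

The epoch value printed for each CVD can be compared directly with `date +%s` on the FMC; a clean triage with an old last-SUCCESS time is exactly the state described later in this thread, where the agent connects but never rewrites the database files.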

Hello Jetsy, thank you for the reply,

1. Message log looks clean, no "ClamUpdater [ERROR]" found. Updates every 30 minutes, latest abbreviated message log:

Apr  5 14:20:41 . SF-IMS[4393]: [4393] CloudAgent:CloudAgent [INFO] ClamUpd, time to check for updates
Apr  5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/..
Apr  5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.
Apr  5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] chown successful
Apr  5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] The curl option for clam verify_peer=1  verify_host=1
Apr  5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/..
Apr  5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.

2. The '/var/log/clamupdate.log' appears clean?

1484349440 preclass.cvd SUCCESS SUCCESS
1484349441 hifistatic.cvd SUCCESS SUCCESS
1487282062 preclass.cvd SUCCESS SUCCESS
1487282062 hifistatic.cvd SUCCESS SUCCESS
1487870803 hifistatic.cvd SUCCESS SUCCESS
... (repeated hifistatic.cvd success)
1513200956 hifistatic.cvd SUCCESS SUCCESS

3. The '/var/sf/clamupd_download/' directory looks populated with files and directories, along with timestamps:

root@xxx:/var/sf/clamupd_download# ls -ls
total 3440
   4 -rw-r--r-- 1 root root     114 Dec 13 21:35 checksum
   4 drwxr-xr-x 2 www  www     4096 Jan 13  2017 health
   4 -rw-r--r-- 1 www  www      110 Dec 13 21:35 health_status
3400 -rw-r--r-- 1 root root 3478378 Dec 13 21:35 hifistatic.cvd
   4 drwxr-xr-x 2 www  www     4096 Mar 15 17:51 peers
  20 -rw-r--r-- 1 root root   16913 Feb 16  2017 preclass.cvd
   4 drwxr-xr-x 2 www  www     4096 Dec 13 21:35 tmp
root@xxx:/var/sf/clamupd_download#

By all accounts the update mechanism(s) look to be functioning.

V.-


Hello Vance,

In that case I would recommend that you open a TAC case so that we can investigate whether there is any known issue causing this behaviour.

Regards
Jetsy

Solved.

Move the checksum file out of the way and when ClamAV does its half-hour update, the directory should populate with new CVD ClamAV database files.

SSH to the FMC:

sudo -i
cd /var/sf/clamupd_download/
ls -ls                  # take note of timestamps on the files
mv checksum ..          # I moved mine up a directory level

# watch for the next cloud update agent pull, it may be every half hour
grep ClamUpdater /var/log/messages

# back in /var/sf/clamupd_download/
ls -ls                  # see if timestamps on the files change

If the timestamps are new with a new checksum file created, the FMC should reflect the latest update time.
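The fix above as a script, added here as an example that is not part of the original post or of Cisco's tooling. It moves the checksum file up one directory level as described, records a marker time, and then polls until both a new checksum and a newer hifistatic.cvd appear (or a timeout expires), listing the directory before and after so the timestamps can be compared. The marker file, the poll interval, the timeout and the `--run` switch are assumptions made here; the default directory is the one named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the fix above. It moves the stale
# checksum file up one directory, then polls until the agent has written a new
# checksum and a newer hifistatic.cvd, or gives up after a timeout. The marker
# file, poll interval and timeout are assumptions made here; the default
# directory is the one named in the thread.
CLAMUPD_DIR="${CLAMUPD_DIR:-/var/sf/clamupd_download}"

# Move $1/checksum to the parent directory under a timestamped name and print
# the destination. Returns 1 if there was no checksum file to move.
clamupd_stash_checksum() {
    [ -f "$1/checksum" ] || { echo "no checksum file in $1" >&2; return 1; }
    dest="$1/../checksum.$(date +%Y%m%d%H%M%S)"
    mv "$1/checksum" "$dest" && echo "$dest"
}

# Returns 0 only when both checksum and hifistatic.cvd exist in $1 and are
# newer than the marker file $2 (i.e. the agent has rewritten them).
clamupd_refreshed() {
    [ -f "$1/checksum" ] && [ -f "$1/hifistatic.cvd" ] || return 1
    [ -n "$(find "$1/checksum" -newer "$2")" ] || return 1
    [ -n "$(find "$1/hifistatic.cvd" -newer "$2")" ] || return 1
}

# clamupd_force_refresh DIR INTERVAL_SECONDS TIMEOUT_SECONDS
# Lists the directory before and after so the timestamps can be compared.
clamupd_force_refresh() {
    dir="${1:-$CLAMUPD_DIR}"; interval="${2:-60}"; timeout="${3:-2400}"
    marker="${TMPDIR:-/tmp}/clamupd_refresh_marker.$$"   # assumed name
    echo "--- before ---"; ls -ls "$dir"
    : > "$marker"                      # anything written after this is "new"
    clamupd_stash_checksum "$dir" || true
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if clamupd_refreshed "$dir" "$marker"; then
            echo "--- after (refreshed within ${waited}s) ---"; ls -ls "$dir"
            rm -f "$marker"; return 0
        fi
        sleep "$interval"; waited=$((waited + interval))
    done
    echo "no refresh within ${timeout}s; check: grep ClamUpdater /var/log/messages"
    rm -f "$marker"; return 1
}

# On the FMC: sudo sh clamupd_refresh.sh --run   (defaults: 60s poll, 40 min timeout)
if [ "${1:-}" = "--run" ]; then
    clamupd_force_refresh "${2:-}" "${3:-}" "${4:-}"
    exit $?
fi
```

The 40 minute default timeout covers one full half-hour agent cycle with some slack; if the script gives up, the old checksum is still in the parent directory and can be moved back, and the messages log is the next place to look, as the earlier replies describe.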
