03-22-2016 02:30 PM - edited 03-12-2019 05:56 AM
Under System, Integration, AMP for Networks my FireSIGHT reports the Last Local Malware Detection Update as Thu Jan 28 18:13:40 2016. Is that correct?
If not is there a way to force or schedule an auto update? Everything else on my system (rules, geolocation) seems to be updating correctly. I just updated to FireSIGHT 6.0.1 and still have the same results.
03-25-2016 05:12 AM
Hi,
Are you also getting errors related to update failure for the same on the Firepower Management Center?
Thanks,
Ankita
03-25-2016 06:11 AM
I see numerous entries under System > Health > Events for AMP for Firepower Status where it says Successfully connected to cloud. The value is 0.
04-04-2018 02:05 PM
Same here. Successfully connected to cloud:
AMP for Firepower Status | AMP for Firepower Status | 2018-04-04 13:56:57 | Successfully connected to cloud | 0 | xx |
04-04-2018 01:42 PM
Seeing the same. Long time since last local m/w detection sync with cisco.
Last Local Malware Detection Update: Wed Dec 13 13:35:56 2017
No issues connecting to cloud, even enabled legacy outbound TCP/32137.
6.1.0.5-45, virtual.
04-05-2018 12:03 AM
Hello Vance
Please check if the messages show any error messages as follows:
"Sourcefire3D SF-IMS[2420]: [2459] CloudAgent:ClamUpdater [ERROR] Could not open dir"
Check if the clamupdate.log shows the following error logs.
"hifistatic.cvd FAILED FIO_ERROR"
You can also check if the following directory is missing or not.
/var/sf/clamupd_download/
Regards
Jetsy
04-05-2018 07:57 AM - edited 04-05-2018 08:30 AM
Hello Jetsy, thank you for the reply,
1. Message log looks clean, no "ClamUpdater [ERROR]" found. Updates every 30 minutes, latest abbreviated message log:
Apr 5 14:20:41 . SF-IMS[4393]: [4393] CloudAgent:CloudAgent [INFO] ClamUpd, time to check for updates
Apr 5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/..
Apr 5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.
Apr 5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] chown successful
Apr 5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] The curl option for clam verify_peer=1 verify_host=1
Apr 5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file .. from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/..
Apr 5 14:20:41 . SF-IMS[4393]: [4437] CloudAgent:ClamUpdater [INFO] Removing file . from clamupd tmp dir. Full path is /var/sf/clamupd_download/tmp/.
2. The '/var/log/clamupdate.log' appears clean?
1484349440 preclass.cvd SUCCESS SUCCESS
1484349441 hifistatic.cvd SUCCESS SUCCESS
1487282062 preclass.cvd SUCCESS SUCCESS
1487282062 hifistatic.cvd SUCCESS SUCCESS
1487870803 hifistatic.cvd SUCCESS SUCCESS
... (repeated hifistatic.cvd success)
1513200956 hifistatic.cvd SUCCESS SUCCESS
3. The '/var/sf/clamupd_download/' directory looks populated with files and directories, along with timestamps:
root@xxx:/var/sf/clamupd_download# ls -ls
total 3440
   4 -rw-r--r-- 1 root root     114 Dec 13 21:35 checksum
   4 drwxr-xr-x 2 www  www     4096 Jan 13  2017 health
   4 -rw-r--r-- 1 www  www      110 Dec 13 21:35 health_status
3400 -rw-r--r-- 1 root root 3478378 Dec 13 21:35 hifistatic.cvd
   4 drwxr-xr-x 2 www  www     4096 Mar 15 17:51 peers
  20 -rw-r--r-- 1 root root   16913 Feb 16  2017 preclass.cvd
   4 drwxr-xr-x 2 www  www     4096 Dec 13 21:35 tmp
root@xxx:/var/sf/clamupd_download#
By all accounts the update mechanism(s) look to be functioning.
V.-
04-11-2018 02:45 PM
Solved.
Move the checksum file out of the way and when ClamAV does its half-hour update,
the directory should populate with new CVD ClamAV database files.
SSH to the FMC
sudo -i
cd /var/sf/clamupd_download/
ls -ls # take note of timestamps on the files
mv checksum .. # I moved mine up a directory level
# watch for next cloudupdate agent pull, it may be every half hour.
cat /var/log/messages | grep ClamUpdater
# in /var/sf/clamupd_download/
ls -ls # see if timestamps on the files change.
If the timestamps are new with a new checksum file created, the FMC should reflect the latest update time.
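A staleness check built from the /var/log/clamupdate.log format shown in this thread, added here as an example (it is not Cisco's code nor a script from the thread). The 30-day threshold, the live check_fmc function and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not Cisco's code): staleness check for the FMC's local malware
# detection database, using the clamupdate.log line format from the thread,
# "<epoch> <cvd file> <status> <status>". Path and threshold are assumptions.

# Constructed sample log lines (not a real capture): two successes and one
# of the FIO_ERROR failures the thread says to look for.
SAMPLE_LOG='1513200956 hifistatic.cvd SUCCESS SUCCESS
1513200956 preclass.cvd SUCCESS SUCCESS
1513204556 hifistatic.cvd FAILED FIO_ERROR'

# last_success LOGTEXT CVDNAME: epoch of the newest fully successful update
# for CVDNAME (0 if none).
last_success() {
    printf '%s\n' "$1" | awk -v f="$2" \
        '$2 == f && $3 == "SUCCESS" && $4 == "SUCCESS" && $1 > max { max = $1 }
         END { print max + 0 }'
}

# count_failures LOGTEXT: number of FAILED lines, whatever the CVD file.
count_failures() {
    printf '%s\n' "$1" | awk '$3 == "FAILED" { n++ } END { print n + 0 }'
}

# age_days LOGTEXT CVDNAME NOW_EPOCH: whole days since the last success.
age_days() {
    last=$(last_success "$1" "$2")
    echo $(( ($3 - last) / 86400 ))
}

# is_stale LOGTEXT CVDNAME NOW_EPOCH MAX_DAYS: succeeds (exit 0) when the
# last success is older than MAX_DAYS, the condition the thread describes.
is_stale() {
    [ "$(age_days "$1" "$2" "$3")" -gt "$4" ]
}

# check_fmc [MAX_DAYS]: live check on the FMC itself (run after 'sudo -i').
check_fmc() {
    log=$(cat /var/log/clamupdate.log) || return 2
    now=$(date +%s)
    for cvd in hifistatic.cvd preclass.cvd; do
        if is_stale "$log" "$cvd" "$now" "${1:-30}"; then
            echo "STALE: $cvd last succeeded $(age_days "$log" "$cvd" "$now") days ago"
        else
            echo "OK: $cvd updated $(age_days "$log" "$cvd" "$now") days ago"
        fi
    done
    echo "failed update attempts in log: $(count_failures "$log")"
}
```

A STALE result alongside a clean messages log and a populated /var/sf/clamupd_download/ is the situation the thread resolves by moving the checksum file aside.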