4887 Views, 0 Helpful, 3 Replies

Sourcefire - Malware cloud lookup fails with 'cloud lookup timeout'

muthumohan
Level 1

Hi,

I am performing malware cloud lookup using FirePOWER on ASA. I see the file event when I transfer the file, but the FireSIGHT is unable to submit the file SHA-256 for cloud lookup. It times out. The FireSIGHT management IP is able to access the Internet.

Does the malware cloud lookup need some subscription for it to work? I am running this in a lab setup with malware license.

What could be the reasons for this lookup failure? Due to this, the file disposition is 'unavailable'.

 

Another related question. If my file policy action is to BlockMalware, and if the file disposition comes as unknown or unavailable, will the file be transferred or blocked?

 

Appreciate any help.

regds,

Mohan Muthu

3 Replies

dney
Level 1

I'm kinda curious about this too as I see some events with 'Malware Cloud Lookup' and 'Cloud Lookup Timeout'

steveahughes
Level 1

Mohan,

Do you have your File policy configured for "Malware Cloud Lookup" or for "Dynamic Analysis"? Or are you simply selecting a file and submitting it for analysis manually? This would help in troubleshooting your issue. Also, can you perform updates from the FireSight Management Center? Just curious if this gets out to the Internet. The only subscription you need for Cloud lookups is a Protect and Control license, AMP and FireSight License.

 

jonwoloshyn
Level 4

I was having this issue on an ASA5506 that wasn't using Firesight Management.

I opened a TAC case on this. Please have a look at Bug - CSCze95695

TAC provided the following workaround.
Please note that this only affects Kenton boxes which are managed on-box. Workaround is to run the following command. 
$ touch /etc/sf/network_malware_use_legacy.enable && pmtool restartbyid SFDataCorrelator
This workaround will use port 32137 rather than 443 for malware cloud lookups.
If you would like to reverse it in the future, please run this command.
$ rm /etc/sf/network_malware_use_legacy.enable && pmtool restartbyid SFDataCorrelator
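As an added diagnostic (not from this thread or from Cisco), the script below reports which port the legacy-flag workaround leaves active on the box and checks plain TCP reachability to the lookup host on both 443 and 32137, so a 'Cloud Lookup Timeout' can be narrowed to a path that is actually blocked. The cloud hostname is a placeholder you must replace; the flag path and ports are the ones quoted above.

```python
import os
import socket

# Placeholder: the thread does not name the AMP cloud host. Replace it with the
# hostname your FMC or on-box FirePOWER module actually resolves for lookups.
CLOUD_HOST = "cloud-lookup.example.invalid"
LEGACY_FLAG = "/etc/sf/network_malware_use_legacy.enable"  # path from the TAC workaround
DEFAULT_PORT = 443     # normal malware cloud lookup path
LEGACY_PORT = 32137    # path used once the legacy flag file exists


def lookup_port(flag_path=LEGACY_FLAG):
    """Port the lookup should use, judged only by whether the legacy flag file exists."""
    return LEGACY_PORT if os.path.exists(flag_path) else DEFAULT_PORT


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP handshake to host:port completes within timeout, else False.

    A False here on the active port (firewall, proxy, DNS failure, or a
    refused/timed-out connect) is a plausible cause of 'Cloud Lookup Timeout'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host=CLOUD_HOST, flag_path=LEGACY_FLAG, timeout=5.0):
    """Report the active port and reachability of both candidate ports."""
    return {
        "legacy_flag_present": os.path.exists(flag_path),
        "active_port": lookup_port(flag_path),
        "reachable": {p: tcp_reachable(host, p, timeout) for p in (DEFAULT_PORT, LEGACY_PORT)},
    }


if __name__ == "__main__":
    result = diagnose()
    print(f"legacy flag present: {result['legacy_flag_present']} "
          f"-> lookups use port {result['active_port']}")
    for port, ok in result["reachable"].items():
        print(f"  TCP {CLOUD_HOST}:{port}: {'reachable' if ok else 'timeout/refused'}")
```

Run it on the management center (or the on-box managed sensor) as the same user that can see the flag file; a reachable 32137 with an unreachable 443 is exactly the situation the workaround is meant to sidestep.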
