02-16-2014 10:36 PM - edited 03-11-2019 08:46 PM
I have a Cisco ASA 5520, with Cisco ASA-SSM-CSC-10-K9. ASA version 8.4.3.
Since two days ago, automatic anti-virus pattern update for Cisco CSC SSM failed, error message as below:
AntiVirusPattern : Pattern Update: The download file was unsuccessful for ActiveUpdate was unable to verify security information. The local trusted info database is corrupted. Please contact Trend Micro technical support.. The error code is 62.
The license is valid and the subscription is expired on Sep 2014.
Any body encountered similar problem before?
Any body has Trend Micro Cisco CSC SSM helpdesk contact?
I can't find any Trend Micro info for Cisco CSC SSM.
Solved! Go to Solution.
02-17-2014 05:51 AM
Nope, still waiting...
02-17-2014 05:55 AM
just got this:
Action Plan:
This issue is seen because of RAM storage used to store pattern files while performing the updates, is not enough.
To resolve this, follow the below steps:
- Login to CSC via ASA CLI using command ‘session 1’. The username would be ‘cisco’ and the password would be the one which you use to login via GUI.
- Go to troubleshooting tools and then enable the root account.
- Now exit from here and login again via ‘session 1’ but this time, use the ‘root’ as the username and password as ‘cisco’.
- You would be prompted to change the password once logged in. Change it to any value of your choice.
- You would land at “-bash-3.00#” prompt. Copy and then paste the below command:
vi /etc/init.d/S01init_ISVW
- Add the RED line from the following output. It must be at this point in the file.
- Use ‘j’ to move cursor down.
case "$1" in
init) # for /loadrc to init before /sbin/init is started
dbg "init"
# ldconfig
dbg "ldconfig"
ldconfig 2>/dev/null
# sync kernel time with BIOS time (assume localtime as in ui_helper)
dbg "Set H/W clock"
/sbin/hwclock -s --localtime
# adjust linux kernel params
dbg "Adjust kernel params"
# adjust TCP windows size
echo "1" > /proc/sys/net/ipv4/tcp_adv_win_scale
echo "6144 262140 262140" > /proc/sys/net/ipv4/tcp_rmem
echo "6144 24576 196608" > /proc/sys/net/ipv4/tcp_wmem
# promote routing cache expiration
echo "30" > /proc/sys/net/ipv4/route/gc_interval
echo "60" > /proc/sys/net/ipv4/route/gc_timeout
# set core dump feature
echo 1 > /proc/sys/kernel/core_uses_pid
echo "/coredump/core-%e-%s-%p-%t.gz" > /proc/sys/kernel/core_pattern
# set system-related module difference
if [ -f $ISVW_HOME/script/ISmodulecfg ]; then
dbg "ISmodulecfg preinit"
sh $ISVW_HOME/script/ISmodulecfg preinit
else
warn "ISmodulecfg not found"
fi
# move preset directory to prototype
[ -d $ISVW_HOME/prototype ] || warn "Unable to locate $ISVW_HOME/prototype"
# mount major tmpfs from fstab
for i in $TMPFS_DIRS; do
dbg "+ mount tmpfs $ISVW_HOME/$i"
[ -d $ISVW_HOME/$i ] || mkdir -p $ISVW_HOME/$i
mount $ISVW_HOME/$i || warn "Fail to mount $ISVW_HOME/$i"
[ -d $ISVW_HOME/prototype/$i ] \
&& cp -a $ISVW_HOME/prototype/$i/* $ISVW_HOME/$i
chown -R isvw.isvw $ISVW_HOME/$i > /dev/null 2>&1
done
# set permission for TMASE cache
chown isvw.isvw $ISVW_HOME/lib/mail/cache
# mount /coredump
dbg "Mount /coredump"
mkdir /coredump
mount /coredump || warn "Fail to mount /coredump"
mount none /opt/trend/isvw/lib/mail/AU_Data/AU_Temp -t tmpfs -o rw,size=100M
# create /var/run/isvw
dbg "Mount /var"
[ -d /var ] || mkdir /var
mount -n /var
mkdir -p /var/run/isvw
chown isvw.isvw /var/run/isvw
- Save the file by hitting 'ESCAPE' and then :wq
- Mount the tmpfs for the folder now using below command:
-bash-3.00# mount none /opt/trend/isvw/lib/mail/AU_Data/AU_Temp -t tmpfs -o rw,size=100M
- Confirm that the filesystem now has this mounted with the command df -h:
-bash-3.00# df -h
Filesystem Size Used Available Use% Mounted on
/dev/hda2 218.1M 174.0M 32.8M 84% /mnt/rw
/dev/hda2 218.1M 174.0M 32.8M 84% /dev
/dev/hda2 218.1M 174.0M 32.8M 84% /etc
/dev/hda2 218.1M 174.0M 32.8M 84% /home
/dev/hda2 218.1M 174.0M 32.8M 84% /lib/modules
/dev/hda2 218.1M 174.0M 32.8M 84% /opt
none 250.0M 0 250.0M 0% /opt/trend/isvw/temp
none 49.0M 20.8M 28.2M 43% /opt/trend/isvw/log
none 4.0M 0 4.0M 0% /opt/trend/isvw/quarantine
none 5.0M 0 5.0M 0% /opt/trend/isvw/queue
none 101.0M 104.0k 100.9M 0% /opt/trend/isvw/tmpfs
none 99.0M 33.6M 65.4M 34% /opt/trend/isvw/lib/mail/cache
none 98.0M 0 98.0M 0% /coredump
none 100.0M 0 100.0M 0% /opt/trend/isvw/lib/mail/AU_Data/AU_Temp
none 8.0M 220.0k 7.8M 3% /var
/dev/boot 18.6M 8.2M 9.4M 47% /boot
none 201.0M 40.0k 201.0M 0% /tmp
Once completed, please try to update pattern file and let me know in case of any queries.
02-17-2014 06:05 AM
What does this mean:
- Add the RED line from the following output. It must be at this point in the file.
I see nothing in RED in the directions and the part where it says: "it must be at this point in the file" is too clear.
Thanks,
Jim
02-17-2014 10:31 AM
Note, please do not make these changes to solve error code 62. These changes should only be done under specific instruction from TAC as a corner case scenario. Error code 62 will not be fixed by the above changes.
03-17-2014 05:03 AM
Hi Magnus, have read through this discussion after having the same issues. I have re-imaged our CSC to 6.6.1125.0 applied patch 1145 in the manner suggested in this forum. The Virus Pattern File seems to be updated without error, but now get a Failed error
AntiVirusEngine : Virus scan engine 9.75.1005 was successfully downloaded and installed.
Unable to backup file /opt/trend/isvw/lib/libvsapi.so. You need to manually copy file /opt/trend/isvw/temp/AU/libvsapi.so to path /opt/trend/isvw/lib.
Have not been able to resolve this problem, do you have any suggestions please
Thanks Paul
02-17-2014 06:05 AM
Hi,
This is a know issue that seems to be affecting a lot of customers off late.
The root cause for the issue seems to be the inability of the CSC module to verify the signed pattern package that it downloads because the signer certificate has expired.
This has already been reported to Trend and there is a patch available for the same (6.6.1125.0.1140).
Please find below the release notes information for the same.
This hot fix resolves the following issue: Issue: The ActiveUpdate module for Stargate supports "root signed" certificates only. However, "root signed" certificates will expire by March 2015. By that time, every SSL server certificate must be issued by an intermediate CA. Since the ActiveUpdate module does not support intermediate CA certificates, all ActiveUpdate updates will eventually fail. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix updates the ActiveUpdate module to enable CSC to support intermediate CA certificates.
I would request you to open a TAC case so that the patch can be applied to the module.
HTH
Kamalesh
02-17-2014 06:47 AM
just received a patch
testing
02-17-2014 08:24 AM
I don't see the patch on Cisco website, did you have to recieve it direct from TAC?
02-17-2014 09:00 AM
Its attached to my tac case
Sent from Cisco Technical Support iPhone App
02-17-2014 09:17 AM
Looks like a common thing, however, has not been confirmed as answered yet. Does the patch work?
02-17-2014 09:48 AM
Any way to fix ASA-SSM-CSC-10 ver. 6.3.1172.0 ?
02-17-2014 10:29 AM
This issue is caused by a change in the certificate used to sign the updates. A fix is available for CSC Module version 6.6.1125.0. The fix is Patch 1140. Give me a few minutes and I'll have a link for you.
02-17-2014 11:02 AM
CSC Module patc 1144 is available on Trend Micro's safesync server:
See
02-17-2014 11:47 AM
Test done.
Patch 1140 - working =)
Thank you very much.
02-17-2014 11:53 AM
Denis,
Thanks for the update. Our apologies for the confusion!
- Magnus
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide