- Documentation
- Where do I download the latest code for the CSC module?
- How do I re-image the CSC module?
- How to upgrade the module to a new .pkg file?
- CSC is not scanning e-mail traffic or is sending in a lot of SPAM.
- check if the e-mail traffic is being sent to the module for scanning
- check if the Trend GUI is configured to scan inbound e-mail traffic
- check if the e-mail header shows the Trend Micro stamp.
- How to submit SPAM messages to Trend Micro
- CSC module status shows un-responsive
- Internet traffic is very slow
- How do I reset the CSC password?
- How to enable the root account
- Unable to update grayware and spyware updates
- ID-Agent issues:
- Domain Controller shows up with a Red X
- Unable to find user IDs in Active Directory
Documentation
This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc_admin.html
Where do I download the latest code for the CSC module?
To download the latest code for the CSC module follow this link: http://tools.cisco.com/squish/E56f81
How do I re-image the CSC module?
Follow this support forum link which is very each to follow. Pay attention to every single step. https://supportforums.cisco.com/docs/DOC-1323
How to upgrade the module to a new .pkg file?
1. Download the csc-p-6.3.1172.3.pkg or the latest from here: http://tools.cisco.com/squish/518547
2. Access the Trend Micro CSC SSM console by doing the following:
- a. Launch ASDM.
- b. Choose Configuration > Trend Micro Content Security.
3. Choose Administrator > Product Upgrade from the menu.
4. Click Browse and select the .pkg file you downloaded.
5. Click Install.
6. Click Summary to confirm the installed software version.
7. Optional) Use an Eicar test file to confirm that the upgrade was
successful and that the scanning services have been configured correctly.
CSC is not scanning e-mail traffic or is sending in a lot of SPAM.
check if the e-mail traffic is being sent to the module for scanning
Issue the following command where 192.168.1.1 is an inside PC and 10.2.2.2 is an external e-mail server and make sure csc-fail-open shows up in the flow inidcating that the module is indeed scanning the e-mail traffic.
CSC-ASA# sh service-policy flow tcp host 192.168.1.1 ho 10.2.2.2 eq 25
Global policy:
Service-policy: global_policy
Class-map: csc-traffic
Match: access-list csc-acl
Access rule: permit tcp any any eq www
Action:
Output flow: csc fail-open
Class-map: class-default
Match: any
Action:
check if the Trend GUI is configured to scan inbound e-mail traffic
Under the Trend GUI >> Mail >> Scanning >> incoming - Make sure it is enabled. Check image here:
check if the e-mail header shows the Trend Micro stamp.
View All Message Headers in Outlook 2007:
E-mail message cannot be a message that was forwarded to you. Forwarding strips the e-mail headers.
The e-mail message should have been directly delivered to you or sent as an (mail item) attachment to you.
- Open the email in a new window by double-clicking it.
- Click the expansion button in the lower right corner of the Options toolbar box.
- Find the headers under Internet headers:.
View All Message Headers in Outlook 2000, 2002 and 2003:
To display all of a message's headers lines in Outlook 2000 to Outlook 2003:
- Open the message in a new window in Outlook.
- Select View | Options... from the message's menu.
The header should show the following indicating that that piece of e-mail was indeed scanned by the CSC module.
X-TM-AS-Product-Ver: CSC-0-3.6.1039-14936
X-TM-AS-Result: Yes-12.55-4.50-31-1
How to submit SPAM messages to Trend Micro
1. The spam emails should be saved as .MSG or .EML format
2. The spam sample should be the original mail, not forwarded mails since forwarded mails do not contain the original
mail contents and may contain customer related information that could lead to False Positives.
3. Original spam mail can be obtained by the following steps below:
> Create a folder
> Drag all undetected spam samples to the created folder
> Place the undetected spam samples in a zip file and password-protect it using the word "novirus" without the quotes
> Send the zip file
Here are the email addresses on where to send the samples:
Spam@support.trendmicro.com - Undetected spam sample submission mailbox
False@support.trendmicro.com - Legitimate mail tagged as spam submission mailbox
Note: Customers will not get a reply.
Please be informed that TrendMicro has a large collection of Honeypots for collecting new and emerging spam threats. Once samples are received, they are automatically sent to the automated spam processing team.
CSC module status shows un-responsive
If the module shows unresponsive for the command "show module 1 detail" you can issue one of the following commands to reboot the module.
This does not reboot the ASA.
hw-module module 1 reset
or
hw-module module 1 reload
or
hw-module module 1 shutdown and then hw-module module 1 shutdown
Internet traffic is very slow
- Check to see if you have http inspection enabled. If so, disable it and try the websites again. Issue "sh run policy-map" to see if you have http inspection enabled.
- Make sure the CSC module has proper DNS servers configured so, the module is able to get name resolution without any problem.
How do I reset the CSC password?
1. Telnet/SSH to the ASA
2. issue the command "hw-module module 1password-reset
This will reset the CSC module password to the default password which is cisco.
How to enable the root account
1. SSH/Telnet to ASA
2. Session into the Module with the command: session 1
3. Login with the username 'cisco' and the CSC password
4. Select Troubleshooting Tools and then choose Enable root account
5. Logout and Login again to 'session 1' but this time using the 'root'
account (default password is 'cisco')
Unable to update grayware and spyware updates
1. First, enable the root account on your CSC module using the steps provided above.
2. Session into the Module with the command: session 1
3. Login with the username 'root' and 'cisco' for password
4. change to the /opt/trend/isvw/tmpfs/AU/AU_Log directory, and remove
all files:
-bash-3.00# cd /opt/trend/isvw/tmpfs/AU/AU_Log
-bash-3.00# rm *
5. Change to the /opt/trend/isvw/tmpfs/AU/AU_Temp directory, and remove
all files:
-bash-3.00# cd /opt/trend/isvw/tmpfs/AU/AU_Temp
-bash-3.00# rm -rf *
6. Change to the /opt/trend/isvw/tmpfs/AU/AU_Workdir
Remove all of the files and directories except the following directories:
piranhacache
piranhaengine
piranharule
-bash-3.00# cd /opt/trend/isvw/tmpfs/AU/AU_Workdir
-bash-3.00# ll
drwxr-xr-x 2 isvw isvw 60 Aug 18 02:49 AU_Backup
drwxr-xr-x 2 isvw isvw 40 Aug 20 02:17 piranhacache
drwxr-xr-x 2 isvw isvw 40 Jul 27 2007 piranhaengine
drwxr-xr-x 2 isvw isvw 40 Aug 20 02:17 piranharule
-rw-r--r-- 1 isvw isvw 8071 Aug 17 00:00 tmblack.121
-rw-rw-r-- 1 isvw isvw 1575731 Aug 18 02:49 tmwhite.459
-rw-r--r-- 1 isvw isvw 1580567 Aug 20 02:48 tmwhite.461
-bash-3.00# rm -rf AU_Backup
-bash-3.00# rm *.*
-bash-3.00# ll
drwxr-xr-x 2 isvw isvw 40 Aug 20 02:17 piranhacache
drwxr-xr-x 2 isvw isvw 40 Jul 27 2007 piranhaengine
drwxr-xr-x 2 isvw isvw 40 Aug 20 02:17 piranharule
-bash-3.00#
7. Then, exit and then session back into the module using the cisco account and restart the services.
8. Make sure manual update works without any errors.
ID-Agent issues:
Domain Controller shows up with a Red X
Verify Domain Controller Server Credentials on the CSC module. This needs to be a domain admin equivalent account.
Verify the account is not locked.
Unable to find user IDs in Active Directory
- The machine what has the ID agent installed should be part of the windows domain
- File Sharing should be enabled on the client machine
- "Remote Registry" Service should be enabled.
- On the windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow in bound WMI calls. Also, make sure the "File and Printer Sharing" is part of the exception list.