Overview After a recent change to the certificate authority used to sign the certificate on tools.cisco.com, multiple system that rely on that server may fail to trust the certificate presented. This may manifest in many ways depending on the product or feature leveraging tools.cisco.com. Commonly, Smart Licensing registration or Smart Call Home may fail to connect and operate as expected. Refer to the products/services outline below for information on how to work around this certificate change.   The Certificate Authority that signed the certificate has changed to QuoVadis Root CA 2 and that CA certificate is available here:   -----BEGIN CERTIFICATE----- MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp +ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1 ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og /zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2 A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y 4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza 8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u -----END CERTIFICATE-----   FXOS based systems (Firepower 4100 and Firepower 9300 systems) Affected functions/features: Smart Licensing  Cisco Bug ID: CSCvm81014 Symptoms: Smart licensing may fail to register (as seen in chassis manager) indicating that there was a failure when trying to authenticate the server. Specifically the failure reason will state: "Failed to authenticate server" The output of show license all may look like the following: 4100CHASSIS # show license all Smart Licensing Status ====================== Smart Licensing is ENABLED Registration: Status: REGISTERING - REGISTRATION IN PROGRESS Export-Controlled Functionality: Not Allowed Initial Registration: FAILED on Oct 09 18:03:27 2018 UTC Failure reason: Failed to authenticate server Next Registration Attempt: Oct 09 18:18:39 2018 UTC   Workaround: For the FXOS based platforms, adding the certificate to the chassis's trust store will allow the Smart Licensing Agent to validate the certificate from the cisco.com server. This is done via the CLI by SSH'ing to the chassis and changing into the security scope, adding a trustpoint, and then executing commit-buffer. Example: 4100CHASSIS # 4100CHASSIS # scope security 4100CHASSIS /security # create trustpoint QuoVadisRootCA2 4100CHASSIS /security/trustpoint* # set certchain Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort. Trustpoint Certificate Chain: > At this point. Paste certificate listed above, including all of the leading and ending hyphens. Once pasted in, enter ENDOFBUF and hit Enter. Save the change with the command commit-buffer. > >ENDOFBUF 4100CHASSIS /security/trustpoint* # commit-buffer 4100CHASSIS /security/trustpoint # end 4100CHASSIS # When the Smart Licensing system re-attempts connection to the service, it should succeed.     ASA Software on multiple platforms Affected functions/features:   Smart Licensing, Smart Call Home Cisco Bug ID: CSCvm80874 Symptoms: Smart Licensing may fail to register (as seen in chassis manager) indicating that there was a failure when trying to communicate with the service. In addition Smart Call Home functionality may also be impacted. The output of the command show license registration will indicate an error:  ASAv# show license registration Registration Status: Retry In Progress. Registration Start Time: Mar 22 13:25:46 2016 UTC Registration Status: Retry In Progress. Registration Start Time: Mar 22 13:25:46 2016 UTC Last Retry Start Time: Mar 22 13:26:32 2016 UTC. Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC. Number of Retries: 1. Last License Server response time: Mar 22 13:26:32 2016 UTC. Last License Server response message: Communication message send response error     Workaround: To allow the ASA to trust the new certificate, you can manually import it into the ASA's certificate trust store. For example:  ASA# config t ASA(config)# crypto ca trustpoint QuoVadisRootCA2 ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# crl configure ASA(config-ca-crl)# crypto ca authenticate QuoVadisRootCA2 Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself <<PASTE IN THE CERTIFICATE FROM ABOVE, INCLUDING STARTING AND ENDING -'S >> quit INFO: Certificate has the following attributes: Fingerprint: 5e397bdd f8baec82 e9ac62ba 0c54002b Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported   On Version 9.5(2) and later, the ASAv platform has the trustpool configured to auto-import at 10:00 PM device local time: ASAv# sh run crypto ca trustpool crypto ca trustpool policy auto-import ASAv# sh run all crypto ca trustpool crypto ca trustpool policy revocation-check none crl cache-time 60 crl enforcenextupdate auto-import auto-import url http://www.cisco.com/security/pki/trs/ios_core.p7b auto-import time 22:00:00    In addition, you can immediately update the local trust store with the following command line (Thanks to @Taisuke Nakamura): ASA# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b  Note: This command is also available on ASA version 9.5(1) and earlier, which does not support auto-import feature. This command is not supported on multiple context mode.   The below is example output of latest trustpool import before new smart license registration. ASA# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b Root file signature verified. Trustpool import: attempted: 10 installed: 10 duplicates: 0 expired: 0 failed: 0 ASA#      Issues with FIPS enabled on the ASA platform If FIPS is enabled on the ASA, the certificate listed above may be rejected for not conforming to the signature cryptographic requirements. The QuoVadis Certificate has Signature Algorithm: sha1WithRSAEncryption. You will be shown an error upon import similar to the following:   Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate is not FIPS compliant. % Error in saving certificate: status = FAIL   As a workaround, you may import the intermediate certificate for tools.cisco.com which is the HydrantID SSL ICA G2 certificate. This certificate has Signature Algorithm: sha256WithRSAEncryption   Certificate chain for tools.cisco.com: > openssl s_client -connect tools.cisco.com:443 Certificate chain 0 s:/C=US/ST=CA/L=San Jose/O=Cisco Systems, Inc./CN=tools.cisco.com i:/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2 1 s:/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2 i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 The HydrantID SSL ICA G2 certificate is available here and can be imported in a similar manner:   -----BEGIN CERTIFICATE----- MIIGxDCCBKygAwIBAgIUdRcWd4PQQ361VsNXlG5FY7jr06wwDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ BgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0xMzEyMTcxNDI1MTBaFw0yMzEy MTcxNDI1MTBaMF4xCzAJBgNVBAYTAlVTMTAwLgYDVQQKEydIeWRyYW50SUQgKEF2 YWxhbmNoZSBDbG91ZCBDb3Jwb3JhdGlvbikxHTAbBgNVBAMTFEh5ZHJhbnRJRCBT U0wgSUNBIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9p1ZOA9+ H+tgdln+STF7bdOxvnOERYyjo8ZbKumzigNePSwbQYVWuso76GI843yjaX2rhn0+ Jt0NVJM41jVctf9qwacVduR7CEi0qJgpAUJyZUuB9IpFWF1Kz14O3Leh6URuRZ43 RzHaRmNtzkxttGBuOtAg+ilOuwiGAo9VQLgdONlqQFcrbp97/fO8ZIqiPrbhLxCZ fXkYi3mktZVRFKXG62FHAuH1sLDXCKba3avDcUR7ykG4ZXcmp6kl14UKa8JHOHPE NYyr0R6oHELOGZMox1nQcFwuYMX9sJdAUU/9SQVXyA6u6YtxlpZiC8qhXM1IE00T Q9+q5ppffSUDMC4V/5If5A6snKVP78M8qd/RMVswcjMUMEnov+wykwCbDLD+IReM A57XX+HojN+8XFTL9Jwge3z3ZlMwL7E54W3cI7f6cxO5DVwoKxkdk2jRIg37oqSl SU3z/bA9UXjHcTl/6BoLho2p9rWm6oljANPeQuLHyGJ3hc19N8nDo2IATp70klGP kd1qhIgrdkki7gBpanMOK98hKMpdQgs+NY4DkaMJqfrHzWR/CYkdyUCivFaepaFS K78+jVu1oCMOFOnucPXL2fQa3VQn+69+7mA324frjwZj9NzrHjd0a5UP7waPpd9W 2jZoj4b+g+l+XU1SQ+9DWiuZtvfDW++k0BMCAwEAAaOCAZEwggGNMBIGA1UdEwEB /wQIMAYBAf8CAQAweAYDVR0gBHEwbzAIBgZngQwBAgEwCAYGZ4EMAQICMA4GDCsG AQQBvlgAAmQBAjBJBgwrBgEEAb5YAAOHBAAwOTA3BggrBgEFBQcCARYraHR0cDov L3d3dy5oeWRyYW50aWQuY29tL3N1cHBvcnQvcmVwb3NpdG9yeTByBggrBgEFBQcB AQRmMGQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xvYmFsLmNv bTA2BggrBgEFBQcwAoYqaHR0cDovL3RydXN0LnF1b3ZhZGlzZ2xvYmFsLmNvbS9x dnJjYTIuY3J0MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBQahGK8SEwzJQTU 7tD2A8QZRtGUazA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnF1b3ZhZGlz Z2xvYmFsLmNvbS9xdnJjYTIuY3JsMB0GA1UdDgQWBBSYarYtLr+nqp/299YJr9WL V/mKtzANBgkqhkiG9w0BAQsFAAOCAgEAlraik8EDDUkpAnIOajO9/r4dpj/Zry76 6SH1oYPo7eTGzpDanPMeGMuSmwdjUkFUPALuWwkaDERfz9xdyFL3N8CRg9mQhdtT 3aWQUv/iyXULXT87EgL3b8zzf8fhTS7r654m9WM2W7pFqfimx9qAlFe9XcVlZrUu 9hph+/MfWMrUju+VPL5U7hZvUpg66mS3BaN15rsXv2+Vw6kQsQC/82iJLHvtYVL/ LwbNio18CsinDeyRE0J9wlYDqzcg5rhD0rtX4JEmBzq8yBRvHIB/023o/vIO5oxh 83Hic/2Xgwksf1DKS3/z5nTzhsUIpCpwkN6nHp6gmA8JBXoUlKQz4eYHJCq/ZyC+ BuY2vHpNx6101J5dmy7ps7J7d6mZXzguP3DQN84hjtfwJPqdf+/9RgLriXeFTqwe snxbk2FsPhwxhiNOH98GSZVvG02v10uHLVaf9B+puYpoUiEqgm1WG5mWW1PxHstu Ew9jBMcJ6wjQc8He9rSUmrhBr0HyhckdC99RgEvpcZpV2XL4nPPrTI2ki/c9xQb9 kmhVGonSXy5aP+hDC+Ht+bxmc4wN5x+vB02hak8Hh8jIUStRxOsRfJozU0R9ysyP EZAHFZ3Zivg2BaD4tOISO8/T2FDjG7PNUv0tgPAOKw2t94B+1evrSUhqJDU0Wf9c 9vkaKoPvX4w= -----END CERTIFICATE-----   ... View more

Show Name: Finding Your Firepower Contributors: Kevin Klous, Ben Ritter, Jay Johnston, Magnus Mortensen Posting Date:  September 12, 2016 Description: The podcast team dive into Firepower technologies and deployment strategies for some of the Firepower Product line as well as the new ASA/Firepower merged product, Firepower Threat Defense Listen Now    (MP3 59.2 MB; 64:39 mins)  Subscribe to the Podcast in iTunes by clicking the image below: Show Notes Management Platforms: https://www.cisco.com/c/en/us/products/security/firesight-management-center/index.html Sensors: Firepower 7000 and 8000 series sensors Cisco FirePOWER 7000 Series Appliances https://www.cisco.com/c/en/us/products/security/firepower-7000-series-appliances/index.html Cisco FirePOWER 8000 Series Appliances https://www.cisco.com/c/en/us/products/security/firepower-8000-series-appliances/index.html ASA with FirePOWER Services (SFR Module) https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html New Firepower 4100 and 9300 chassis Cisco Firepower 4100 Series https://www.cisco.com/c/en/us/products/security/firepower-4100-series/index.html Cisco Firepower 9300 Security Appliance https://www.cisco.com/c/en/us/support/security/firepower-9300-security-appliance/model.html Firepower Threat Defense (FTD) FTD on the ASA https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-55xx-X-qsg.html#pgfId-172315 FTD on the 9300 https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp9300/ftd-9300-qsg.html#pgfId-155318 FTD on the 4100 https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp4100/ftd-4100-qsg.html Other Items Referenced Cisco CLI Analyzer https://cway.cisco.com/go/sa/ Release Notes: Cisco FXOS Release Notes, 2.0(1) https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/release/notes/fxos201_rn.html Cisco FXOS Firepower Chassis Manager Configuration Guide, 2.0(1) https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201.html ... View more

  Issue: A change made to the update servers hosted by TrendMicro has required that all CSC modules be upgraded to support SHA-2.    Issue: A Microsoft(TM) policy released in 2013 no longer allows CA to issue SHA-1 certificates starting January 1, 2016. When this happens, CSC can no longer update patterns and engines successfully through ActiveUpdate (AU) because these updates require SHA-2. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix upgrades the AU module to enable CSC to use SHA-2 instead of SHA-1 to prepare for this change. This issue is fixed for both the 6.6.1125.x code train as well as the 6.6.1164.x code train. The patches below will bring your module up to patch version x.1169. Choose the appropriate patch based on the code version you have now (6.6.1125.x versus 6.6.1164.x) 6.6.1125.x patch (brings module to version 6.6.1125.1169) zip file password is 'novirus': https://box-us-file.trendmicro-cloud.com/SFDC/external_shared/7e78e63321363ef9f2661356c4c76310.php 6.6.1164.x patch (brings module to version 6.6.1164.1169) https://box-us-file.trendmicro-cloud.com/SFDC/external_shared/ec22a5773d5b4e231de1b1204637724b.php What to do if you have trouble with the patch If you run into an issue while deploying the patch, please open a case with Cisco TAC for further assistance @ www.cisco.com/go/tac   ... View more

For CSC Module version 6.6.1125.0, the latest HOTFIX is patch 1157. This brings a module up-to version 6.6.1125.0.1157 from any version of 6.6.1125.x. You can obtain the patch (csc_66_en_hfb1157.pkg) here: https://dc1.safesync.com/LMcmmxjs/CSC-SSM/?a=-rAIk-XpkvI   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) InterScan(TM) for Cisco Content Security and Control Security Services Module (CSC-SSM) 6.6 Hot Fix - Build 1157 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTICE: This hot fix was developed as a workaround or solution to a customer-reported problem. As such, this hot fix has received limited testing and has not been certified as an official product update. Consequently, THIS HOT FIX IS PROVIDED "AS IS." TREND MICRO MAKES NO WARRANTY OR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF THIS HOT FIX NOR DOES IT WARRANT THAT THIS HOT FIX IS ERROR FREE. TO THE FULLEST EXTENT PERMITTED BY LAW, TREND MICRO DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. Contents =================================================================== 1. Hot Fix Release Information 1.1 Issues 1.2 Enhancements 1.3 Files Included in this Release 2. Documentation Set 3. System Requirements 4. Installation/Uninstallation 4.1 Installation 4.2 Uninstallation 5. Post-installation Configuration 6. Known Issues 7. Release History 8. Contact Information 9. About Trend Micro 10. License Agreement =================================================================== 1. Hot Fix Release Information ====================================================================== 1.1 Issues =================================================================== This hot fix resolves the following issue: Issue: If there is heavy network traffic or if FTP connections close unexpectedly while the FTP daemon receives data, it does not time out and thus, does not purge old temporary files. These files use up disk space. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix adds a timeout setting to the FTP daemon so that if it encounters heavy network traffic or if the FTP connections close unexpectedly while it is receiving data, the process times out and triggers the daemon to purge old temporary files. 1.2 Enhancements =================================================================== There are no enhancements for this hot fix. 1.3 Files Included in this Release =================================================================== A. Files for Current Issue ------------------------------------------------------------------- Filename Build No. ------------------------------------------------------------------- factory_default.tgz 1125 migrate.conf 1125 File for Issue ------------------------------------------------------------------- Filename Build No. ------------------------------------------------------------------- isftpd 1157 B. Files for Previous Issues ------------------------------------------------------------------- Filename Build No. ------------------------------------------------------------------- iwss-process 1148 httpsd 1134 libtmmsg.so 1128 issyslog 1129 issyslog.exe 1129 TmSmbGui.jar 1131 libisvwlib.so 1131 libhttpproxy.so 1135 IWSSPIScanVsapi.so 1133 setup.bin 1135 AuPatch 1140 libpatch.so 1140 libtmactupdate.so 1140 libciuas32.so 1140 cert5.db 1140 x500.db 1140 stargate_patch_apply.sh 1144 S01init_ISVW 1146 scheduled 1145 libtmau.so 1145 libhttpproxy.so 1148 httpsd 1155 2. Documentation Set ====================================================================== In addition to this readme.txt, the documentation set for this product includes the following: o Readme.txt -- basic installation, known issues, release history, and contact information o Installation Guide (IG) -- Provides product overview, deployment plan, installation steps and basic information intended to help you deploy InterScan for Cisco CSC SSM smoothly. o Administrator's Guide (AG) -- Provides post-installation instructions on how to configure the settings to help you get InterScan for Cisco CSC SSM "up and running." Also includes instructions on performing other administrative tasks for the day-to-day maintenance of InterScan for Cisco CSC SSM. o Online Help -- Context-sensitive help screens that provide guidance for performing a task. 3. System Requirements ====================================================================== Install this hot fix only on computers that meet the following requirements: - Platform: CSC SSM 10 or CSC SSM 20 - CSC Version: 6.6.1125.0. 4. Installation/Uninstallation ====================================================================== 4.1 Installation =================================================================== To install this hot fix: 1. Ensure that scheduled updates are disabled. 2. Log on to the CSC web console. 3. Click "Administration > Product Upgrade". 4. Select the hot fix package and upload it to the appliance. 5. After a few minutes, verify that the hot fix package has been uploaded to CSC. 6. Enable scheduled updates if you have disabled these in step 1. 4.2 Uninstallation =================================================================== To roll back to the previous build: 1. Log on to the CSC web console. 2. Click "Administration > Product Upgrade". 3. Under "Update number", click the name of the device you want to view. A summary screen appears showing the updates and related log information. 4. Click "Uninstall" to remove an update. 5. Post-installation Configuration ====================================================================== No post-installation steps are required. Note: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing this hot fix. 6. Known Issues ====================================================================== There are no known issues for this hot fix release. 7. Release History ====================================================================== InterScan for Cisco CSC SSM 6.6.1125.0, July 1, 2011 7.1 Prior Hot Fixes =================================================================== Note: Only the new hot fix was tested for this release. Prior hot fixes were tested at the time of their release. Hot Fix 1128 Issue: InterScan slightly modifies the "Received" email header after the CSC POP3 scans email messages. This issue causes the time format of the email messages to violate RFC 5322. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix resolves this issue. Hot Fix 1129 Issue: CSC may stop transferring violation events to Cisco ASDM preventing the "Cisco ASDM Content Security" tab from showing violation events. This issue occurs because the CSC syslog adaptor module runs into a dead loop when it attempts to handle URLs that exceed 1024 bytes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix resolves this issue. Hot Fix 1131 Issue 1: When users make changes in the DNS setting on the CSC web console, the new setting does not take effect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This hot fix enables the web console to restart automatically after users make changes to the DNS setting on the CSC web console. This ensures that the new setting takes effect immediately. Issue 2: For the SMTP content filter feature, the previous file type setting in the background configuration file could not be cleared correctly. This can cause CSC to block a file type other than the one specified in the configuration file on the web console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This hot fix resolves this issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Procedure 2: To correct the previous SMTP content filter background configuration file: a. Log on to the CSC web console. b. Make and save the necessary changes to the content filter setting in the "Mail(SMTP) > Content-Filter > Filter attachments of following file types" field. This step enables the fix to take effect. After performing this step, any changes you make on the content filter setting will take effect immediately. Hot Fix 1132 Issue: When users access some HTTPS sites, the browser freezes for one to two minutes or displays browser/SSL errors if the HTTPS server closes the connection before the client downloads all the data. This issue occurs because the CSC-SSM does not properly close the connection with the client. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix resolves this issue by allowing CSC-SSM to properly close the connection with the client when the server closes the connection with CSC-SSM. Hot Fix 1133 Issue 1: The iwss process may cause the CSC module to stop unexpectedly. This issue can occur when the VSAPI module sends out a large number of nesting call statements which can lead to useless memory allocation and eventually cause the system to run out the memory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This hot fix enables the VSAPI module to use simple character strings instead of the String class to reduce the unnecessary memory allocation. This resolves the issue. Issue 2: The URL filtering and URL blocking functions of the HTTPS module may stop working 30 minutes after starting. This issue occurs because the httpsd process encounters a data corruption issue which can cause it to stop unexpectedly and may trigger a core dump issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This hot fix prevents the core dump issue in the httpsd process to ensure that both the HTTPS URL filtering and URL blocking functions work properly. Issue 3: The VSAPI module requires CSC to change the "Accept-Encoding" header of an HTTP request from "gzip/deflate" to "Identity" which is the default value, before sending the HTTP request to the server. However, the actual encoding of the PDF file is "gzip". This mismatch can prevent Microsoft(TM) Internet Explorer(TM) 8 from downloading the file. This issue does not affect Mozilla(R) Firefox(R). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This hot fix prevents CSC from changing the "Accept-Encoding" header of HTTP requests in clients that use Internet Explorer. Hot Fix 1134 Issue: The CSC module stops unexpectedly because of a null pointer in the commonUID module. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix prevents the commonUID module from calling the null pointer. Hot Fix 1135 Issue 1: When accessing a web site through CSC and the size of the header of the HTTP response exceeds 16 KB, the client will not be able to display the web page properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This hot fix increases the HTTP receiver buffer to enable CSC to process HTTP responses with headers that are larger than 16 KB. Issue 2: A related process can use up 100% of CPU resources while "setup.bin" runs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This hot fix optimizes the handling method for terminated signals to ensure that it can efficiently handle terminated signals and that the affected process can close successfully. Hot Fix 1140 Issue: The ActiveUpdate module for Stargate supports "root signed" certificates only. However, "root signed" certificates will expire by March 2015. By that time, every SSL server certificate must be issued by an intermediate CA. Since the ActiveUpdate module does not support intermediate CA certificates, all ActiveUpdate updates will eventually fail. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix updates the ActiveUpdate module to enable CSC to support intermediate CA certificates. Hot Fix 1144 Issue: Updates may not complete because there is not enough disk space in "/opt/trend/isvw/lib/mail" and ActiveUpdate uses this folder for updates. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix transfers the ActiveUpdate folder to another location to ensure that it has enough disk space to perform updates successfully. Hot Fix 1145 Issue: Sometimes, a copy file error appears after a successful antispam pattern update. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix prevents the copy file error from appearing after a successful antispam pattern update. Hot Fix 1146 Issue: Sometimes, Virus Scan Engine updates fail because the backup file is missing. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix creates the missing backup file in affected computers to ensure that the Virus Scan Engine can be updated successfully. Hot Fix 1147 Issue: Sometimes, CSC cannot decode URLs that contain special characters because it cannot parse these URLs correctly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix enables CSC to parse URLs with special characters to ensure that it can successfully decode these URLs. Hot Fix 1148 Issue: When users access a web site through CSC, the client may not be able to display the web page properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix enables clients to display web pages properly. Hot Fix 1155 Issue: An array overflow issue triggers the iwss process to stop unexpectedly and generate core dump files while parsing certain URLs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: This hot fix resolves the issue so users can access the affected web sites normally. 8. Contact Information ====================================================================== A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our web site. Global Mailing Address/Telephone numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 9. About Trend Micro ====================================================================== Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. Copyright 2014, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, Smart Protection Network, and InterScan are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 10. License Agreement ====================================================================== Information about your license agreement with Trend Micro can be viewed at: http://us.trendmicro.com/us/about/company/user_license_agreements/ Third-party licensing agreements can be viewed: - By selecting the "About" option in the application user interface - By referring to the "Legal" page of the Getting Started Guide or Administrator's Guide ... View more