Sophos corrupted signature problem - any updates?

esmith
Level 1

We were hit by this issue with the corrupt Sophos AV signature, causing performance on the S appliances to tank.  Cisco said it would be corrected by this afternoon, but it's evening now and still nothing.  Anyone hearing anything new about this?

Dear Cisco Web Security Customer,


This message is for Web Security Appliance customers running releases 7.0.x or 7.1.x & using Sophos virus scanning.
 
The primary Cisco IronPort datacenter encountered a power event at approximately 6:30am PDT today, May 22, 2012 that caused a failover to one of our backup datacenters.  We have recently received customer reports of issues relating to Sophos and performance.  It has been determined that after the power event your appliance(s) may have received an outdated Sophos update that could potentially cause a data corruption that may impact the performance of your appliance.  Cisco engineering teams are actively working on an update that will correct this issue and we are anticipating it being made available by early afternoon PDT tomorrow, May 23, 2012.
 
As a precaution Cisco IronPort recommends that until the update is available that you temporarily disable Sophos virus scanning using the following instructions:
 
1) Login to the Web Security Appliance via HTTP to the GUI
2) Go to Security Services -> Anti-Malware
3) Click at “Edit Global Settings”
4) Uncheck “Enable Sophos”
5) Press “Submit”
6) Commit the changes
 
Cisco IronPort will notify you when the update is available.
 
We apologize for any inconvenience.
 


Best Regards,
Cisco Content Security Customer Support
Support Portal: http://cisco.com/web/ironport
Toll-Free Customer Support
United States: 1-877-641-IRON (4766)
International: http://www.cisco.com/web/ironport/contacts.html#~tab-3

6 Replies

esmith
Level 1

Wow - that was quick. 

This is an update for Web Security Appliance customers running releases 7.0.x or 7.1.x & using Sophos virus scanning. 

A Sophos IDE patch is now available that resolves this problem.

Problem Summary:

The primary Cisco IronPort datacenter encountered a core switch failure at approximately 4:30am PDT yesterday, May 22, 2012.  Following this event we received customer reports of issues relating to Sophos and performance.  It was determined that some customers had an outdated Sophos update that could potentially cause data corruption or impact the performance of their appliances. 

Cisco Engineering was able to identify the cause of this problem and released a Sophos IDE patch at 07:20 PM PDT that fixes this problem.

How To Upgrade

Prior to upgrading, please save a copy of the configuration file somewhere other than on your appliance. This Upgrade requires you to reboot your appliance if you are running an outdated Sophos IDE.

Note: If your WSA doesn't require this patch you will not be asked to reboot. You will just need to click "Clear Upgrade" in the WebUI or exit the session in the CLI.

From the CLI:

1. Log into the command line of your Cisco IronPort Appliance as the 'admin' user

2. Type 'upgrade'

3. When asked if you are sure you would like to reboot, press 'Yes'

From WebUI:

1. Go to 'System Upgrade' in the 'System Administration' tab

2. Select 'Sophos IDE Patch Update (Reboot May Be Required)' from the list of updates.

3. After upgrade completes, click on 'Reboot Now'

Once the IDE patch upgrade and reboot is complete, it will bring your Sophos virus definitions to factory default and will be automatically updated to latest definitions at the next scheduled update. If you do not want to wait until the next scheduled update, you can choose to update now by using the following steps:

WebUI:

1. Security Services -> Anti-Malware page and click 'Update Now' button

CLI:

1. Run 'updatenow'

If you took the precautionary step of temporarily disabling Sophos virus scanning, you should re-enable it after loading the Sophos IDE patch by using the following instructions:

1) Login to the Web Security Appliance via HTTP to the GUI

2) Go to Security Services -> Anti-Malware

3) Click at “Edit Global Settings”

4) Check “Enable Sophos”

5) Press “Submit”

6) Commit the changes

We apologize for any inconvenience this has caused.

Best Regards,

Cisco Content Security Customer Support

Support Portal:

http://cisco.com/web/ironport

Toll-Free Customer Support

United States: 1-877-641-IRON (4766)

International:

http://www.cisco.com/web/ironport/contacts.html#~tab-3

... and the appliance bricked with the update. 

Eric Smith wrote:

... and the appliance bricked with the update. 

Sorry to hear that :( We just upgraded two appliances, no problems both times.

Please contact Ironport support at the number below.

Christian Rahl

Customer Support Engineer

Cisco IronPort - Web Security Appliances

Cisco Technical Assistance Center RTP

United States Ironport: 1-877-641-IRON (4766)

Thanks for the responses.  We crossed our fingers and did a power cycle on it this morning, and it has come back to life. Looks like we're OK now.  Couldn't do that remotely last night.

Ok, that is good news.

Christian Rahl
