Virus Update @ Cisco IPS, Version 6.1(1)E2

Jul 18th, 2008


One of our customers has an ASA-SSM-10 IPS module on an ASA 5520. Yesterday I did a Signature Update and here is what I've found out:

Signature Definition:

Signature Update S435.0 2008-07-15

Virus Update V1.4 2007-03-02

As far as I know, when you perform a signature update the virus parameters are updated as well. But the Virus Definitions date from March 2007!!! Pretty old.

I may be wrong though.

How can I update the Virus Definitions on the module? I searched the Download Software and couldn't find any update that mentioned specifically the Virus Definitions.

Thanks in advance!

Best Regards, Dan

scothrel Fri, 07/18/2008 - 11:10

Dan, V 1.4 is the latest available. The virus updates were being provided from Trend via a now defunct product, Incident Control Service (Server?). The current V1.4 virus signatures are embodied in signatures in the 50001 ~ 50013 range, if I recall correctly.

Note that signatures 50000-1 through -3 are also part of the ICS range, but used for throttling and should never be enabled outside of ICS control.


aspring Sun, 10/05/2008 - 12:52

Hi Scott, I have a similar situation to Dan with an ASA-SSM-20. Do you know if we can expect regular Virus definitions to be made available again in future IPS Signature updates?



rhermes Mon, 10/06/2008 - 08:00

This topic surfaces on a regular basis, so I'll quote two of the best answers from marcabal and mhellman.

Posted by: marcabal - Oct 18, 2007, 11:30am PST

That is the latest version.

The V signatures are created by Trend Micro Systems when a major virus/worm outbreak occurs and an emergency update is needed.

The V update could then be deployed through a Cisco ICS management server.

But there has not been a major emergency outbreak in the past 2 years that has required a special V signature update.

Instead, any signatures for virus/worms in the past 2 years have just been included as part of the standard signature update process and been included in our standard S signature levels without the need for special emergency updates.

Often the vulnerability was already detected by a standard S signature update before the virus/worm began spreading.

Posted by: mhellman - Jan 31, 2008, 12:44pm PST


aspring Mon, 10/06/2008 - 11:39


Thanks for coming back so quickly. Your response has helped clear the issue for me. It would be useful if Cisco provided this information in the Signature Readme files; then perhaps the AV Update version would not be raised so often on the Forum.



