How often ARE those IPS virus signatures updated?

Unanswered Question
Jul 5th, 2006
User Badges:
  • Gold, 750 points or more

I was looking at a "show version" on one of my current sensors and noticed that the last virus signature was over 7 months ago. Now, one of the big reasons I was told we had to pay for our 5.x licenses was these virus signatures. If that's true, and this is the additional value Trend Micro has brought to our sensors, should they get updated a little more frequently?

(from my sensor)

Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0


Realm Keys key1.0

Signature Definition:

Signature Update S235.0 2006-06-22

Virus Update V1.2 2005-11-24

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
marcabal Wed, 07/05/2006 - 18:35
User Badges:
  • Cisco Employee,

The Virus Signature from Trend was one reason for the licensing in 5.x, but was not the only reason and was not even the primary reason.

Even as far back as version 2.x a Support Contract was required for downloading and installation of signature updates. But was not enforced by the software. We relied on the users keeping the support contracts up to date on their own. Many users downloaded and installed signature updates without paying for the support contract. And the vast majority did not realize that a support contract was needed to receive the signature updates.

With the lack of support contract purchases it became difficult to continue fielding a team for writing IPS signature updates.

So in version 5.x it was decided to begin enforcing the purchase of support contracts through the use of Signature Update Licenses as part of the Cisco Service for IPS Contracts. Thus ensuring funding for the signature team, and allowing the team to spread out world wide for 24 hour coverage.

The additional cost of a Cisco Service for IPS contract when compared to standard SmartNET contracts for other Cisco products is for the specific funding of the Cisco signature team, and a small amount sent to Trend for assistance in signature creation. Only a small portion of the support contract is paid to Trend Micro for their support.

The Virus signatures are part of the Cisco Incident Control System (Cisco ICS). With the purchase of ICS there is a faster deployment of signature for Virus/Worms. When a virus or worm reaches a critical level then TrendMicro can create their own Virus signatures and have Cisco ICS deploy those signature to the sensors as soon as they are written.

Cisco then includes these Virus signatures in a later standard Cisco signature update.

Now as for why there have not been any recent updates to the Virus Signatures is that there has not been a major out break in the past 6/7 months. The virus signatures are only created on an emergency basis when a virus or worm reaches a critical level. Cisco ICS was specifically designed for handling virus and worm outbreaks, and is referred to as Outbreak Prevention.

If the virus/worm does not reach a critical level, then the emergency Virus signatures are not created.

Instead the Cisco signature team will take care of them as part of the standard Cisco signatures that are included as part of the standard S updates.

This doesn't mean that we are not receiving information from Trend. For Virus/Worms that do not reach that critical level, the Trend team will instead send information to Cisco for creation of standard Cisco signatures by the Cisco signature team. This way the Cisco team can create a mroe general signature designed to catch all attacks for a certain vulnerability that will catch that specific virus/worm as well as future virus/worms that may also attempt to exploit the same vulnerability. These signatures wind up as part of the standard S update. This method is used because the Cisco signature team has more in depth knowledge of the various engines in Cisco IPS and can often write signatures that the Trend engineers would not be able to.

It is only when the Trend Micro engineers need to create an emergency update that they will create their V signatures for the specific virus/worm.

Otherwise they share share the information with Cisco and the Cisco engineers creates the signature.

zhichao Thu, 07/13/2006 - 23:52
User Badges:

Thanks for the info.

The ICS we have installed has been quiet for 2/3 months without any new signature downloaded. We are actually wondering how to prove TrendMicro is really working on ICS.....


This Discussion