In some fairly recent signature upgrade(s), Cisco retired hundreds of signatures. Which sig update retired these signatures? Is there a list of them somewhere?
There are 2 sets of configuration on the system:
1) default configuration - which is updated by the signature update
2) user tunings - "sig0" - which overrides what is in the default configuration
If a configuration option is included in both the default and in "sig0", then whatever is in "sig0" is what will take effect.
(NOTE: To see what is in "sig0" just run "show conf")
If a signature is "retired true" in default, then the user can modify the signature to "retired false" in "sig0" in order to activate/unretire it.
Once the user puts in "retired false" then it will always be "unretired" regardless of what Cisco puts in the default configuration.
You can even prevent future retiring of signatures.
If a signature is currently "retired false" and is active, you can still go ahead and add "retired false" into "sig0". The configuration in "sig0" and the default both list the signature as "retired false".
BUT if later on Cisco changes the signature to "retired true" you will still have "retired false" in "sig0", and your "retired false" will cause the signature to still remain active.
This way you can force a signature to always be active regardless of what a later signature update does.
As for your question of "Won't they be retired after every signature update?"
The answer is NO.
The default will contain "retired true", but if you put "retired false" into "sig0", then it will override the "retired true" in the current default as well as any new defaults from new signature updates.
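The precedence rule described in the answer above, modelled as an added example (not part of the original thread and not Cisco's code). It assumes each layer can be reduced to a mapping of signature ID to its "retired" value; the function names, signature IDs and update contents are constructed for illustration. It also shows how comparing the default layer before and after an update yields the list of signatures that update retired.

```python
# Simplified model of the two layers: "default" (replaced by every signature
# update) and "sig0" (user tunings that persist across updates).
# All signature IDs and values below are constructed sample data.

def effective_retired(default, sig0):
    """Return the retired state in effect: a value in sig0 always wins."""
    return {sig: sig0.get(sig, retired) for sig, retired in default.items()}

def audit_update(old_default, new_default, sig0):
    """Classify what a signature update changed once sig0 is layered on top."""
    after = effective_retired(new_default, sig0)
    report = {"retired_by_update": [],    # default flipped, no override: now off
              "held_active_by_sig0": [],  # default flipped, sig0 keeps it on
              "new_and_retired": []}      # shipped retired in this update
    for sig in sorted(new_default):
        if sig not in old_default:
            if after[sig]:
                report["new_and_retired"].append(sig)
            continue
        flipped = new_default[sig] and not old_default[sig]
        if flipped and after[sig]:
            report["retired_by_update"].append(sig)
        elif flipped:
            report["held_active_by_sig0"].append(sig)
    return report

# Default layer before and after a hypothetical signature update.
OLD_DEFAULT = {"1001": False, "1002": False, "1003": True, "1004": False}
NEW_DEFAULT = {"1001": True, "1002": True, "1003": True, "1004": False,
               "1005": True}

# User tunings: 1002 was pinned "retired false" while it was still active,
# 1003 was unretired by the user after Cisco had retired it.
SIG0 = {"1002": False, "1003": False}

if __name__ == "__main__":
    print("effective:", effective_retired(NEW_DEFAULT, SIG0))
    for category, sigs in audit_update(OLD_DEFAULT, NEW_DEFAULT, SIG0).items():
        print(f"{category}: {sigs}")
```

Signatures in "held_active_by_sig0" are the ones worth reviewing periodically, since the override keeps them active after the vendor has retired them.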