
Check your SBRS Scores after upgrading to 8.5.6-092!

Rick Donovan
Level 1

I upgraded my ESA from 8.5.6-073 to 8.5.6-092 on the 26th September.

Today I noticed a lot of malicious e-mails coming through our IronPort and when I checked the message tracking logs I saw the message:

SBRS Score: unable to retrieve

Phoned support and they told me to run a 'repengstatus' command to see when the last update for the reputation engine was. My last update was on the 26th September... coincidence?

I ran a 'repengupdate force' command which forced the update (wait around 10 minutes) and now the engine has been updated; e-mails now have SBRS scores.

There are two reasons why I made this discussion post:

1. If you ran an upgrade to 8.5.6-092, please check that your SBRS scores and rep engine are being updated because your IronPort could be letting a lot of spam/malicious e-mails through.

2. To support - why did this happen? I'm thinking the upgrade caused the issue because I updated on 26th and last update of rep engine was on the 26th but this could just be a coincidence (I've never experienced SBRS score failures).


Hello, we had this problem two times recently: when upgrading to 7.6.3 and now when upgrading to 8.0.1. It doesn't happen on all our appliances, but some of them...

I'm a bit worried by this, especially as 'repengupdate force' is not supposed to be run without formal request from the support (which they did each time, but...).

Philippe

I just want to update this thread with the following info I got from the engineer - basically it's a bug in the update process and running repengupdate force fixes it - I wouldn't worry about running these commands as all it does is force update the engines.

It was only that with the upgrade of the AsyncOS, the reputation engine stopped working correctly.

The newest updates have been downloaded, but were not applied correctly, because of the inconsistent reputation engine. With the forced update, the appliance has downloaded the complete newest engine and also the newest rules, and with the final restart of the feature after the forced update, it started working again.

So the "repengupdate force" has solved the issue that was caused because of the previous reason.

This was a defect covered in the 8.5.6-093 release:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_HP1_Release_Notes.pdf

So, if running the -074 revision... found defect:

https://tools.cisco.com/bugsearch/bug/CSCuq49620

I wouldn't say that running repengupdate force is not supposed to be done, aside from a formal request... is odd to see or hear that would have been mentioned. With the force updates for any of the processes on the ESA, this is usually always a good troubleshooting step for any customer --- as the process will instantly call out to the updater servers, compare manifests, and then pull regardless of what is running the latest engine and rules sets for the process... and then silently implement in the background. While for the customers who might have bandwidth limiting options running on their network, the only major side effect is the package size that is coming across... since the engine is tagged into the rules...

But, normally with antivirus and antispam - this is the most helpful to run antivirusupdate force or antispamupdate ironport force.  Especially in times where the update process itself may have been interrupted with a network related hiccup or staled out download.

-Robert

Robert,

I am facing the same issue as Rick. This has become a risk now as I have to update the reputation engine regularly, otherwise spam emails will barge in. Moreover, we have settings to throttle emails from SBRS "None" sources which apparently will be the case for all messages whenever there is this problem. The last Cisco engineer had asked us to upgrade to 8.5.6 which we did, but the problem still persists.

Our appliances are currently in 8.5.6-092 version. As per your note the release 8.5.6-093 would solve this issue, but I don't see this release available for upgrade. Could Cisco tech push the update to the boxes?

Thanks,

Chandan

We just updated to 8.5.6-106 on the weekend and are seeing this issue on a couple of our machines.
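The symptom described in this thread (messages logged with "SBRS Score: unable to retrieve" from the day of an upgrade onward) can be caught from exported tracking data instead of by noticing spam. The following is an added example, not part of any post in the thread and not Cisco code; the one-line-per-message export layout (ISO date, then text ending in `SBRS Score: <value>`), the function names, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export; layout is an assumption, not an ESA log format.
SAMPLE = """\
2020-01-01 MID 1001 SBRS Score: 3.5
2020-01-01 MID 1002 SBRS Score: -2.1
2020-01-01 MID 1003 SBRS Score: None
2020-01-01 MID 1004 SBRS Score: 5.0
2020-01-02 MID 1005 SBRS Score: 4.2
2020-01-02 MID 1006 SBRS Score: unable to retrieve
2020-01-02 MID 1007 SBRS Score: unable to retrieve
2020-01-02 MID 1008 SBRS Score: unable to retrieve
2020-01-03 MID 1009 SBRS Score: unable to retrieve
2020-01-03 MID 1010 SBRS Score: unable to retrieve
2020-01-03 MID 1011 SBRS Score: unable to retrieve
2020-01-03 MID 1012 SBRS Score: None
2020-01-04 MID 1013 SBRS Score: unable to retrieve
2020-01-04 MID 1014 SBRS Score: unable to retrieve
2020-01-04 MID 1015 SBRS Score: unable to retrieve
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\b.*?SBRS Score:\s*(.+?)\s*$")

def daily_unscored(lines):
    """Return {date: (messages_without_numeric_score, total_messages)}."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        day, value = m.groups()
        stats[day][1] += 1
        try:
            float(value)              # numeric reputation score present
        except ValueError:
            stats[day][0] += 1        # "None" or "unable to retrieve"
    return {d: tuple(v) for d, v in sorted(stats.items())}

def outage_start(stats, threshold=0.9, min_msgs=3):
    """First day of the trailing run of days where nearly all mail is unscored.
    Some "None" is normal (senders with no reputation data), hence a threshold."""
    start = None
    for day, (unscored, total) in stats.items():
        if total < min_msgs:
            continue                  # too little mail to judge this day
        start = (start or day) if unscored / total >= threshold else None
    return start

if __name__ == "__main__":
    stats = daily_unscored(SAMPLE.splitlines())
    print(stats, "outage since:", outage_start(stats))
```

A non-empty result is the cue to compare that date with the appliance's upgrade date and the last update time reported by `repengstatus`.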
