Cisco Support Community

ASA: CSC Module - Common problems


Documentation


This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc_admin.html

Where do I download the latest code for the CSC module?

To download the latest code for the CSC module follow this link: http://tools.cisco.com/squish/E56f81

How do I re-image the CSC module?

Follow this support forum link, which is very easy to follow. Pay attention to every single step. https://supportforums.cisco.com/docs/DOC-1323

How to upgrade the module to a new .pkg file?

1.  Download the csc-p-6.3.1172.3.pkg or the latest from here: http://tools.cisco.com/squish/518547

2.  Access the Trend Micro CSC SSM console by doing the following:

  • a.  Launch ASDM.
  • b.  Choose Configuration > Trend Micro Content Security.

3.  Choose Administrator > Product Upgrade from the menu.

4.  Click Browse and select the .pkg file you downloaded.

5.  Click Install.

6.  Click Summary to confirm the installed software version.

7.  (Optional) Use an EICAR test file to confirm that the upgrade was successful and that the scanning services have been configured correctly.

CSC is not scanning e-mail traffic or is sending in a lot of SPAM.

Check if the e-mail traffic is being sent to the module for scanning

Issue the following command, where 192.168.1.1 is an inside PC and 10.2.2.2 is an external e-mail server, and make sure "csc fail-open" shows up in the output flow, indicating that the module is indeed scanning the e-mail traffic.

CSC-ASA# sh service-policy flow tcp host 192.168.1.1 ho 10.2.2.2 eq 25

Global policy:
  Service-policy: global_policy
    Class-map: csc-traffic
      Match: access-list csc-acl
        Access rule: permit tcp any any eq www
      Action:
        Output flow:  csc fail-open
    Class-map: class-default
      Match: any
      Action:

Check if the Trend GUI is configured to scan inbound e-mail traffic

In the Trend GUI, go to Mail >> Scanning >> Incoming and make sure it is enabled. See image: csc-email-scan.jpg

Check if the e-mail header shows the Trend Micro stamp

View All Message Headers in Outlook 2007:

The e-mail message cannot be one that was forwarded to you, because forwarding strips the e-mail headers.

The e-mail message should have been delivered directly to you or sent to you as a (mail item) attachment.

  • Open the email in a new window by double-clicking it.
  • Click the expansion button in the lower right corner of the Options toolbar box.

  • Find the headers under "Internet headers:".

View All Message Headers in Outlook 2000, 2002 and 2003:

To display all of a message's header lines in Outlook 2000 to Outlook 2003:

  • Open the message in a new window in Outlook.
  • Select View | Options... from the message's menu.

The header should show the following, indicating that the e-mail was indeed scanned by the CSC module.

X-TM-AS-Product-Ver: CSC-0-3.6.1039-14936
X-TM-AS-Result: Yes-12.55-4.50-31-1
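
The same header check can be run over a folder of saved .eml messages instead of opening each one in Outlook. The script below is an added example, not part of the original document; the function names and the sample messages are constructed for illustration, and it only reports whether both stamp headers are present in the header block, without interpreting the X-TM-AS-Result value.

```sh
#!/bin/sh
# Added example (not from the original document): check saved .eml files for the CSC stamp.

# Print "scanned ver=... result=..." or "not-scanned" for one .eml FILE.
csc_scan_status() {
    awk '
        function store() {            # record the header that just ended
            if (name == "x-tm-as-product-ver") ver = val
            if (name == "x-tm-as-result")      res = val
            name = ""
        }
        { sub(/\r$/, "") }            # tolerate CRLF line endings
        /^$/ { exit }                 # blank line ends the header block
        /^[ \t]/ {                    # folded continuation line
            sub(/^[ \t]+/, "")
            if (name != "") val = (val == "" ? $0 : val " " $0)
            next
        }
        {
            store(); i = index($0, ":")
            if (i > 1) {
                name = tolower(substr($0, 1, i - 1))
                val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            }
        }
        END {
            store()
            if (ver != "" && res != "") print "scanned ver=" ver " result=" res
            else print "not-scanned"
        }
    ' "$1"
}

# Print one status line per .eml file in DIR.
csc_triage_dir() {
    for f in "$1"/*.eml; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(csc_scan_status "$f")"
    done
}

# Constructed samples: a stamped message with a folded header, and a forwarded copy.
make_samples() {
    printf 'From: a@example.com\nX-TM-AS-Product-Ver: CSC-0-3.6.1039-14936\nX-TM-AS-Result:\n Yes-12.55-4.50-31-1\n\nbody\n' > "$1/stamped.eml"
    printf 'From: b@example.com\nSubject: FW: offer\n\nX-TM-AS-Result: quoted in body\n' > "$1/forwarded.eml"
}

tmp=$(mktemp -d) && make_samples "$tmp" && csc_triage_dir "$tmp"; rm -rf "$tmp"
```

A message reported as not-scanned either bypassed the module or lost its headers through forwarding, so check the service policy before treating it as a missed detection.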

How to submit SPAM messages to Trend Micro

1. The spam e-mails should be saved in .MSG or .EML format.
2. The spam sample should be the original mail, not a forwarded mail, since forwarded mails do not contain the original mail contents and may contain customer-related information that could lead to false positives.
3. The original spam mail can be obtained with the following steps:
  • Create a folder
  • Drag all undetected spam samples to the created folder
  • Place the undetected spam samples in a zip file and password-protect it using the word "novirus" without the quotes
  • Send the zip file

Send the samples to the following e-mail addresses:

Spam@support.trendmicro.com  - Undetected spam sample submission mailbox

False@support.trendmicro.com - Legitimate mail tagged as spam submission mailbox

Note:  Customers will not get a reply.

Please be informed that Trend Micro has a large collection of honeypots for collecting new and emerging spam threats. Once samples are received, they are automatically sent to the automated spam processing team.

CSC module status shows un-responsive

If the module shows as unresponsive in the output of the command "show module 1 detail", you can issue one of the following commands to reboot the module.

This does not reboot the ASA.

hw-module module 1 reset

or

hw-module module 1 reload

or

hw-module module 1 shutdown and then hw-module module 1 shutdown

Internet traffic is very slow

  • Check to see if you have HTTP inspection enabled. Issue "sh run policy-map" to see if you have HTTP inspection enabled. If so, disable it and try the websites again.
  • Make sure the CSC module has proper DNS servers configured so that the module is able to get name resolution without any problem.

How do I reset the CSC password?

1. Telnet/SSH to the ASA

2. Issue the command "hw-module module 1 password-reset"

This will reset the CSC module password to the default password, which is cisco.

How to enable the root account

1. SSH/Telnet to ASA

2. Session into the Module with the command: session 1

3. Login with the username 'cisco' and the CSC password

4. Select Troubleshooting Tools and then choose Enable root account

5. Log out and log in again with 'session 1', but this time using the 'root' account (default password is 'cisco')

Unable to update grayware and spyware updates

1. First, enable the root account on your CSC module using the steps provided above.

2. Session into the Module with the command: session 1

3. Login with the username 'root' and 'cisco' for password

4. Change to the /opt/trend/isvw/tmpfs/AU/AU_Log directory, and remove all files:

-bash-3.00# cd /opt/trend/isvw/tmpfs/AU/AU_Log
-bash-3.00# rm *

5. Change to the /opt/trend/isvw/tmpfs/AU/AU_Temp directory, and remove all files:

-bash-3.00# cd /opt/trend/isvw/tmpfs/AU/AU_Temp
-bash-3.00# rm -rf *

6. Change to the /opt/trend/isvw/tmpfs/AU/AU_Workdir directory and remove all of the files and directories except the following directories:

   piranhacache
   piranhaengine
   piranharule

-bash-3.00# cd /opt/trend/isvw/tmpfs/AU/AU_Workdir
-bash-3.00# ll
drwxr-xr-x    2 isvw     isvw           60 Aug 18 02:49 AU_Backup
drwxr-xr-x    2 isvw     isvw           40 Aug 20 02:17 piranhacache
drwxr-xr-x    2 isvw     isvw           40 Jul 27  2007 piranhaengine
drwxr-xr-x    2 isvw     isvw           40 Aug 20 02:17 piranharule
-rw-r--r--    1 isvw     isvw         8071 Aug 17 00:00 tmblack.121
-rw-rw-r--    1 isvw     isvw      1575731 Aug 18 02:49 tmwhite.459
-rw-r--r--    1 isvw     isvw      1580567 Aug 20 02:48 tmwhite.461

-bash-3.00# rm -rf AU_Backup
-bash-3.00# rm *.*
-bash-3.00# ll
drwxr-xr-x    2 isvw     isvw           40 Aug 20 02:17 piranhacache
drwxr-xr-x    2 isvw     isvw           40 Jul 27  2007 piranhaengine
drwxr-xr-x    2 isvw     isvw           40 Aug 20 02:17 piranharule
-bash-3.00#

7. Exit, then session back into the module using the cisco account and restart the services.

8. Make sure manual update works without any errors.
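
Step 6 can also be done against a keep-list rather than with "rm *.*", which skips any file that has no dot in its name. The script below is an added example, not part of the original document or of any Cisco or Trend Micro tooling; the function names and the sample tree are constructed, and it assumes a POSIX shell (mktemp is used only for the demo).

```sh
#!/bin/sh
# Added example (not from the original document): keep-list cleanup for step 6.
# Lists what would be removed by default; deletes only when --delete is given.

# usage: au_workdir_clean DIR [--delete]   (DIR must be named AU_Workdir)
au_workdir_clean() {
    dir=${1%/}; mode=${2:-list}
    case ${dir##*/} in
        AU_Workdir) ;;
        *) echo "refusing: $dir is not an AU_Workdir directory" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        case ${entry##*/} in
            piranhacache|piranhaengine|piranharule) continue ;;  # keep-list
        esac
        [ "$mode" != "--delete" ] || rm -rf -- "$entry"
        printf '%s\n' "${entry##*/}"
    done
}

# Constructed copy of the listing shown in step 6, plus one dotless file
# ("leftover") that "rm *.*" would not match.
make_sample_workdir() {
    mkdir -p "$1/AU_Workdir/AU_Backup" "$1/AU_Workdir/piranhacache" \
             "$1/AU_Workdir/piranhaengine" "$1/AU_Workdir/piranharule"
    for f in tmblack.121 tmwhite.459 tmwhite.461 leftover; do
        : > "$1/AU_Workdir/$f"
    done
}

demo=$(mktemp -d) && make_sample_workdir "$demo"
au_workdir_clean "$demo/AU_Workdir"            # dry run: names only
au_workdir_clean "$demo/AU_Workdir" --delete   # actually remove
ls "$demo/AU_Workdir"                          # only the three kept directories
rm -rf "$demo"
```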

ID-Agent issues:


Domain Controller shows up with a Red X

Verify the domain controller server credentials on the CSC module. This needs to be a domain admin equivalent account.

Verify the account is not locked.


Unable to find user IDs in Active Directory

  1. The machine that has the ID agent installed should be part of the Windows domain.
  2. File sharing should be enabled on the client machine.
  3. The "Remote Registry" service should be enabled.
  4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow inbound WMI calls. Also, make sure "File and Printer Sharing" is part of the exception list.


Version history: Revision 1 of 1
Last update: 08-24-2010 07:27 PM