Introduction
This document describes an alert raised by a Cisco Email Security Appliance (ESA) with Advanced Malware Protection (AMP) enabled, where the AMP service cannot communicate over port 32137 or 443 to obtain file reputation.
AMP Receives "File Reputation Service Not Reachable" Error
AMP was introduced on the ESA in AsyncOS 8.5.5 for Email Security. After AMP is licensed and enabled on the ESA, administrators receive the following message:
The Warning message is:
The File Reputation service is not reachable.
Last message occurred 2 times between Tue Sep 10 14:15:14 2024 and Tue Sep 10 14:16:23 2024.
Version: 15.5.1-055
Serial Number: 123A82F6780XXX9E1E10-XXX5DBEFCXXX
Timestamp: 10 Sep 2024 14:19:00 -0500
AsyncOS 14.x or earlier
The AMP service is enabled, but it may be unable to communicate on the network over port 32137, the default port for file reputation.
In this case, the ESA administrator can choose to carry file reputation communication over port 443 instead.
To do this, run ampconfig > advanced from the CLI and make sure you answer Y to "Do you want to enable SSL communication (port 443) for file reputation? [N]>":
(Cluster example.com)> ampconfig
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
- CLUSTERSET - Set how advanced malware protection is configured in a cluster.
- CLUSTERSHOW - Display how advanced malware protection is configured in a cluster.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.cisco.com)
2. AMERICAS(Legacy) (cloud-sa.amp.sourcefire.com)
3. EUROPE (cloud-sa.eu.amp.cisco.com)
4. APJC (cloud-sa.apjc.amp.cisco.com)
5. Private reputation cloud
[1]>
Do you want use the recommended analysis threshold from cloud service? [Y]>
Enter heartbeat interval?
[15]>
Do you want to enable SSL communication (port 443) for file reputation? [N]> Y
Proxy server detail:
Server :
Port :
User :
Do you want to change proxy detail [N]>
Do you want to suppress the verdict update alerts for all messages that are not delivered to the recipient? [N]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. EUROPE (https://panacea.threatgrid.eu)
3. Private analysis cloud
[1]>
If you use the GUI, choose Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down) and make sure the Use SSL check box is selected.
Submit and commit all changes to the configuration.
Finally, review the current AMP logs to confirm that the service and the connection are successful. You can do this from the CLI with tail amp.
Before the change in ampconfig > advanced, the AMP logs show the following:
Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:13:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
After the change in ampconfig > advanced, the AMP logs show the following:
Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud is reachable.
Mon Jan 26 10:19:22 2015 Info: amp File reputation service initialized successfully
Mon Jan 26 10:19:22 2015 Info: amp File Analysis service initialized successfully
Mon Jan 26 10:19:23 2015 Info: amp The File Analysis server is reachable
Mon Jan 26 10:20:24 2015 Info: amp File reputation query initiating. File Name = 'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1
The amp_watchdog.txt file shown in the example above is queried every 10 minutes and tracked in the AMP logs; it is part of the AMP keepalive, so a gap in these entries is itself a sign that the reputation service is not being reached.
A normal query in the AMP logs, for a message whose attachment matches the file types configured for file reputation and file analysis, looks like this:
Wed Jan 14 15:33:01 2015 Info: File reputation query initiating. File Name = 'securedoc_20150112T114401.html', MID = 703, File Size = 108769 bytes, File Type = text/html
Wed Jan 14 15:33:02 2015 Info: Response received for file reputation query from Cloud. File Name = 'securedoc_20150112T114401.html', MID = 703, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = c1afd8efe4eeb4e04551a8a0f5533d80d4bec0205553465e997f9c672983346f, upload_action = 1
With this log information, an administrator can correlate the Message ID (MID) against the mail logs.
Additional Troubleshooting
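The state transitions and query/response pairs above can be checked mechanically rather than by eye. The following Python script is an added example, not code from Cisco or from this page. It parses the AMP log format quoted above (timestamp, level, optional "amp" tag, message), reports the last known reachability state, pairs each "query initiating" line with its cloud response by file name and MID so that unanswered queries stand out, and measures the spacing between amp_watchdog.txt queries against the 10-minute keepalive period. The sample log embedded in it is constructed from the excerpts on this page (one watchdog query is deliberately left without a response); the stall threshold is the author's assumption, not an AMP setting.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample, modelled on the AMP log excerpts quoted on this page (not a real capture).
# The second amp_watchdog.txt query deliberately has no response, to show how an unanswered query is flagged.
SAMPLE_AMP_LOG = """\
Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud is reachable.
Mon Jan 26 10:19:22 2015 Info: amp File reputation service initialized successfully
Mon Jan 26 10:20:24 2015 Info: amp File reputation query initiating. File Name = 'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1
Mon Jan 26 10:30:24 2015 Info: amp File reputation query initiating. File Name = 'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:33:01 2015 Info: File reputation query initiating. File Name = 'securedoc_20150112T114401.html', MID = 703, File Size = 108769 bytes, File Type = text/html
Mon Jan 26 10:33:02 2015 Info: Response received for file reputation query from Cloud. File Name = 'securedoc_20150112T114401.html', MID = 703, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = c1afd8efe4eeb4e04551a8a0f5533d80d4bec0205553465e997f9c672983346f, upload_action = 1
"""

# Older log lines carry an "amp " tag after the level, newer ones in this page's excerpts do not; accept both.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?:amp )?(?P<msg>.*)$")
STATE_RE = re.compile(r"File Reputation service in the cloud is (?P<un>un)?reachable")
QUERY_RE = re.compile(r"File reputation query initiating\. File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+)")
RESP_RE = re.compile(
    r"Response received for file reputation query from Cloud\. File Name = '(?P<name>[^']*)', "
    r"MID = (?P<mid>\d+), Disposition = (?P<disposition>[^,]+), Malware = (?P<malware>[^,]+), "
    r"Reputation Score = (?P<score>-?\d+), sha256 = (?P<sha256>[0-9a-fA-F]{64})")
WATCHDOG_PERIOD_S = 600  # amp_watchdog.txt is queried every 10 minutes (from this page)


def parse_lines(text: str) -> List[Tuple[datetime, str, str]]:
    """Split AMP log text into (timestamp, level, message); lines that do not match are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["level"], m["msg"]))
    return entries


def reachability(entries) -> List[Tuple[datetime, str]]:
    """Return the reachability transitions as (timestamp, 'reachable'|'unreachable'), de-duplicated."""
    transitions = []
    for ts, _lvl, msg in entries:
        m = STATE_RE.search(msg)  # 'is unreachable' contains 'reachable', so the optional 'un' group decides
        if not m:
            continue
        state = "unreachable" if m["un"] else "reachable"
        if not transitions or transitions[-1][1] != state:
            transitions.append((ts, state))
    return transitions


def correlate_queries(entries) -> List[Dict]:
    """Pair each 'query initiating' line with its cloud response, keyed by (file name, MID)."""
    pending, results = {}, []
    for ts, _lvl, msg in entries:
        q = QUERY_RE.search(msg)
        if q:
            rec = {"file": q["name"], "mid": int(q["mid"]), "sent": ts, "response": None}
            pending[(rec["file"], rec["mid"])] = rec
            results.append(rec)
            continue
        r = RESP_RE.search(msg)
        if r:
            key = (r["name"], int(r["mid"]))
            rec = pending.pop(key, None)
            if rec is None:  # response whose query fell outside this log window (rotation, truncation)
                rec = {"file": key[0], "mid": key[1], "sent": None, "response": None}
                results.append(rec)
            rec["response"] = {
                "at": ts, "disposition": r["disposition"], "malware": r["malware"],
                "score": int(r["score"]), "sha256": r["sha256"].lower(),
                "latency_s": (ts - rec["sent"]).total_seconds() if rec["sent"] else None,
            }
    return results


def summarize(text: str) -> Dict:
    """One-shot health summary of an AMP log excerpt: state, transitions, queries, unanswered, watchdog gaps."""
    entries = parse_lines(text)
    transitions = reachability(entries)
    queries = correlate_queries(entries)
    watchdog_sent = [q["sent"] for q in queries if q["file"] == "amp_watchdog.txt" and q["sent"]]
    gaps = [(b - a).total_seconds() for a, b in zip(watchdog_sent, watchdog_sent[1:])]
    return {
        "last_state": transitions[-1][1] if transitions else None,
        "transitions": transitions,
        "queries": queries,
        "unanswered": [(q["file"], q["mid"]) for q in queries if q["response"] is None],
        "watchdog_gaps_s": gaps,
        # 1.5x the period as a stall threshold is an assumption for this example, not an AMP setting
        "watchdog_stalled": any(g > WATCHDOG_PERIOD_S * 1.5 for g in gaps),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AMP_LOG
    s = summarize(text)
    print("reputation service state:", s["last_state"])
    for ts, state in s["transitions"]:
        print(f"  {ts:%Y-%m-%d %H:%M:%S}  {state}")
    for q in s["queries"]:
        r = q["response"]
        lat = f"{r['latency_s']:.0f}s" if r and r["latency_s"] is not None else "n/a"
        verdict = f"{r['disposition']} (score {r['score']}, {lat})" if r else "NO RESPONSE"
        print(f"  MID {q['mid']:>6} {q['file']:<35} {verdict}")
    if s["unanswered"]:
        print("unanswered queries:", s["unanswered"])
    if s["watchdog_stalled"]:
        print("watchdog gaps exceed the 10-minute period:", s["watchdog_gaps_s"])
```

Save the output of tail amp to a file and pass its path as the first argument; with no argument the script runs on the embedded sample. An "unreachable" last state, any unanswered query, or a watchdog gap well beyond 10 minutes points back to the connectivity checks that follow.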
Check the firewall and network settings to make sure outbound communication is open for the following:
Port | Protocol | In/Out | Hostname | Description
443 | TCP | Outbound | As configured in Security Services > File Reputation and Analysis, Advanced section. | Access to cloud services for file analysis.
32137 | TCP | Outbound | As configured in Security Services > File Reputation and Analysis, Advanced section, Cloud Server Pool parameter. | Access to cloud services for file reputation.
With the Use SSL option enabled as described above, file reputation traffic also goes over TCP 443, so the 32137 rule is only needed while SSL is disabled for file reputation.
You can test basic connectivity from the ESA to the cloud services over port 443 with telnet, to confirm that the appliance can reach the AMP file reputation and file analysis services. A successful connect only proves that the port is open; an intercepting proxy accepts the TCP connection just as the real server does, so a clean telnet does not rule out a certificate problem on the path.
Note: The file reputation and file analysis addresses are configured on the CLI with ampconfig > advanced, or in the GUI under Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down).
Note: If a tunnel proxy is used between the ESA and the file reputation server, you may need to enable the Relax Certificate Validation for Tunnel Proxy option. This option skips standard certificate validation when the tunnel proxy server's certificate is not signed by a root authority trusted by the ESA; select it, for example, when a trusted internal tunnel proxy server uses a self-signed certificate. Because it disables validation for whatever answers on that path, enable it only for a proxy you control.
File reputation example:
10.0.0-125.local> telnet cloud-sa.amp.sourcefire.com 443
Trying 23.21.199.158...
Connected to ec2-23-21-199-158.compute-1.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
File analysis example:
10.0.0-125.local> telnet panacea.threatgrid.com 443
Trying 69.55.5.244...
Connected to 69.55.5.244.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
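Telnet only shows that the port answers. The Python script below is an added example written for this page (not Cisco's code, and not something that runs on the ESA itself): from an admin host on the same egress path as the appliance, it TCP-connects to each endpoint from the firewall table above and, where the page expects TLS, completes a verified TLS handshake, so that a blocked port, an open port with no TLS behind it, and a server presenting a certificate the local trust store rejects (the decrypting-proxy case behind the Relax Certificate Validation note) are reported as three different verdicts. The endpoint list reuses the hostnames and ports from this page; the verdict names, the self_check() loopback harness and the timeout values are the author's assumptions.

```python
import socket
import ssl
import threading
from typing import Dict, List, Optional, Tuple

# Endpoints and ports taken from the firewall table and telnet examples on this page. The server actually
# configured under ampconfig > advanced is authoritative; substitute it if it differs.
DEFAULT_TARGETS: List[Tuple[str, int, bool]] = [
    ("cloud-sa.amp.cisco.com", 32137, False),  # file reputation, default port (Use SSL disabled)
    ("cloud-sa.amp.cisco.com", 443, True),     # file reputation with Use SSL enabled
    ("panacea.threatgrid.com", 443, True),     # file analysis
]


def probe(host: str, port: int, use_tls: bool = True, timeout: float = 5.0,
          cafile: Optional[str] = None) -> Dict:
    """TCP-connect to host:port and, if use_tls, complete a verified TLS handshake.

    The result separates 'port blocked' (tcp False) from 'port open but TLS fails' (tcp True, tls False),
    which is the distinction a plain telnet test cannot make.
    """
    result = {"host": host, "port": port, "tcp": False, "tls": None,
              "peer_cn": None, "cert_untrusted": False, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, or name resolution failed
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True
    if not use_tls:
        sock.close()
        return result
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain and the hostname by default
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = True
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            result["peer_cn"] = subject.get("commonName")
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached a server whose certificate the local trust store rejects: typical of a
        # decrypting proxy in the path (the case the Relax Certificate Validation note on this page covers).
        result["tls"], result["cert_untrusted"], result["error"] = False, True, f"tls: {exc}"
    except (ssl.SSLError, OSError) as exc:  # EOF, reset, or a non-TLS listener on the port
        result["tls"], result["error"] = False, f"tls: {exc}"
    finally:
        sock.close()  # no-op if wrap_socket already took ownership of the descriptor
    return result


def classify(r: Dict) -> str:
    """Map a probe result onto the troubleshooting branches used on this page (verdict names are ours)."""
    if not r["tcp"]:
        return "blocked"            # firewall or DNS: check the port table
    if r["tls"] is None:
        return "tcp-only"           # plain connect succeeded, equivalent to the telnet test
    if r["tls"]:
        return "ok"
    return "untrusted-cert" if r["cert_untrusted"] else "no-tls"  # proxy in path or wrong endpoint


def check_all(targets=DEFAULT_TARGETS, **kw) -> List[Dict]:
    out = []
    for host, port, use_tls in targets:
        r = probe(host, port, use_tls, **kw)
        r["verdict"] = classify(r)
        out.append(r)
    return out


# --- offline self-check helpers (loopback only, no Internet needed) ---
def _listener_that_hangs_up() -> int:
    """Local port that accepts one connection and closes it: open, but speaks no TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port() -> int:
    """Bind and release an ephemeral port so that a connect to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_check() -> Dict[str, Dict]:
    """Exercise the three outcomes a practitioner must tell apart, entirely on loopback."""
    res = {
        "tcp_only": probe("127.0.0.1", _listener_that_hangs_up(), use_tls=False, timeout=2),
        "no_tls": probe("127.0.0.1", _listener_that_hangs_up(), use_tls=True, timeout=2),
        "refused": probe("127.0.0.1", _closed_port(), use_tls=False, timeout=2),
    }
    for r in res.values():
        r["verdict"] = classify(r)
    return res


if __name__ == "__main__":
    for r in check_all():
        print(f"{r['host']}:{r['port']:<6} tcp={r['tcp']!s:<5} tls={r['tls']!s:<5} "
              f"{r['verdict']:<14} {r['peer_cn'] or ''} {r['error'] or ''}")
```

Run it from a host that egresses through the same firewall and proxy as the ESA. A "blocked" verdict on 32137 with "ok" on 443 is the situation the Use SSL option exists for; "untrusted-cert" on 443 means something on the path is terminating TLS, which is the case to resolve before re-registering the appliance.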
If the ESA can telnet to the file reputation server and there is no upstream proxy decrypting the connection, the appliance may need to be re-registered with Threat Grid. On the ESA CLI there is a hidden command, ampregister, entered at the diagnostic prompt:
10.0.0-125.local> diagnostic
Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> ampregister
AMP registration initiated.
AsyncOS 15.x or later
Make sure the correct file reputation server is selected. This can also be done in the GUI by navigating to Security Services > File Reputation and Analysis > Edit Global Settings > Advanced Settings for File Reputation > File Reputation Server.
Note: For the hostnames and ports to open on the firewall, see the Firewall Information section of the user guide.
(Cluster example.com)> ampconfig
File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
- CLUSTERSET - Set how advanced malware protection is configured in a cluster.
- CLUSTERSHOW - Display how advanced malware protection is configured in a cluster.
[]> advanced
Enter cloud query timeout?
[20]>
Choose a file reputation server:
1. US Cloud
2. EU Cloud
3. APJC Cloud
4. Private reputation cloud
[1]>
Do you want use the recommended analysis threshold from cloud service? [Y]>
Enter heartbeat interval?
[15]>
Proxy server detail:
Server :
Port :
User :
Passphrase:
Do you want to change proxy detail [N]>
Do you want to suppress the verdict update alerts for all messages that are not delivered to the recipient? [Y]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. AUSTRALIA (https://panacea.threatgrid.com.au)
3. CANADA (https://panacea.threatgrid.ca)
4. EUROPE (https://panacea.threatgrid.eu)
5. Private analysis cloud
[1]>
Use Existing File Reputation Proxy? [N]>
Proxy server detail:
Server :
Port :
User :
Password :
Do you want to change proxy detail [N]>
File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet