This document describes how to configure the Cisco Email Security Appliance (ESA) to communicate with Advanced Malware Protection (AMP) using a static host or an alternate reputation cloud server pool for file reputation.
File reputation queries are the first of the two layers of AMP on the ESA. File reputation captures a fingerprint of each file as it traverses the ESA and sends it to AMP's cloud-based intelligence network for a reputation verdict. Based on these results, the ESA administrator can automatically block malicious files and apply administrator-defined policies. The file reputation cloud service is hosted on Amazon Web Services (AWS). When you perform a DNS query for the hostnames described in this document, you will see ".amazonaws.com" listed.
The second layer of AMP on the ESA is File Analysis. It is not covered in this document.
By default, SSL communication for file reputation traffic uses port 32137. Port 443 can be used as an alternate port when the service is configured. For details, see the "File Reputation Filtering and File Analysis" section of the ESA User Guide. ESA and network administrators may want to verify the IP addresses, IP locations, and port communication (32137 vs. 443) to the pool before proceeding with the configuration.
Once file reputation is licensed, enabled, and configured on the ESA, file reputation is set by default to this reputation cloud server pool:
The hostname "cloud-sa.amp.sourcefire.com" is a DNS Canonical Name record (CNAME). A CNAME is a type of resource record in DNS that specifies that a domain name is an alias for another domain (the "canonical" domain). The associated hostnames in the pool bound to this CNAME may look similar to:
Two other file reputation server options are also available:
Both of these servers are described in the "Static File Reputation Server Hostnames (.cisco.com)" section of this document.
You can verify the hosts associated with the AMERICAS cloud-sa.amp.sourcefire.com CNAME from your network at any time by running the following dig or nslookup query:
╰─$ dig cloud-sa.amp.sourcefire.com +short
cloud-sa-589592150.us-east-1.elb.amazonaws.com.
107.22.180.78
54.225.208.214
23.21.208.4
54.83.195.228
╰─$ nslookup cloud-sa.amp.sourcefire.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
cloud-sa.amp.sourcefire.com canonical name = cloud-sa-589592150.us-east-1.elb.amazonaws.com.
Name: cloud-sa-589592150.us-east-1.elb.amazonaws.com
Address: 54.225.208.214
Name: cloud-sa-589592150.us-east-1.elb.amazonaws.com
Address: 54.83.195.228
Name: cloud-sa-589592150.us-east-1.elb.amazonaws.com
Address: 107.22.180.78
Name: cloud-sa-589592150.us-east-1.elb.amazonaws.com
Address: 23.21.208.4
Note: These hosts are not static, and it is not recommended to restrict ESA file reputation traffic to only these hosts. Query results may vary, as hosts in the pool will change without notice.
You can verify IP geolocation through the following third-party tools:
Starting in 2016, Cisco provides ".cisco.com"-based hostnames for AMP's file reputation service. The static hostnames and IP addresses available for file reputation can be found at the following URL:
You can verify the hosts and associated IP addresses from your network by running a dig or nslookup query:
North America (United States):
╰─$ dig cloud-sa.amp.cisco.com +short
52.21.117.50
Europe (Republic of Ireland):
╰─$ nslookup cloud-sa.eu.amp.cisco.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: cloud-sa.eu.amp.cisco.com
Address: 52.30.124.82
Asia Pacific (Japan):
╰─$ dig cloud-sa.apjc.amp.cisco.com +short
52.69.39.127
You can verify IP geolocation through the following third-party tools:
Currently, there are no plans to retire the ".sourcefire.com" hostnames.
For European Union (EU)-based customers who need to send specific traffic only to EU-based servers and data centers, administrators can configure the ESA to point to the EU static host or the EU reputation cloud server pool:
Like the default hostname "cloud-sa.amp.sourcefire.com", the hostname "cloud-sa.eu.amp.sourcefire.com" is also a CNAME. The associated hostnames in the pool bound to this CNAME may look similar to:
You can verify the hosts associated with the EUROPEAN cloud-sa.eu.amp.sourcefire.com CNAME from your network by running a dig or nslookup query:
╰─$ dig cloud-sa.eu.amp.sourcefire.com +short
cloud-sa-162723281.eu-west-1.elb.amazonaws.com.
54.217.245.97
54.247.186.153
176.34.122.245
╰─$ nslookup cloud-sa.eu.amp.sourcefire.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
cloud-sa.eu.amp.sourcefire.com canonical name = cloud-sa-162723281.eu-west-1.elb.amazonaws.com.
Name: cloud-sa-162723281.eu-west-1.elb.amazonaws.com
Address: 54.247.182.97
Name: cloud-sa-162723281.eu-west-1.elb.amazonaws.com
Address: 176.34.122.245
Name: cloud-sa-162723281.eu-west-1.elb.amazonaws.com
Address: 54.247.186.153
Note: These hosts are not static, and it is not recommended to restrict ESA file reputation traffic based only on these hosts. Query results may vary, as hosts in the pool will change without notice.
You can verify IP geolocation through the following third-party tools:
File reputation can be configured in the ESA GUI or CLI. The configuration steps listed in this document demonstrate the CLI configuration. However, the same steps and information can be applied through the GUI (Security Services > File Reputation and Analysis > Edit Global Settings... > Advanced Settings for File Reputation).
New functionality in AsyncOS 10.x allows the ESA to be configured to use either a private reputation cloud (an on-premises file reputation server) or a cloud-based file reputation server. With this change, the AMP configuration no longer prompts for the hostname with an "Enter reputation cloud server pool" step. You must instead select the alternate file reputation server as a private reputation cloud and provide the public key for that hostname.
For 10.0.x and later, when configuring an alternate AMP reputation server, you may be required to enter the public key associated with that hostname.
All AMP reputation servers use the same public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEchIap1VqPuGibM2n3wjfhqQZdzC9
WI1Z7QZ2Q7VesLe+A53TxYujeo7fCDKJEQKrPjU6kI36PSZusObr9Cur/g==
-----END PUBLIC KEY-----
This example walks through setting the alternate file reputation server to cloud-sa.eu.amp.sourcefire.com:
my11esa.local > ampconfig
NOTICE: This configuration command has not yet been configured for the current cluster mode (Machine 122.local).
What would you like to do?
1. Switch modes to edit at mode "Cluster Test_cluster".
2. Start a new, empty configuration at the current mode (Machine 122.local).
3. Copy settings from another cluster mode to the current mode (Machine 122.local).
[1]>
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
Adobe Portable Document Format (PDF)
Microsoft Office 2007+ (Open XML)
Microsoft Office 97-2004 (OLE)
Microsoft Windows / DOS Executable
Other potentially malicious file types
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
- CLUSTERSET - Set how advanced malware protection is configured in a cluster.
- CLUSTERSHOW - Display how advanced malware protection is configured in a cluster.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.sourcefire.com)
2. Private reputation cloud
[2]>
Enter AMP reputation server hostname or IP address?
[]> cloud-sa.eu.amp.sourcefire.com
Do you want to input new public key? [N]> y
Paste the public key followed by a . on a new line
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEchIap1VqPuGibM2n3wjfhqQZdzC9
WI1Z7QZ2Q7VesLe+A53TxYujeo7fCDKJEQKrPjU6kI36PSZusObr9Cur/g==
-----END PUBLIC KEY-----
.
Enter cloud domain?
[a.immunet.com]>
Do you want use the recommended reputation threshold from cloud service? [Y]>
Enter heartbeat interval?
[15]>
Do you want to enable SSL communication (port 443) for file reputation? [Y]>
Please make sure you have added the Amp onprem reputation server CA certificate in certconfig->CERTAUTHOROTIES->CUSTOM
Proxy server detail:
Server :
Port :
User :
Do you want to change proxy detail [N]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. Private analysis cloud
[1]>
Commit all configuration changes.
The following example, on AsyncOS 9.7.2-065 for Email Security, walks through updating the alternate reputation cloud server pool to cloud-sa.eu.amp.sourcefire.com:
my97esa.local> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
Adobe Portable Document Format (PDF)
Microsoft Office 2007+ (Open XML)
Microsoft Office 97-2004 (OLE)
Microsoft Windows / DOS Executable
Other potentially malicious file types
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]>
Enter cloud domain?
[a.immunet.com]>
Enter reputation cloud server pool?
[cloud-sa.amp.sourcefire.com]> cloud-sa.eu.amp.sourcefire.com
Do you want use the recommended reputation threshold from cloud service? [Y]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. Private Cloud
[1]>
Enter heartbeat interval?
[15]>
Do you want to enable SSL communication (port 443) for file reputation? [Y]>
Proxy server detail:
Server :
Port :
User :
Do you want to change proxy detail [N]>
Commit all configuration changes.
Use of an on-premises file reputation server (also known as a FireAMP Private Cloud) is available starting with AsyncOS 10.x for Email Security.
If you have deployed a Cisco AMP Virtual Private Cloud appliance in your network, you can now query the file reputation of message attachments without sending them to the public reputation cloud. To configure the appliance to use an on-premises file reputation server, see the "File Reputation Filtering and File Analysis" chapter in the ESA User Guide or online help.
Use this section to confirm that your configuration works properly.
To see file reputation traffic passing to the configured static host or reputation cloud server pool, run a packet capture from the ESA with a filter specified to capture port 32137 or port 443 traffic.
For this example, the cloud-sa.eu.amp.sourcefire.com cloud server pool is used with SSL communication over port 443...
This is logged on the ESA in the AMP logs:
Sun Mar 26 21:17:45 2017 Info: File reputation query initiating. File Name = 'contract_604418.doc', MID = 463, File Size = 139816 bytes, File Type = application/msword
Sun Mar 26 21:17:46 2017 Info: Response received for file reputation query from Cloud. File Name = 'contract_604418.doc', MID = 463, Disposition = MALICIOUS, Malware = W32.8A78D308C9-95.SBX.TG, Reputation Score = 99, sha256 = 8a78d308c96ff5c7158ea1d6ca25f3546fae8515d305cd699eab2d2ef3c08745, upload_action = 2
A packet capture run on the ESA captures this session:
1060 28.504624 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 74 51391 → 443 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=198653388 TSecr=0
1072 28.594265 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 74 443 → 51391 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1380 SACK_PERM=1 TSval=142397924 TSecr=198653388 WS=256
1073 28.594289 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=1 Ack=1 Win=16384 Len=0 TSval=198653478 TSecr=142397924
1074 28.595264 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com SSL 502 Client Hello
1085 28.685554 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 66 443 → 51391 [ACK] Seq=1 Ack=437 Win=30208 Len=0 TSval=142397947 TSecr=198653478
1086 28.687344 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TLSv1 1434 Server Hello
1087 28.687378 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=437 Ack=1369 Win=15040 Len=0 TSval=198653568 TSecr=142397947
1088 28.687381 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 146 [TCP segment of a reassembled PDU]
1089 28.687400 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=437 Ack=1449 Win=14912 Len=0 TSval=198653568 TSecr=142397947
1090 28.687461 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 1434 [TCP segment of a reassembled PDU]
1091 28.687475 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=437 Ack=2817 Win=13568 Len=0 TSval=198653568 TSecr=142397947
1092 28.687479 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 1346 [TCP segment of a reassembled PDU]
1093 28.687491 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=437 Ack=4097 Win=12288 Len=0 TSval=198653568 TSecr=142397947
1094 28.687614 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 [TCP Window Update] 51391 → 443 [ACK] Seq=437 Ack=4097 Win=16384 Len=0 TSval=198653568 TSecr=142397947
1096 28.711945 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TLSv1 1120 Certificate
1097 28.711973 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=437 Ack=5151 Win=15360 Len=0 TSval=198653594 TSecr=142397953
1098 28.753074 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TLSv1 392 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1099 28.855886 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TLSv1 348 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
1100 28.855934 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=763 Ack=5433 Win=16128 Len=0 TSval=198653740 TSecr=142397989
1101 28.856555 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TLSv1 252 Application Data, Application Data
1104 28.952344 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TLSv1 252 Application Data, Application Data
1105 28.952419 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=949 Ack=5619 Win=16192 Len=0 TSval=198653837 TSecr=142398013
1106 28.958953 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TLSv1 300 Application Data, Application Data
1107 29.070057 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TLSv1 268 Application Data, Application Data
1108 29.070117 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=1183 Ack=5821 Win=16192 Len=0 TSval=198653951 TSecr=142398043
1279 59.971986 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TLSv1 103 Encrypted Alert
1280 59.972030 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=1183 Ack=5858 Win=16320 Len=0 TSval=198684848 TSecr=142405768
1281 59.972034 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 66 443 → 51391 [FIN, ACK] Seq=5858 Ack=1183 Win=33280 Len=0 TSval=142405768 TSecr=198653951
1282 59.972044 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [ACK] Seq=1183 Ack=5859 Win=16320 Len=0 TSval=198684848 TSecr=142405768
1283 59.972392 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TLSv1 103 Encrypted Alert
1284 59.972528 my11esa.local -> ec2-176-34-122-245.eu-west-1.compute.amazonaws.com TCP 66 51391 → 443 [FIN, ACK] Seq=1220 Ack=5859 Win=16384 Len=0 TSval=198684848 TSecr=142405768
1285 60.062083 ec2-176-34-122-245.eu-west-1.compute.amazonaws.com -> my11esa.local TCP 66 443 → 51391 [ACK] Seq=5859 Ack=1221 Win=33280 Len=0 TSval=142405791 TSecr=198684848
You can see the traffic communicating over port 443. From our ESA (my11esa.local), it communicates with the hostname ec2-176-34-122-245.eu-west-1.compute.amazonaws.com. This hostname is associated with the IP address 176.34.122.245:
╰─$ dig ec2-176-34-122-245.eu-west-1.compute.amazonaws.com +short
176.34.122.245
The IP address 176.34.122.245 is part of cloud-sa.eu.amp.sourcefire.com:
╰─$ dig cloud-sa.eu.amp.sourcefire.com +short
cloud-sa-162723281.eu-west-1.elb.amazonaws.com.
54.217.245.200
54.247.186.153
176.34.122.245
In this example, the configured reputation cloud server pool cloud-sa.eu.amp.sourcefire.com is targeted and accepts the communication.
This section provides information you can use to troubleshoot your configuration.
To verify port-level connectivity to the file reputation cloud, use the hostname of the configured reputation cloud server pool and test port 32137 or port 443 (depending on the configuration) with telnet.
my97esa.local> telnet cloud-sa.amp.sourcefire.com 443
Trying 23.21.208.4...
Connected to ec2-23-21-208-4.compute-1.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
Verifying connectivity to the EU, successful over port 443:
my97esa.local> telnet cloud-sa.eu.amp.sourcefire.com 443
Trying 176.34.113.72...
Connected to ec2-176-34-113-72.eu-west-1.compute.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
Verifying connectivity to the EU, unable to connect over port 32137:
my97esa.local> telnet cloud-sa.eu.amp.sourcefire.com 32137
Trying 176.34.113.72...
telnet: connect to address 176.34.113.72: Operation timed out
telnet: Unable to connect to remote host
Using the same telnet test method, you can telnet to the direct IPs or hostnames behind the reputation cloud server pool's CNAME on port 32137 or port 443. If you cannot successfully telnet to the hostname and port, you may need to check network connectivity and firewall settings external to the ESA.
Verifying a successful telnet to an on-premises file reputation server follows the same process as shown.
When entering the public key on an ESA running AsyncOS 10.x or later, make sure the public key is pasted or loaded successfully. Any error in the public key will be shown in the configuration output:
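As an added example (not from the original document), the following Python script automates the telnet checks above and goes one step further: it resolves every IP currently behind the pool CNAME and attempts a TCP connect on both 32137 and 443 to each member, so a firewall that passes one port but not the other shows up per host. The pool hostname and 5-second timeout are assumptions; the resolver and connector parameters exist only so the logic can be exercised without network access.

```python
import socket

# Ports the ESA can use for file reputation SSL traffic (32137 default, 443 alternate).
FILE_REPUTATION_PORTS = (32137, 443)

def resolve_pool(hostname, resolver=socket.getaddrinfo):
    """Return the de-duplicated IPv4 addresses currently behind the pool CNAME."""
    infos = resolver(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe_port(ip, port, timeout=5.0, connector=socket.create_connection):
    """TCP connect to ip:port, the same check the telnet test makes; True on success."""
    try:
        with connector((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False

def check_pool(hostname, ports=FILE_REPUTATION_PORTS, timeout=5.0,
               resolver=socket.getaddrinfo, connector=socket.create_connection):
    """Probe every current pool member on every port: {ip: {port: reachable}}."""
    return {ip: {port: probe_port(ip, port, timeout, connector) for port in ports}
            for ip in resolve_pool(hostname, resolver)}

def usable_ports(results, ports=FILE_REPUTATION_PORTS):
    """Ports every resolved member accepted. The pool changes without notice,
    so only a port open on all members is safe to configure on the ESA."""
    return [p for p in ports if results and all(r[p] for r in results.values())]

if __name__ == "__main__":
    # Assumed target; substitute any pool hostname named in this document.
    pool = "cloud-sa.eu.amp.sourcefire.com"
    results = check_pool(pool)
    for ip, ports in results.items():
        print(ip, ", ".join(f"{p}: {'open' if ok else 'blocked'}" for p, ok in ports.items()))
    print("port(s) usable on every member:", usable_ports(results) or "none")
```

Because the pool membership rotates, re-run the check whenever the AMP logs or the regional-server warning suggest connectivity has changed.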
Do you want to input new public key? [N]> y
Paste the public key followed by a . on a new line
-----BEGIN PUBLIC KEY-----
MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEAIHPMkqCH057gxeQK6aUKqmpqk+1AW0u
vxOkpuI+gtfLICRijTx3Vh45
-----END PUBLIC KEY-----
.
Failed to save public key
If you receive an error, retry the configuration. For persistent errors, contact Cisco Support.
When you review the AMP logs on the ESA, make sure that the file reputation query shows its response as received "from Cloud":
Sun Mar 26 11:28:13 2017 Info: File reputation query initiating. File Name = 'billing_fax_271934.doc', MID = 458, File Size = 143872 bytes, File Type = application/msword
Sun Mar 26 11:28:14 2017 Info: Response received for file reputation query from Cloud. File Name = 'billing_fax_271934.doc', MID = 458, Disposition = MALICIOUS, Malware = W32.50944E2888-100.SBX.TG, Reputation Score = 0, sha256 = 50944e2888b551f41f3de2fc76b4b57cb3cd28e718c9265c43128568916fe70f, upload_action = 2
If you see this message instead, the query pulled its response from the local ESA cache rather than from the configured reputation cloud server pool:
Sun Mar 26 11:30:18 2017 Info: File reputation query initiating. File Name = 'billing_fax_271934.doc', MID = 459, File Size = 143872 bytes, File Type = application/msword
Sun Mar 26 11:30:18 2017 Info: Response received for file reputation query from Cache. File Name = 'billing_fax_271934.doc', MID = 459, Disposition = MALICIOUS, Malware = W32.50944E2888-100.SBX.TG, Reputation Score = 0, sha256 = 50944e2888b551f41f3de2fc76b4b57cb3cd28e718c9265c43128568916fe70f, upload_action = 2
ESA administrators may receive this notification. If received, re-run the configuration and verification procedures.
The warning message is:
amp The previously selected regional server cloud-sa.eu.amp.sourcefire.com is unavailable. Server cloud-sa.amp.sourcefire.com has been selected as default.
Version: 11.0.0-028
Serial Number: 1111CEE15FF3A9F9A1111-1AAA2CF4A1A1
Timestamp: 26 Mar 2017 11:09:29 -0400
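As an added example, not part of the original document, the following Python script checks an AMP log for the three conditions described in this troubleshooting section: responses served from Cache instead of Cloud, queries that never received a response, and the regional-server fallback warning (which silently moves EU-restricted traffic to the AMERICAS pool). The sample input is constructed from the log excerpts quoted above plus one made-up unanswered query; on a real appliance, pass the exported AMP log lines to analyze_amp_log instead.

```python
import re

# Line shapes taken from the AMP log excerpts in this document.
INIT_RE = re.compile(
    r"^(?P<ts>.+?) Info: File reputation query initiating\. File Name = '(?P<name>[^']*)', "
    r"MID = (?P<mid>\d+), File Size = (?P<size>\d+) bytes, File Type = (?P<ftype>\S+)$")
RESP_RE = re.compile(
    r"^(?P<ts>.+?) Info: Response received for file reputation query from (?P<source>Cloud|Cache)\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disp>\w+), "
    r"Malware = (?P<malware>\S+), Reputation Score = (?P<score>\d+), sha256 = (?P<sha256>[0-9a-fA-F]+), "
    r"upload_action = (?P<upload>\d+)$")
# The alert text shown under "The warning message is:" above.
FALLBACK_RE = re.compile(
    r"The previously selected regional server (?P<regional>\S+) is unavailable\. "
    r"Server (?P<fallback>\S+) has been selected as default\.")
def analyze_amp_log(lines):
    """Correlate query/response pairs by MID; return (queries, summary)."""
    queries, fallbacks = {}, []
    for line in lines:
        if m := INIT_RE.match(line):
            queries[int(m["mid"])] = {"file": m["name"], "size": int(m["size"]), "source": None}
        elif m := RESP_RE.match(line):
            q = queries.setdefault(int(m["mid"]), {"file": m["name"], "size": None})
            q.update(source=m["source"], disposition=m["disp"], malware=m["malware"],
                     score=int(m["score"]), sha256=m["sha256"].lower())
        elif m := FALLBACK_RE.search(line):
            fallbacks.append((m["regional"], m["fallback"]))
    summary = {
        "from_cloud": sum(q["source"] == "Cloud" for q in queries.values()),
        "from_cache": sum(q["source"] == "Cache" for q in queries.values()),
        "unanswered": sorted(mid for mid, q in queries.items() if q["source"] is None),
        "malicious_sha256": sorted({q["sha256"] for q in queries.values()
                                    if q.get("disposition") == "MALICIOUS"}),
        "fallbacks": fallbacks,  # (regional pool that failed, pool now in use)
    }
    return queries, summary
# Constructed sample: the excerpts quoted above plus one made-up query (MID 460) with no response.
SAMPLE_LOG = [
    "Sun Mar 26 11:28:13 2017 Info: File reputation query initiating. File Name = 'billing_fax_271934.doc', MID = 458, File Size = 143872 bytes, File Type = application/msword",
    "Sun Mar 26 11:28:14 2017 Info: Response received for file reputation query from Cloud. File Name = 'billing_fax_271934.doc', MID = 458, Disposition = MALICIOUS, Malware = W32.50944E2888-100.SBX.TG, Reputation Score = 0, sha256 = 50944e2888b551f41f3de2fc76b4b57cb3cd28e718c9265c43128568916fe70f, upload_action = 2",
    "Sun Mar 26 11:30:18 2017 Info: File reputation query initiating. File Name = 'billing_fax_271934.doc', MID = 459, File Size = 143872 bytes, File Type = application/msword",
    "Sun Mar 26 11:30:18 2017 Info: Response received for file reputation query from Cache. File Name = 'billing_fax_271934.doc', MID = 459, Disposition = MALICIOUS, Malware = W32.50944E2888-100.SBX.TG, Reputation Score = 0, sha256 = 50944e2888b551f41f3de2fc76b4b57cb3cd28e718c9265c43128568916fe70f, upload_action = 2",
    "Sun Mar 26 11:31:02 2017 Info: File reputation query initiating. File Name = 'invoice.pdf', MID = 460, File Size = 40960 bytes, File Type = application/pdf",
    "amp The previously selected regional server cloud-sa.eu.amp.sourcefire.com is unavailable. Server cloud-sa.amp.sourcefire.com has been selected as default.",
]

if __name__ == "__main__":
    for key, value in analyze_amp_log(SAMPLE_LOG)[1].items():
        print(f"{key}: {value}")
```

A non-empty fallbacks list on an EU-restricted deployment means the appliance is no longer honouring the regional pool and the configuration and verification steps above should be repeated.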
Version | Publish Date | Comments
---|---|---
1.0 | 07-Apr-2017 | Initial Release