The Management Center Is Unable to Communicate with the Cloud
After deploying the file policy with the Block Malware rule action, you can attempt to download the same MSEXE file 7z1900.exe as you did previously. In this instance, the threat defense calculates the file’s SHA-256 hash and attempts to perform a cloud lookup for the hash value.
Figure 16-25 shows a file event (table view) for downloading the same 7z1900.exe file. Because the file policy enables malware analysis, the threat defense calculates the SHA-256 hash value. However, the cloud lookup process times out.
Figure 16-25 Malware Analysis Verdict—Cloud Lookup Timeout
Figure 16-26 shows the summary view of the file events. Due to the cloud lookup timeout, the malware disposition is listed as Unavailable.
Figure 16-26 The Malware Disposition Is Unavailable Due to a Cloud Lookup Timeout
Example 16-3 demonstrates that the threat defense is able to calculate the SHA-256 checksum locally. However, when it sends the calculated hash value for a lookup, the query times out (due to a communication failure to the Cisco cloud). This leads the management center to display the disposition as Unavailable.
Example 16-3 The Management Center Calculates the SHA-256 Hash Value but Is Unable to Complete a Lookup
> system support firewall-engine-debug
Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.100
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 new firewall session
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 using HW or preset rule order 2, 'Rule for Files', action Allow and prefilter rule 0
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 HitCount data sent for rule id: 268461056,
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 allow action
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 IP SI: HTTP HOST "http://192.168.1.200/files/7z1900.exe" has embedded IP
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File policy verdict is Type, Malware, and Capture
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File type verdict Unknown, fileAction Malware Lookup, flags 0x01B9DA00, and type action Stop for type 21 of instance 0
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature verdict Unknown and flags 0x01B9DA00 for partial file of instance 0
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80 ShmDBLookupFile returned 0
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature cache query returned Cache Miss for 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80 with disposition Cache Miss, spero Cache Miss, severity 0, and transmit Not Sent
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature reserved file data of 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80 with flags 0x01B9DA00 and status Exceeded Max Filesize
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature verdict Pending and flags 0x01B9DA00 for 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80 of instance 0
.
<Output omitted for brevity>
.
Caught interrupt signal
Exiting.
>
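Reading a firewall-engine-debug capture by eye is error-prone once more than one flow is being monitored. The following Python script is an added example, not code from the book or from Cisco: it hashes a local copy of the downloaded file in chunks (so the value can be compared with the SHA-256 the threat defense reports) and parses debug lines of the shape shown in Example 16-3 to pull out, per flow, the hash, the cache disposition, and the last "File signature verdict". The sample debug text is constructed from the lines above with their wraps joined; the rule that a verdict still Pending at the end of the capture means no cloud answer was recorded is a troubleshooting heuristic adopted here, not a documented device state.

```python
import hashlib
import re

# Constructed sample, built from the Example 16-3 lines with line wraps joined.
# It is not live device output.
SAMPLE_DEBUG = """\
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 new firewall session
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File policy verdict is Type, Malware, and Capture
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature verdict Unknown and flags 0x01B9DA00 for partial file of instance 0
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature cache query returned Cache Miss for 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80 with disposition Cache Miss, spero Cache Miss, severity 0, and transmit Not Sent
192.168.1.100-46598 > 192.168.1.200-80 6 AS 4-4 I 0 File signature verdict Pending and flags 0x01B9DA00 for 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80 of instance 0
"""

# "client-port > server-port" at the start of every debug line identifies the flow.
FLOW_RE = re.compile(r"^(\S+) > (\S+) ")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DISPOSITION_RE = re.compile(r"with disposition ([A-Za-z ]+?)(?:,|$)")
VERDICT_RE = re.compile(r"File signature verdict (\w+)")


def _sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a stream in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    """SHA-256 of a file on disk, e.g. the 7z1900.exe copy the client saved."""
    with open(path, "rb") as f:
        return _sha256_stream(f)


def sha256_of_bytes(data):
    """SHA-256 of an in-memory byte string (handy for tests and small samples)."""
    return hashlib.sha256(data).hexdigest()


def summarize_file_lookup(debug_text):
    """Per flow: the hash seen, the cache disposition, and the last signature verdict."""
    flows = {}
    for line in debug_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # prompt text, "Monitoring ..." banner, omitted-output markers
        key = f"{m.group(1)} > {m.group(2)}"
        entry = flows.setdefault(key, {"sha256": None, "disposition": None, "verdict": None})
        if (h := SHA256_RE.search(line)):
            entry["sha256"] = h.group(0)
        if (d := DISPOSITION_RE.search(line)):
            entry["disposition"] = d.group(1).strip()
        if (v := VERDICT_RE.search(line)):
            entry["verdict"] = v.group(1)  # later lines overwrite earlier ones
    return flows


def lookup_completed(entry):
    """Heuristic: a last verdict of Pending or Unknown means no cloud answer was recorded."""
    return entry["verdict"] not in (None, "Pending", "Unknown")


if __name__ == "__main__":
    for flow, entry in summarize_file_lookup(SAMPLE_DEBUG).items():
        state = "completed" if lookup_completed(entry) else "NOT completed"
        print(f"{flow}: sha256={entry['sha256']} disposition={entry['disposition']} "
              f"verdict={entry['verdict']} -> lookup {state}")
```

Run against the sample, the single flow reports the hash from the capture, a disposition of Cache Miss, and a final verdict of Pending, which is exactly the combination that ends up displayed as Unavailable in the management center. Comparing `sha256_of_file()` on the saved download with the reported hash confirms that the local calculation, not the lookup, is where the chain is healthy.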
To find the root cause of a lookup failure, you can analyze the syslog messages on the management center. To view the messages, you can use Linux commands, such as less, cat, or tail, as needed. Note that the timestamps of these messages use Coordinated Universal Time (UTC), so an event time noted in a local time zone must be converted before you search for the matching messages.
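Because the syslog timestamps are in UTC while the time of the failed download is usually noted in the analyst's local zone, the first step is converting that event time to a UTC window and keeping only the messages inside it. The Python below is an added example, not code from the book or from Cisco. The syslog lines are constructed with ISO 8601 UTC timestamps; the exact message format, process names and log path on a real management center are not taken from the page and may differ, so the timestamp pattern is the only part a reader should expect to adapt.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog-style lines with UTC timestamps (ISO 8601, trailing "Z").
# Message text and process name are placeholders, not management center output.
SAMPLE_SYSLOG = """\
2023-05-10T13:59:58Z mc example-daemon: earlier, unrelated message
2023-05-10T14:03:11Z mc example-daemon: constructed message during the download
2023-05-10T14:03:41Z mc example-daemon: constructed message at lookup timeout
2023-05-10T15:10:02Z mc example-daemon: later, unrelated message
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def parse_utc(ts):
    """Parse a 'YYYY-MM-DDTHH:MM:SS' string as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def event_window_utc(local_event_time, local_offset_hours, before_s=60, after_s=120):
    """Turn an event time noted in the analyst's local zone into a [start, end] UTC window.

    local_offset_hours is the analyst's offset from UTC (e.g. -4 for UTC-4); a fixed
    offset is used here so the example does not depend on a system tz database.
    """
    local_tz = timezone(timedelta(hours=local_offset_hours))
    event_utc = local_event_time.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return event_utc - timedelta(seconds=before_s), event_utc + timedelta(seconds=after_s)


def syslog_lines_in_window(text, start, end):
    """Return the syslog lines whose UTC timestamp falls inside [start, end]."""
    hits = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # continuation lines or unparseable entries are skipped
        if start <= parse_utc(m.group(1)) <= end:
            hits.append(line)
    return hits


if __name__ == "__main__":
    # The analyst saw the file event at 10:03:20 local time, in a UTC-4 zone.
    start, end = event_window_utc(datetime(2023, 5, 10, 10, 3, 20), -4)
    print(f"Searching UTC window {start.isoformat()} .. {end.isoformat()}")
    for line in syslog_lines_in_window(SAMPLE_SYSLOG, start, end):
        print(line)
```

The same window logic applies when you read the log with less or tail: convert the event time to UTC first, then search for that hour and minute, otherwise an analyst in a UTC-4 zone looking for "10:03" will scroll past the relevant 14:03 entries.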