Cisco Bug: CSCut50414 - Preclass does not print malware content message in amp heimdall logs

Last Modified

Nov 15, 2016

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

8.8.0-002

Description (partial)

Symptom:
Preclass does not print malware content message in amp heimdall logs

Conditions:
1. Netinstall WSA and perform SSW.
2. Configure M1 for management and data traffic.
3. Proxy in forward mode.
4. IPv4 source and destination.
5. Disable AV scanning engines (Sophos, McAfee and Webroot).
6. Enable Web Reputation Filtering, Adaptive Scanning, File Reputation Filtering and File Analysis.
7. Put the AMP log into debug mode from the UI and CLI:
   - System Administration > Log subscriptions > amp_logs > Log level > Trace
   - Change sdk_debug_level from Info to Debug in /data/db/config/fireamp.config/data.cfg
   - Restart the amp process:
     /data/release/coeus-<version X-X-X >/bin/heimdall_svc -r amp
     /data/release/coeus-<version X-X-X >/bin/heimdall_svc -r thirdparty
8. Go to Security services > Anti-Malware and Reputation Settings > Advanced Malware Protection Services > Enable File Analysis
   File Types:
   - Adobe Portable Document Format (PDF)
   - Microsoft Office 2007+ (Open XML)
   - Microsoft Office 97-2004 (OLE)
   - Microsoft Windows / DOS Executable
   All of the above should be selected (checked).
10. Test file to be downloaded using HTTP.