Cisco Content Security and Control SSM Administrator Guide, 6.1.1587.0 - Managing Updates and Log Queries [Cisco Security Modules for Security Appliances]

Table Of Contents

Managing Updates and Log Queries

Updating Components

Manual Update

Scheduled Update

Configuring Proxy Settings

Configuring System Log Message Settings

Viewing Log Data

Logging of Scanning Parameter Exceptions

Managing Updates and Log Queries

This chapter describes how to manage component updates, proxy and system log message settings, and log queries, and includes the following sections:

•Updating Components

•Configuring Proxy Settings

•Configuring System Log Message Settings

•Viewing Log Data

Updating Components

New viruses and other security risks are released on the global computing community via the Internet or other distribution means at various times. TrendLabs immediately analyzes a new threat, and takes appropriate steps to update the components required to detect the new threat, such as the virus pattern file. This quick response enables Trend Micro InterScan for Cisco CSC SSM to detect, for example, a new worm that was launched from the computer of a malicious hacker in Amsterdam at 3:00 A.M. in the morning.

It is critical that you keep your components up-to-date to ensure that a new threat does not penetrate your network. To accomplish this, you can:

•Perform a manual update of the components at any time, on demand.

•Set up an update schedule that automatically updates the components on a periodic basis.

The components managed, either manually or via a schedule, are the following:

•The virus pattern file

•The virus scan engine

•The spyware pattern file (also includes patterns for other types of grayware)

•The PhishTrap pattern file

•Anti-spam rules

•The anti-spam engine

The PhishTrap pattern file, anti-spam rules, and anti-spam engine are active and updated only if you have purchased the Plus License.

To find out whether you have the most current components installed, go to the Manual Update window and check the component status.

Note The CSC SSM software does not support rollback of these updates for either the scan engine or the pattern file.

Manual Update

To view component status or update components manually, perform these steps:

Step 1 Choose Updates > Manual.

The Manual Update window displays (shown in Figure 5-1).

Figure 5-1 Manual Update Window

To view the component status, check the Available column on the right side of the window. If a more current component is available, the component version displays in red.

Step 2 Click Update to download the latest pattern file version.

A progress message displays while the new pattern is downloading. When the update is complete, the Manual Update window refreshes, showing that the latest update has been applied.

See the online help for more information about this feature.

Scheduled Update

You can configure component updates to occur as frequently as every 15 minutes.

To schedule component updates, perform the following steps:

Step 1 Choose Updates > Scheduled to view the Scheduled Update window.

Step 2 Choose the components to be updated according to the update schedule.

Step 3 Make the desired schedule changes.

Step 4 Click Save to update the configuration.

See the online help for more information about this feature.

Configuring Proxy Settings

If you are using a proxy server to communicate with the Trend Micro ActiveUpdate server, you specified a proxy server IP and port during installation.

To configure proxy settings, perform the following steps:

Step 1 To view current proxy server settings on the Proxy Settings window (shown in Figure 5-2), choose Update > Proxy Settings.

Figure 5-2 Proxy Settings Window

Step 2 If you set up a proxy server during installation, the HTTP proxy protocol is configured by default. To change the proxy protocol to SOCKS4, click the SOCKS4 radio button.

Step 3 If needed, add an optional proxy authentication username and password in the User ID and Password fields.

Step 4 Click Save to update the configuration when you are finished.

See the online help for more information about this feature.

Configuring System Log Message Settings

After installation, log data such as virus and spyware or grayware detection is saved temporarily. To store log data, you must configure at least one syslog server. You may configure up to three syslog servers.

To configure system log messages, perform the following steps:

Step 1 Choose Logs > Settings to display the Log Settings window.

Step 2 Configure at least one syslog server. Check Enable, and then enter the syslog server IP address, port, and preferred protocol (either UDP or TCP).

See the online help for more information about this feature.

By default, detected security risks are logged. You can turn off logging for features you are not using. For example, you can turn off URL blocking or anti-phishing and URL filtering if you did not purchase the Plus License.

For information about choosing and viewing log data, see the "Viewing Log Data" section. System log messages are also viewable from the ASDM. For more information, see the ASDM online help.

Viewing Log Data

After you have installed and configured Trend Micro InterScan for Cisco CSC SSM, security risks are being detected and acted upon according to the settings you chose for each type of risk. These events are recorded in the logs. To conserve system resources, you can purge these logs periodically.

To view log data, perform the following steps:

Step 1 Choose Logs > Query to display the Log Query window.

Step 2 Specify the inquiry parameters and click Display Log to view the log.

See the online help for more information about this feature.

Figure 5-3 shows an example of the spyware and grayware log.

Figure 5-3 Spyware/Grayware Log

Logging of Scanning Parameter Exceptions

Exceptions to the following scanning parameters, which are specified on the Target tab, display in the Virus/Malware log.

For SMTP, POP3, HTTP and FTP, the exceptions are as follows:

•Compressed files that when decompressed, exceed the specified file count limit.

•Compressed files that when decompressed, exceed the specified file size limit.

•Compressed files that exceed the number of layers of compression limit.

•Compressed files that exceed the compression ratio limit (the size of the decompressed files is "x" times the size of the compressed file).

•Password-protected files (if configured for deletion).

For HTTP and FTP only, the exceptions are as follows:

•Files or downloads that are too large for scanning.

In place of the virus or malware name, these files are identified with messages similar to the following:
Decompressed_File_Size_Exceeded
Large_File_Scanning_Limit_Exceeded

	Cisco Content Security and Control SSM Administrator Guide, 6.1.1587.0
	Managing Updates and Log Queries
Cisco Content Security and Control SSM Administrator Guide, 6.1.1587.0 About This Guide Troubleshooting Trend Micro InterScan for Cisco CSC SSM Reimaging and Configuring the CSC SSM Using the CLI Using CSC SSM with Trend Micro Control Manager Glossary Index Introducing the CSC SSM Verifying Initial Setup Configuring SMTP and POP3 Mail Traffic Configuring Web (HTTP) and File Transfer (FTP) Traffic Managing Updates and Log Queries Administering Trend Micro InterScan for Cisco CSC SSM Monitoring Content Security	Download this chapter Managing Updates and Log Queries Download the complete book Cisco Content and Security SSM Administrator Guide (PDF - 3 MB) Feedback Table Of Contents Managing Updates and Log Queries Updating Components Manual Update Scheduled Update Configuring Proxy Settings Configuring System Log Message Settings Viewing Log Data Logging of Scanning Parameter Exceptions Managing Updates and Log Queries This chapter describes how to manage component updates, proxy and system log message settings, and log queries, and includes the following sections: •Updating Components •Configuring Proxy Settings •Configuring System Log Message Settings •Viewing Log Data Updating Components New viruses and other security risks are released on the global computing community via the Internet or other distribution means at various times. TrendLabs immediately analyzes a new threat, and takes appropriate steps to update the components required to detect the new threat, such as the virus pattern file. This quick response enables Trend Micro InterScan for Cisco CSC SSM to detect, for example, a new worm that was launched from the computer of a malicious hacker in Amsterdam at 3:00 A.M. in the morning. It is critical that you keep your components up-to-date to ensure that a new threat does not penetrate your network. To accomplish this, you can: •Perform a manual update of the components at any time, on demand. •Set up an update schedule that automatically updates the components on a periodic basis. The components managed, either manually or via a schedule, are the following: •The virus pattern file •The virus scan engine •The spyware pattern file (also includes patterns for other types of grayware) •The PhishTrap pattern file •Anti-spam rules •The anti-spam engine The PhishTrap pattern file, anti-spam rules, and anti-spam engine are active and updated only if you have purchased the Plus License. To find out whether you have the most current components installed, go to the Manual Update window and check the component status. Note The CSC SSM software does not support rollback of these updates for either the scan engine or the pattern file. Manual Update To view component status or update components manually, perform these steps: Step 1 Choose Updates > Manual. The Manual Update window displays (shown in Figure 5-1). Figure 5-1 Manual Update Window To view the component status, check the Available column on the right side of the window. If a more current component is available, the component version displays in red. Step 2 Click Update to download the latest pattern file version. A progress message displays while the new pattern is downloading. When the update is complete, the Manual Update window refreshes, showing that the latest update has been applied. See the online help for more information about this feature. Scheduled Update You can configure component updates to occur as frequently as every 15 minutes. To schedule component updates, perform the following steps: Step 1 Choose Updates > Scheduled to view the Scheduled Update window. Step 2 Choose the components to be updated according to the update schedule. Step 3 Make the desired schedule changes. Step 4 Click Save to update the configuration. See the online help for more information about this feature. Configuring Proxy Settings If you are using a proxy server to communicate with the Trend Micro ActiveUpdate server, you specified a proxy server IP and port during installation. To configure proxy settings, perform the following steps: Step 1 To view current proxy server settings on the Proxy Settings window (shown in Figure 5-2), choose Update > Proxy Settings. Figure 5-2 Proxy Settings Window Step 2 If you set up a proxy server during installation, the HTTP proxy protocol is configured by default. To change the proxy protocol to SOCKS4, click the SOCKS4 radio button. Step 3 If needed, add an optional proxy authentication username and password in the User ID and Password fields. Step 4 Click Save to update the configuration when you are finished. See the online help for more information about this feature. Configuring System Log Message Settings After installation, log data such as virus and spyware or grayware detection is saved temporarily. To store log data, you must configure at least one syslog server. You may configure up to three syslog servers. To configure system log messages, perform the following steps: Step 1 Choose Logs > Settings to display the Log Settings window. Step 2 Configure at least one syslog server. Check Enable, and then enter the syslog server IP address, port, and preferred protocol (either UDP or TCP). See the online help for more information about this feature. By default, detected security risks are logged. You can turn off logging for features you are not using. For example, you can turn off URL blocking or anti-phishing and URL filtering if you did not purchase the Plus License. For information about choosing and viewing log data, see the "Viewing Log Data" section. System log messages are also viewable from the ASDM. For more information, see the ASDM online help. Viewing Log Data After you have installed and configured Trend Micro InterScan for Cisco CSC SSM, security risks are being detected and acted upon according to the settings you chose for each type of risk. These events are recorded in the logs. To conserve system resources, you can purge these logs periodically. To view log data, perform the following steps: Step 1 Choose Logs > Query to display the Log Query window. Step 2 Specify the inquiry parameters and click Display Log to view the log. See the online help for more information about this feature. Figure 5-3 shows an example of the spyware and grayware log. Figure 5-3 Spyware/Grayware Log Logging of Scanning Parameter Exceptions Exceptions to the following scanning parameters, which are specified on the Target tab, display in the Virus/Malware log. For SMTP, POP3, HTTP and FTP, the exceptions are as follows: •Compressed files that when decompressed, exceed the specified file count limit. •Compressed files that when decompressed, exceed the specified file size limit. •Compressed files that exceed the number of layers of compression limit. •Compressed files that exceed the compression ratio limit (the size of the decompressed files is "x" times the size of the compressed file). •Password-protected files (if configured for deletion). For HTTP and FTP only, the exceptions are as follows: •Files or downloads that are too large for scanning. In place of the virus or malware name, these files are identified with messages similar to the following: Decompressed_File_Size_Exceeded Large_File_Scanning_Limit_Exceeded
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks