Introduction
This document provides some scenarios that require a removal of database files in FireAMP for Endpoints and describes a proper procedure to remove them when necessary. The FireAMP for Endpoints maintains a record of its recent file detections and dispositions in database files. In certain cases, a Cisco Support Engineer might ask you to remove some of the database files in order to troubleshoot an issue.
Warning: You can remove a database file only if instructed by Cisco Technical Support.
Database Files for Cache and History
Purpose
The cache database files maintain the known dispositions for files. The history database files track all of the FireAMP file detections, along with source file names and SHA256 values.
When you add a block list to a policy and update the connector, the behavior for a given file does not change immediately. This is because the cache has already identified that the file is not malicious. As such, it will not be changed or overridden by your block list. The disposition changes when the cache is expired per the time in your policy and a new lookup is performed - first against your lists and subsequently against the cloud.
Reasons for Removal
If the history database and cache database files are removed from the directory, they are recreated fresh when the FireAMP service restarts. In certain cases it might be necessary to remove these files from the FireAMP directory, for example, when you want to test a simple custom detection or an application block list for a given file and the cached disposition would otherwise mask the result.
It is possible that a database could become corrupt, which renders you unable to open or view the detections in a database. Alternatively, if the database is corrupt on a system it can cause errors within the FireAMP Connector service such as the inability to start the connector or degradation of overall system performance. In these instances you might want to clear the history files from the connector so that you can avoid performance related issues from corruption and be able to capture new logs for diagnosis.
Identify the Database Files
On Microsoft Windows, these files are typically located at C:\Program Files\Sourcefire\fireAMP or C:\Program Files\Cisco\AMP.
The names of the cache database files are:
cache.db
cache.db-shm
cache.db-wal
The names of the history database files are:
history.db
historyex.db
historyex.db-shm
historyex.db-wal
This screenshot shows the files on Windows File Explorer:
Procedure to Remove Database Files
Step 1: Stop the FireAMP Connector Service
You can stop the FireAMP Connector service in various ways:
- User Interface (UI) of the FireAMP Connector service
- Windows Services console
- Administrator's command prompt
User Interface
Note: If you have connector protection enabled you must use the UI in order to stop the FireAMP Connector service.
- Open the UI from the tray and click Settings.
- Scroll to the bottom and expand FireAMP Connector Settings.
- In the Password field, enter the connector protection password. Click Stop Service.
Services Console
Note: In order to stop and start services in the Services console you need Administrator privileges.
In order to stop the FireAMP Connector service from the Services console, complete these steps:
- Navigate to the Start Menu.
- Enter services.msc and press Enter. The Services console opens.
- Select the FireAMP Connector service and right-click the service name.
- Choose Stop in order to stop the service.
Command Prompt
In order to stop the FireAMP Connector service from an administrator's command prompt, complete these steps:
- Navigate to the Start Menu.
- Enter cmd.exe and press Enter. A command prompt window opens.
- Enter the net stop immunetprotect command. If you have version 5.0.1 or later, enter the wmic service where "name like 'immunetprotect%'" call stopservice command instead.
This screenshot shows an example of the service stopped successfully:
Step 2: Delete the Required Database Files
Cache Database Files
Warning: If you do not delete all of the related cache database files, it can create caching issues with the recreated database. As such, the service might fail to start or you might experience degraded performance from the service.
Once the service is stopped, you can delete these three cache files:
cache.db
cache.db-shm
cache.db-wal
History Database Files
Warning: If you do not delete all of the related history database files, it can create caching issues with the recreated database. As such, the service might fail to start or you might experience degraded performance from the service.
Once the service is stopped, remove these four history database files:
history.db
historyex.db
historyex.db-shm
historyex.db-wal
Step 3: Start the FireAMP Connector Service
In order to start the FireAMP Connector service, complete these steps:
- Navigate to the Start Menu.
- Enter services.msc and press Enter. The Services console opens.
- Choose the FireAMP Connector service and right-click the service name.
- Choose Start in order to start the service.
Alternatively, on the Administrator's command prompt you can enter the net start immunetprotect command. If you have version 5.0.1 or later, enter the wmic service where "name like 'immunetprotect%'" call startservice command instead.
This screenshot shows an example of the service started successfully:
After you restart the services a new set of database files is created. This should now provide you with a fresh instance of the FireAMP Connector with current white lists, block lists, exclusions, and so on.
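The three steps above, carried out as one script from an elevated PowerShell prompt. This is an added example and is not a Cisco-provided script: the service name immunetprotect, the two install directories and the file names are taken from this document, while the -DeleteHistory switch, the -WhatIf support and the 60-second wait are this script's own choices. Stop-Service and Start-Service stand in for the net and wmic commands shown above; if connector protection is enabled, the stop will be refused and you must stop the service from the connector UI as described in Step 1.

```powershell
# Added example (not Cisco's own script): stop the FireAMP Connector service,
# remove the cache (and optionally history) database files, then start it again.
# Run from an elevated PowerShell prompt. Use -WhatIf to see what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DeleteHistory   # also remove history.db and historyex.db*
)

$ServiceName  = 'immunetprotect'                                     # from the document
$CacheFiles   = 'cache.db', 'cache.db-shm', 'cache.db-wal'           # from the document
$HistoryFiles = 'history.db', 'historyex.db', 'historyex.db-shm', 'historyex.db-wal'

# Locate the install directory: either of the two paths named in the document.
$InstallDir = @('C:\Program Files\Cisco\AMP', 'C:\Program Files\Sourcefire\fireAMP') |
    Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $InstallDir) { throw 'FireAMP install directory not found.' }

# Step 1: stop the service and wait until it actually reports Stopped.
# Deleting the files while the service still holds them open is not the documented procedure.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -ErrorAction Stop
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Step 2: delete every file of a set together. Leaving part of a set behind
# (for example cache.db without cache.db-wal) is exactly what the warnings describe.
$targets = $CacheFiles
if ($DeleteHistory) { $targets += $HistoryFiles }
foreach ($name in $targets) {
    $path = Join-Path -Path $InstallDir -ChildPath $name
    if (Test-Path -Path $path) {
        if ($PSCmdlet.ShouldProcess($path, 'Remove')) {
            Remove-Item -Path $path -Force
        }
    } else {
        # The -shm and -wal companions are not always present; that is not an error.
        Write-Verbose "$name not present in $InstallDir"
    }
}

# Step 3: start the service and confirm it came back before reporting success.
Start-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Get-Service -Name $ServiceName | Select-Object -Property Name, Status
```

Run it once with -WhatIf to confirm the directory and file list it resolved, then again without it; add -DeleteHistory only when Cisco Support has asked for the history files as well, since that removes the detection record the document describes.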