Introduction
This document describes an alert attributed to a Cisco Email Security Appliance (ESA) with Advanced Malware Protection (AMP) enabled, where the service cannot communicate for file reputation over port 32137 or port 443.
AMP receives the "The File Reputation service is not reachable" error
AMP was introduced on the ESA in AsyncOS 8.5.5 for Email Security. After AMP is licensed and enabled on the ESA, the administrator receives this message:
The Warning message is:
The File Reputation service is not reachable.
Last message occurred 2 times between Tue Sep 10 14:15:14 2024 and Tue Sep 10 14:16:23 2024.
Version: 15.5.1-055
Serial Number: 123A82F6780XXX9E1E10-XXX5DBEFCXXX
Timestamp: 10 Sep 2024 14:19:00 -0500
AsyncOS 14.x or earlier
The AMP service is enabled, but it may not be able to communicate over the network on port 32137 for file reputation.
In this case, the ESA administrator can choose to perform file reputation communication over port 443.
To do so, run ampconfig > advanced from the CLI and make sure that Y is entered at the prompt "Do you want to enable SSL communication (port 443) for file reputation? [N]>":
(Cluster example.com)> ampconfig
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
- CLUSTERSET - Set how advanced malware protection is configured in a cluster.
- CLUSTERSHOW - Display how advanced malware protection is configured in a cluster.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.cisco.com)
2. AMERICAS(Legacy) (cloud-sa.amp.sourcefire.com)
3. EUROPE (cloud-sa.eu.amp.cisco.com)
4. APJC (cloud-sa.apjc.amp.cisco.com)
5. Private reputation cloud
[1]>
Do you want use the recommended analysis threshold from cloud service? [Y]>
Enter heartbeat interval?
[15]>
Do you want to enable SSL communication (port 443) for file reputation? [N]> Y
Proxy server detail:
Server :
Port :
User :
Do you want to change proxy detail [N]>
Do you want to suppress the verdict update alerts for all messages that are not delivered to the recipient? [N]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. EUROPE (https://panacea.threatgrid.eu)
3. Private analysis cloud
[1]>
If you use the GUI, select Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down) and make sure that the Use SSL check box is selected (as shown below):
Submit and commit all changes made to the configuration.
Finally, review the current AMP logs to see whether the service and connection succeed or fail. You can do this from the CLI with tail amp.
Before the change to ampconfig > advanced, you see this in the AMP logs:
Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:13:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
After the change to ampconfig > advanced, you see this in the AMP logs:
Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud is reachable.
Mon Jan 26 10:19:22 2015 Info: amp File reputation service initialized successfully
Mon Jan 26 10:19:22 2015 Info: amp File Analysis service initialized successfully
Mon Jan 26 10:19:23 2015 Info: amp The File Analysis server is reachable
Mon Jan 26 10:20:24 2015 Info: amp File reputation query initiating. File Name = 'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1
The amp_watchdog.txt file shown in the example above should run every 10 minutes and is tracked in the AMP logs. This file is part of the AMP keep-alive.
A regular query in the AMP logs for a message carrying a file type configured for file reputation and file analysis looks similar to this:
Wed Jan 14 15:33:01 2015 Info: File reputation query initiating. File Name = 'securedoc_20150112T114401.html', MID = 703, File Size = 108769 bytes, File Type = text/html
Wed Jan 14 15:33:02 2015 Info: Response received for file reputation query from Cloud. File Name = 'securedoc_20150112T114401.html', MID = 703, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = c1afd8efe4eeb4e04551a8a0f5533d80d4bec0205553465e997f9c672983346f, upload_action = 1
Administrators can use this logged information to correlate the Message ID (MID) with the entries in the mail logs.
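To show how the entries quoted above can be turned into something an operator can act on, here is an added example (not Cisco's code and not part of this article) that parses "tail amp" output: it tracks the reachable/unreachable state of the File Reputation service, separates the amp_watchdog.txt keep-alive (MID 0) from real messages, and builds a per-MID index of cloud verdicts (disposition, score, sha256) that can be matched against mail_logs. The regular expressions are derived from the entry format shown in this article; the sample log text is constructed for the example, with made-up timestamps, file names and sha256 values, and the hostnames or message IDs in it are not from any real appliance.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample "tail amp" excerpt modelled on the entries quoted in this
# article. Timestamps, file names and the sha256 values are made up.
SAMPLE_AMP_LOG = """\
Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud is reachable.
Mon Jan 26 10:19:22 2015 Info: amp File reputation service initialized successfully
Mon Jan 26 10:19:23 2015 Info: amp The File Analysis server is reachable
Mon Jan 26 10:20:24 2015 Info: amp File reputation query initiating. File Name = 'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 0000000000000000000000000000000000000000000000000000000000000000, upload_action = 1
Mon Jan 26 10:21:01 2015 Info: amp File reputation query initiating. File Name = 'invoice.pdf', MID = 703, File Size = 108769 bytes, File Type = application/pdf
Mon Jan 26 10:21:02 2015 Info: amp Response received for file reputation query from Cloud. File Name = 'invoice.pdf', MID = 703, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 1111111111111111111111111111111111111111111111111111111111111111, upload_action = 1
Mon Jan 26 10:22:40 2015 Info: Response received for file reputation query from Cloud. File Name = 'report.html', MID = 812, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 2222222222222222222222222222222222222222222222222222222222222222, upload_action = 1
"""

TIMESTAMP = r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"

# Service-state entries ("... is reachable." / "... is unreachable.").
STATE_RE = re.compile(
    TIMESTAMP + r" (?:Warning|Info): amp "
    r"The File Reputation service in the cloud is (?P<state>reachable|unreachable)\.$"
)

# Cloud verdict entries; the "amp " tag after "Info:" is optional because the
# article shows entries both with and without it.
RESPONSE_RE = re.compile(
    TIMESTAMP + r" Info: (?:amp )?Response received for file reputation query from Cloud\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), "
    r"Disposition = (?P<disposition>[^,]+), Malware = (?P<malware>[^,]+), "
    r"Reputation Score = (?P<score>-?\d+), sha256 = (?P<sha256>[0-9a-fA-F]{64}), "
    r"upload_action = (?P<upload_action>\d+)$"
)

WATCHDOG_NAME = "amp_watchdog.txt"


@dataclass
class ReputationResponse:
    timestamp: str
    file_name: str
    mid: int
    disposition: str
    malware: str
    score: int
    sha256: str
    upload_action: int

    @property
    def is_watchdog(self) -> bool:
        # MID 0 with the watchdog file name is the AMP keep-alive, not a real message.
        return self.mid == 0 and self.file_name == WATCHDOG_NAME


def parse_responses(log_text: str) -> List[ReputationResponse]:
    """Extract every cloud reputation response entry from AMP log text."""
    out: List[ReputationResponse] = []
    for line in log_text.splitlines():
        m = RESPONSE_RE.match(line.strip())
        if m:
            out.append(ReputationResponse(
                timestamp=m["ts"], file_name=m["name"], mid=int(m["mid"]),
                disposition=m["disposition"].strip(), malware=m["malware"].strip(),
                score=int(m["score"]), sha256=m["sha256"].lower(),
                upload_action=int(m["upload_action"]),
            ))
    return out


def reputation_state_timeline(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, 'reachable' | 'unreachable') for each service-state entry."""
    timeline: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            timeline.append((m["ts"], m["state"]))
    return timeline


def responses_for_mid(log_text: str, mid: int) -> List[ReputationResponse]:
    """Correlate an MID taken from mail_logs with its AMP verdict entries."""
    return [r for r in parse_responses(log_text) if r.mid == mid and not r.is_watchdog]


def summarize(log_text: str) -> Dict[str, object]:
    """Summarize connectivity health and index real-message verdicts by MID."""
    timeline = reputation_state_timeline(log_text)
    responses = parse_responses(log_text)
    by_mid: Dict[int, List[ReputationResponse]] = {}
    for r in responses:
        if not r.is_watchdog:
            by_mid.setdefault(r.mid, []).append(r)
    return {
        "unreachable_warnings": sum(1 for _, s in timeline if s == "unreachable"),
        "last_reputation_state": timeline[-1][1] if timeline else None,
        "watchdog_responses": sum(1 for r in responses if r.is_watchdog),
        "responses_by_mid": by_mid,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_AMP_LOG)
    print(f"last state: {s['last_reputation_state']}, "
          f"unreachable warnings: {s['unreachable_warnings']}, "
          f"watchdog responses: {s['watchdog_responses']}")
    for mid, entries in sorted(s["responses_by_mid"].items()):
        for r in entries:
            print(f"MID {mid}: {r.file_name} {r.disposition} score={r.score} sha256={r.sha256}")
```

Run against a saved copy of "tail amp" output (for example, text pasted from the CLI into a file and read with open().read()), summarize() reports whether the last recorded state was reachable, how many unreachable warnings preceded it, and whether the 10-minute watchdog verdicts are still arriving; responses_for_mid() gives the verdict entries for an MID you already found in mail_logs.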
Additional Troubleshooting
Review the firewall and network settings to ensure that SSL communication is open for the following:
| Port | Protocol | In/Out | Hostname | Description |
|---|---|---|---|---|
| 443 | TCP | Outbound | As configured in Security Services > File Reputation and Analysis, Advanced section. | Access to the cloud service for file analysis. |
| 32137 | TCP | Outbound | As configured in Security Services > File Reputation and Analysis, Advanced section, Cloud Server Pool parameter. | Access to the cloud service for file reputation. |
You can test basic connectivity from the ESA to the cloud services on port 443 with Telnet to confirm that the appliance can successfully reach the AMP services for file reputation and file analysis.
Note: The addresses for file reputation and file analysis are configured on the CLI with ampconfig > advanced, or in the GUI under Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down).
Note: If a tunnel proxy is used between the ESA and the file reputation server, you may need to enable the "Relax Certificate Validation for Tunnel Proxy" option. This option is provided to skip standard certificate validation if the tunnel proxy server's certificate is not signed by a root authority that the ESA trusts. For example, select this option if a self-signed certificate is used on a trusted internal tunnel proxy server.
File reputation example:
10.0.0-125.local> telnet cloud-sa.amp.sourcefire.com 443
Trying 23.21.199.158...
Connected to ec2-23-21-199-158.compute-1.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
File analysis example:
10.0.0-125.local> telnet panacea.threatgrid.com 443
Trying 69.55.5.244...
Connected to 69.55.5.244.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
If the ESA can telnet to the file reputation server and there is no upstream proxy decrypting the connection, the appliance may need to re-register with Threat Grid. There is a hidden command for this on the ESA CLI:
10.0.0-125.local> diagnostic
Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> ampregister
AMP registration initiated.
AsyncOS 15.x or later
Make sure that the correct file reputation server is selected. This can also be done in the GUI by navigating to Security Services > File Reputation and Analysis > Edit Global Settings > Advanced Settings for File Reputation > File Reputation Server.
Note: For the hostname and port information needed to configure the firewall, review the "Firewall Information" section of the user guide here.
(Cluster example.com)> ampconfig
File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
- CLUSTERSET - Set how advanced malware protection is configured in a cluster.
- CLUSTERSHOW - Display how advanced malware protection is configured in a cluster.
[]> advanced
Enter cloud query timeout?
[20]>
Choose a file reputation server:
1. US Cloud
2. EU Cloud
3. APJC Cloud
4. Private reputation cloud
[1]>
Do you want use the recommended analysis threshold from cloud service? [Y]>
Enter heartbeat interval?
[15]>
Proxy server detail:
Server :
Port :
User :
Passphrase:
Do you want to change proxy detail [N]>
Do you want to suppress the verdict update alerts for all messages that are not delivered to the recipient? [Y]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. AUSTRALIA (https://panacea.threatgrid.com.au)
3. CANADA (https://panacea.threatgrid.ca)
4. EUROPE (https://panacea.threatgrid.eu)
5. Private analysis cloud
[1]>
Use Existing File Reputation Proxy? [N]>
Proxy server detail:
Server :
Port :
User :
Password :
Do you want to change proxy detail [N]>
File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet
Related Information