Updating Components

Table Of Contents

Updating Components

About Updating

Manual and Automatic Updates

Update Verification

Update Sources

Proxy Server Connection

Downloading Components

Configuring Scheduled Download

Scheduled Download Behavior

Downloading Manually

Modifying the Download Source

Configuring Proxy Settings for Downloads

Creating an Alternate Update Source

Minimum System Requirements for an Alternate Update Source Server

Downloading the server.ini File

Setting up the Alternate Update Source Server

Updating the Alternate Update Source Server

Deploying Components

Enabling Automatic Deployment

Deploying Manually

Updating Components

This chapter explains how to download and deploy the components you need to implement your incident-control strategy. It contains the following sections:

• About Updating

• Downloading Components

• Creating an Alternate Update Source

• Deploying Components

About Updating

You must periodically update Cisco ICS components to help protect the network from the latest threats. Updating refers to two actions:

•Downloading—The Cisco ICS server pulls components from the update source (by default, the Trend Micro ActiveUpdate server).

•Deploying—The Cisco ICS server pushes components to network devices and the DCS server.

For an outline of the components Cisco ICS uses, see About Cisco ICS Components, page 1-3.

This section describes updates and contains the following topics:

• Manual and Automatic Updates

• Update Verification

• Update Sources

• Proxy Server Connection

Manual and Automatic Updates

Trend Micro typically releases updated components at least once daily, and more often when a new threat is discovered. You can download and deploy components manually on demand through the Cisco ICS web console. However, we do not recommend this because it would require the Cisco ICS administrator to update the components at least once a day to keep antivirus protection current.

To relieve the Cisco ICS administrator of this task, configure a download schedule and enable automatic deployment. You can still update manually at any time.

Note After installation is complete, Cisco ICS immediately downloads the latest components from the default update source using HTTPS. This one-time, post-installation download is enabled by default and cannot be disabled.

Scheduled downloads for OPSigs and DCS components follow the outbreak management task download schedule when outbreak management tasks are active. For more information, see Scheduled Download Behavior.

Update Verification

Periodically verify component download and deployment by viewing the Outbreak Management Task Summary window or the event log. For more information, see Viewing a Summary of All Outbreak Management Tasks, page 6-10, and Event Logs, page 10-5.

Update Sources

By default, Cisco ICS downloads components from the Trend Micro ActiveUpdate server; however, you can select another update source. For more information, see Modifying the Download Source.

Proxy Server Connection

If the network has a proxy server, you must configure the server information on the Update Download Source window to successfully connect with the download source. For more information, see Modifying the Download Source.

Downloading Components

To automate the task of keeping the Cisco ICS server components current, configure scheduled download. By default, scheduled download is enabled and configured to poll the update source every 5 minutes for a new OPACL and every 12 hours for other components. If a new version of a component is available, Cisco ICS downloads the new version. Alternatively, to avoid waiting for the next scheduled download, you can download the components manually at any time.

This section describes how to configure scheduled downloads and contains the following topics:

• Configuring Scheduled Download

• Scheduled Download Behavior

• Downloading Manually

• Modifying the Download Source

Configuring Scheduled Download

Tip The default selections provide adequate protection without overburdening the network with excessive downloads.

To configure scheduled downloads, follow these steps:

Step 1 Choose Updates > Scheduled Download.

The Scheduled Download window appears, showing two schedules:

•Outbreak Management Task Polling Schedule—Downloads the outbreak management task file, which includes the latest OPACL configurations for all threats.

•OPSig Polling Schedule—Downloads OPSig files and the files that DCS uses.

Note Damage Cleanup and spyware components are available only when a DCS server registers to the Cisco ICS server. You cannot download DCS components separate from the OPSig.

Step 2 Ensure that the check boxes for the components you want to download are checked.

Step 3 For each schedule, click one of the following and choose the frequency for downloading:

•Minute—every { } minutes.

•Hour—every { } hours.

•Day—every { } days at the selected time of day.

•Week, on—once per week on the selected day and time.

Step 4 Click Save.

Download schedules differ when one or more outbreak management tasks are active. For more information, see Scheduled Download Behavior.

Scheduled Download Behavior

Scheduled download behavior for OPSigs and DCS components differs when outbreak management tasks are active and the required OPSig is not yet deployed.

•Normal download scheduling—Both outbreak management task downloads and OPSig/DCS component downloads take place according to their respective schedules under either of the following circumstances:

–No outbreak management tasks are active.

–One or more tasks are active and Cisco ICS has already successfully deployed the OPSigs required to address the associated threats.

•Outbreak management task download schedule usage—Cisco ICS ignores the time interval for OPSig/DCS component scheduled downloads when both of the following are true:

–One or more tasks are active.

–Cisco ICS has not yet successfully deployed the OPSigs required to address the associated threat.

In this situation, Cisco ICS downloads both the outbreak management task, including the latest OPACL, and OPSig/DCS components according to the outbreak management task polling schedule.

When Cisco ICS downloads the required OPSig for the outbreak management task, the OPSig/DCS component polling schedule interval resumes precedence for OPSigs and DCS components. Outbreak management task downloads, which include the latest OPACL file, continue to follow the OPACL download schedule.

Downloading Manually

To download an update manually, follow these steps:

Step 1 Choose Updates > Manual Download.

Step 2 Select the components to download. To select all components, check the Components check box.

Step 3 Click Download.

The Manual Download Progress window appears, showing the progress of the download and the result.

Step 4 Click Back to return to the Manual Download window.

Modifying the Download Source

By default, Cisco ICS downloads components from the Trend Micro ActiveUpdate server; however, other update sources are also allowed. To successfully connect with the download source when a proxy server is on the network, you must configure the proxy server information on the Update Download Source window.

Note By default, Cisco ICS uses Secure HTTP (HTTPS) when connecting to the download source for enhanced security.

To modify the download source, follow these steps:

Step 1 Choose Updates > Download Source.

Step 2 Under Download Source, click one of the following options:

•Trend Micro ActiveUpdate Server—Choose the connection protocol (HTTP or HTTPS).

•Other update source—Enter the full address of the source URL. For example:

http://www.ciscoicsupdatesource.com/activeupdate
https://www.ciscoicsupdatesource.com/activeupdate

Step 3 Click Save.

Configuring Proxy Settings for Downloads

If the network has a proxy server, you must configure the server information on the Update Download Source window to successfully connect with the download source.

Step 1 Choose Updates > Download Source.

Step 2 Under Proxy Settings, check the Use a proxy server check box.

Step 3 Configure the following:

•Proxy type—The protocol the proxy server uses (HTTP Proxy or SOCKS version 4/5).

•Server name or IP address—The domain name or the IP address of the proxy server.

•Port—The port the Cisco ICS server uses to connect to the proxy server.

•User name and Password—The login credentials.

Step 4 Click Save.

Creating an Alternate Update Source

By default, Cisco ICS downloads components from the Trend Micro ActiveUpdate server, which is the only source for new OPACLs, OPSigs, and DCS components. However, you might want to allow Cisco ICS servers to download components from an alternate update source located on your network in certain situations, such as the following:

•Your Cisco ICS server is not connected to the Internet.

•The connection between your Cisco ICS server and the Internet is not reliable.

•The bandwidth between your Cisco ICS server and the Internet is restricted.

You can set up and maintain an alternate update source server anywhere on your network that you can access from your Cisco ICS server. However, to keep the Cisco ICS components up-to-date, you must regularly download a configuration file and all the Cisco ICS components from the Trend Micro ActiveUpdate server to the alternate update source sever.

If scheduled download is enabled on Cisco ICS, the Cisco ICS server automatically discovers and downloads the new components from the alternate update source. You can also manually download the components.

This section describes how to create an alternate update source and contains the following topics:

• Minimum System Requirements for an Alternate Update Source Server

• Downloading the server.ini File

• Setting up the Alternate Update Source Server

• Updating the Alternate Update Source Server

Minimum System Requirements for an Alternate Update Source Server

The following versions or later are required for any computer you want to serve as an alternate update source server.

•Operating system (one of the following)

–Windows 2000

–Redhat Linux 6.2

•Web server (one of the following)

–IIS: Windows 2000 IIS 5.0 or Windows 2003 IIS 6.0

–Apache: 2.0

•Network Protocol

–TCP/IP

•Hardware

–586 Intel Pentium processor or equivalent

–256 MB of RAM

–4 GB of disk space

Downloading the server.ini File

All information related to Cisco ICS components is contained in a configuration file named server.ini. Trend Micro updates this file every time a new component is ready. When you are setting up and updating your alternate update source server, download server.ini from the Trend Micro website at the following location: http://cics-p.activeupdate.trendmicro.com/activeupdate.

Setting up the Alternate Update Source Server

This section explains how to set up an alternate update source server on a computer that meets the minimum system requirements.

To set up the alternate update source server, follow these steps:

Step 1 Create a shared directory with two subdirectories named PATTERN and ENGINE. The PATTERN directory holds the OPACL, OPSig, Damage Cleanup template, and Spyware pattern files. The ENGINE directory holds the Damage Cleanup engine.

Step 2 Map the shared directory to your web server's virtual directory. See your web server documentation for details.

Step 3 Download the server.ini file:

http://cics-p.activeupdate.trendmicro.com/activeupdate

And then save the file in the shared directory that you created.

Step 4 Open the server.ini file in a text editor.

Step 5 Obtain the filenames of the components to download. The component filenames immediately follow a string which identifies each component:

•OPACL—Search for the string P.10000040=pattern/.

•OPSig—Search for the string P.10000004=pattern/.

•Damage Cleanup pattern—Search for the string P.800=pattern/. The filename after this string is a zip file that contains a single pattern file. Download this file.

The pattern file is divided into several subfiles. You also need to search for each of the subfiles starting with the string P.800.Merge.1/ and ending with P.800.Merge.x/, where x is the last entry in the list. Download all of these subfiles in addition to the zip file.

•Spyware pattern—Search for the string P.1000000=pattern/. The filename after this string is a zip file that contains a single pattern file. Download this file.

The pattern file is divided into several subfiles. You also need to search for each of the subfiles starting with the string P.1000000.Merge.1/ and ending with P.1000000.Merge.x/, where x is the last entry in the list. Download all of these subfiles in addition to the zip file.

•Damage Cleanup engine—Search for the string E.1000000=TSC,engine/.

For example, the filename of the OPACL in a server.ini file with the entry P.10000040=pattern/opacl0.3.zip,204,23039, is opacl0.3.zip.

Step 6 Download each component file:

a. Enter the name of a component file at the end of the URL you used to access the server.ini file. For example, if the filename of the OPACL that you want to download is opacl0.3.zip, enter the following URL in your web browser: http://cics-p.activeupdate.trendmicro.com/pattern/activeupdate/opacl.0.3.zip

A prompt appears.

b. Click Save to save the file to the correct subdirectory in the shared directory you created. Save the Damage Cleanup engine in the ENGINE subfolder and the other components in the PATTERN subfolder.

Step 7 On the Cisco ICS server which will use the new alternate update source, modify the download source.

Updating the Alternate Update Source Server

To keep your threat-protection current, update the alternate update source every 2 to 3 days. A daily update is the most optimal. The update process is identical to the process that you performed to set up the alternate update source server.

To verify that new components are available before you perform the update, download the server.ini file and open it in a text editor. Compare the filenames of the components to see which files Trend Micro changed. Download any component file with an updated filename.

Deploying Components

You can automate the task of updating network devices and DCS servers by enabling automatic deployment. Alternatively, to avoid waiting for the next automatic deployment, you can manually deploy the OPSig, Damage Cleanup engine and template, and the spyware pattern files on the Cisco ICS server at any time.

Note Damage Cleanup and spyware components are available only when a DCS server registers with the Cisco ICS server.

This section describes how to deploy components and contains the following topics:

• Enabling Automatic Deployment

• Deploying Manually

Enabling Automatic Deployment

Cisco ICS can automatically deploy the OPSig, Damage Cleanup engine and template, and the spyware cleanup pattern in the following situations:

•After you download an updated component.

•After you add a new device.

•If the status of any device changes to online.

Note Automatic deployment is enabled by default.

To enable automatic deployment, follow these steps:

Step 1 Choose Updates > Deployment Settings.

Step 2 Click the Automatically deploy components under these circumstances radio button.

Step 3 Click Save.

Deploying Manually

To deploy a device manually, follow these steps:

Step 1 Choose Devices > Device List.

The Device List window appears.

Step 2 Choose the devices to update.

Note When you added IPS devices, the username must have administrator or root view account access for deployment to succeed.

Step 3 Click Deploy.

A confirmation message appears.

Step 4 Click OK.

Note If a device is offline when you deploy manually, it cannot receive the updated components. If you enable automatic deployment, the Cisco ICS server automatically deploys the components immediately after the device comes back online. This option is enabled by default.