Friday 10 November 2017

Clearing cache for Cisco AMP

Sometimes you might get a false positive. Cisco will update their signatures, but you might still have the old verdict in your cache. To make the alert go away, clear the cache, update, and scan again; it should come up clean.


Removal of the FireAMP Cache and History Files on Windows
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118565-technote-fireamp-00.html#anc1


Clear cache on Firepower FMC/sensor

Follow these steps to clear the cache on the Management Center (DC) and on the sensor (from CSCuu81183):

Management Center:
SSH into the Management Center
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.dc
# pmtool enablebyid SFDataCorrelator

Firepower Device:
SSH into the Firepower device
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.sensor
# pmtool enablebyid SFDataCorrelator
# pmtool restartbytype snort
# pmtool disablebytype snort
# cd /var/sf/detection-engines/<uuid>   (find the UUID for this step by running de_info.pl and copying the UUID of the Primary Detection Engine)
# rm -rf instance?*/malw_seed*
# pmtool enablebytype snort
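As an added example (not Cisco's script and not part of the original post), the two procedures above wrapped in one POSIX shell function, so the same pmtool sequence is run for either role and you can see exactly which files would be removed before anything is deleted. The SF_DIR, DE_ROOT, DE_UUID and DRY_RUN environment variables are assumptions of this example, not anything on the Firepower box; they exist so the plan can be reviewed and the script tested off-box. The Primary Detection Engine UUID still has to be copied from de_info.pl by hand and passed in as DE_UUID, since its output format is not shown here.

```shell
#!/bin/sh
# Added example, not Cisco's code: wraps the CSCuu81183 cache-clearing steps
# in a function so the same command sequence runs on an FMC ("dc") or a
# managed device ("sensor"). DRY_RUN=1 prints each command instead of
# running it, so the plan can be reviewed before anything is deleted.
# Assumed (not on the original page): SF_DIR, DE_ROOT, DE_UUID and DRY_RUN
# environment variables; they only exist so the script can be tested off-box.

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

clear_malware_cache() {
  role="$1"                                        # "dc" or "sensor"
  sf_dir="${SF_DIR:-/etc/sf}"                      # /etc/sf on a real box
  de_root="${DE_ROOT:-/var/sf/detection-engines}"  # real path on a sensor

  case "$role" in
    dc)     seed="$sf_dir/malw_cache_seed_file.dc" ;;
    sensor) seed="$sf_dir/malw_cache_seed_file.sensor" ;;
    *)      echo "usage: clear_malware_cache dc|sensor" >&2; return 2 ;;
  esac

  # pmtool needs root (sudo su -); the check is skipped in dry-run so the
  # plan can be reviewed as any user.
  if [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
    echo "must be root (sudo su -)" >&2
    return 1
  fi

  # SFDataCorrelator part, identical on both roles.
  run pmtool restartbyid SFDataCorrelator
  run pmtool disablebyid SFDataCorrelator
  if [ -e "$seed" ]; then
    run rm "$seed"
  else
    echo "no cache seed file at $seed, nothing to remove" >&2
  fi
  run pmtool enablebyid SFDataCorrelator

  # Sensor only: also clear the per-instance seed files under the
  # Primary Detection Engine directory.
  if [ "$role" = "sensor" ]; then
    uuid="${DE_UUID:?set DE_UUID to the Primary Detection Engine UUID shown by de_info.pl}"
    run pmtool restartbytype snort
    run pmtool disablebytype snort
    for f in "$de_root/$uuid"/instance?*/malw_seed*; do
      if [ -e "$f" ]; then
        run rm -rf "$f"
      fi
    done
    run pmtool enablebytype snort
  fi
}

# Usage on a sensor, after checking the plan first:
#   DRY_RUN=1 DE_UUID=<uuid from de_info.pl> clear_malware_cache sensor
#   DE_UUID=<uuid from de_info.pl> clear_malware_cache sensor
```

Running it once with DRY_RUN=1 and once without is the habit worth keeping: the rm targets are printed with their full paths, so a typo in the UUID or a wrong role is caught before any seed file is gone, and the pmtool order stays exactly as documented above.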
