Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Trend Micro has problems with their activeupdate server

From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Thu, 18 Mar 2004 13:16:46 +0100
Hi,
sure interesting for administrators of Trend Micro Interscan Viruswall or IMSS.
In general, pattern update server should be very reliable, especially in case of need for pattern updates because of a new worm is spreading...
Since longer we have problem on a customers installation with reliability of the pattern update process.
E.g. on Interscan Virus Wall Linux 3.8 "prescan.cgi" (triggered by cron) reports "error 28". This error is caused by a missing file on the Akamai servers (TM is using them for distributing updates): 

http://isux-t.activeupdate.trendmicro.com/activeupdate/server.ini
sometimes returns: HTTP/1.0 404 Not Found
BTW: another administrator (using IMSS) reports me that HTTP error 500, 502 and 504 also occurs sometimes. 

isux-t.activeupdate.trendmicro.com is directed to an Akamai server:
isux-t.activeupdate.trendmicro.com. 496 IN CNAME trendmicro.georedirector.akadns.net.
BTW: for ISVW, if you want to retrieve information, why your update process fails, enable debugging: 

 1. Edit aucfg.ini
 2. Look for [debug] then set the following parameters
     level=1
     log_mode=2

Debug file /etc/iscan/Au_log/tmudump.txt contain the full HTTP header lines
of request and reply.
After a long time of discussion with the support of TM (they longer wanted to convince me that the problem is on client side...I didn't believed that after I looked in the debug log for the first time), I finally got a *clear answer* from Trend Micro support, in short they told me, it can happen that an update fails with HTTP error 404 (sure, the debug log tells this also...).
Support told me also that this can happen if many new patterns are published in short time range, which overloads (?) the activeupdate server.
Mho: Either Akamai has a synchronisation problem here (does anybody know how they sync) or TM delete the file, Akamai syncs (which removes the file temporary), TM pushes the file again, Akamai syncs again.
Support told me also, as a workaround I should reduce the cycles for pattern check to e.g. each 10 minutes (easy to do by modifiying the crontab entry).
Mho: if everyone does this, the pattern server will have next problems, namely request overloads...
Looks like this problem can't be really solved shortly by TM, so users of at least the Linux/Unix products of Trend Micro running pattern update cycles per server have to live with this issue for now. 


Any comments or same experience on that issue by anyone else?
BTW: common known is update server overload problems to full hour times (many Unix/Linux boxes are synced via NTP), any admin should replace "0" in crontab by a "random" value between "1" and "59" for process "prescan.cgi". 

File "/var/spool/cron/root"
eg.
11 * * * * /etc/iscan/prescan.cgi
instead of
0 * * * * /etc/iscan/prescan.cgi


        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer () aerasec de
Germany                                Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: