HOWTO: How do I check that SEG is updating correctly?


This article applies to:

  • Trustwave SEG/MailMarshal SMTP

Question:

  • How do I check that web updates are working?
  • Is SpamCensor up to date?
  • Is SpamProfiler up to date?
  • Is the Blended Threats Module (BTM) up to date?
  • Are virus signatures up to date?
  • Is my IP Reputation Service license up to date?
  • What websites must be allowed through a firewall for updates to work?

Information:

To check that the SEG updates are working, see the relevant sections below.
Note that the URLs may map to dynamic IP addresses. It is not possible to give a definitive list of IP addresses.

  • For troubleshooting notes see the end of this article

All update functions - Certificate issues

If service logs show errors related to SSL certificates, your server may be lacking a required SSL Root Certificate (CA Certificate) needed to verify the server certificate. Also, using a proxy server with HTTPS content inspection could cause issues.
  • Sample error:
    SSL certificate problem, verify that the CA cert is OK.
    Details: error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  • For a resolution, see Trustwave Knowledge Base article Q13703.
  • Note also that you must allow HTTP access to Certificate Revocation List servers so that SSL certificates can be validated.

Spam Censor

[Updated by the MailMarshal Array Manager service]

The Spam Censor Updates run under the Array Manager Service on the Array Manager server, and they require HTTP and HTTPS access.  To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access).

Required URLs are:

  • HTTP://www.marshal.com
  • HTTPS://www.marshal.com

If updates are not succeeding, particularly with a proxy, you may need to run the Array Manager service using a Windows account with administrative privilege and proxy permissions.  

To check that updates are successful, see the Configurator (MailMarshal Properties > Automatic Updates).   You can check that the SpamCensor updates are current by clicking Check for Updates Now.

See also:

  • Q11718, Why do SpamCensor updates fail?
  • Q11998, 403 Access Forbidden: Product Key or Maintenance is not current.
  • Q14242, 410 Updates are no longer provided for this product version.
    • Updates are no longer provided for most MailMarshal SMTP versions below 6.2.2.

SpamProfiler

This information applies to

  • SEG 7.2.3 and below
  • SEG 7.5.8 and above
  • SEG 8.X
  • Version 7.3.x and 7.5.x with hotfix.

[Updated by MailMarshal Receiver (6.5 and below); MailMarshal SpamProfiler Process (6.7 and above)]

The Array Manager checks daily to verify licensing of this service. The required URL is https://mailmarshal.licensing.marshal.com/

  • You can check licensing activity by searching the MMArrayManager log (located in the \Logging folder of the installation).

SpamProfiler updates are retrieved by services running on the MailMarshal processing servers (in an array, each server updates separately). To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

Required URLs are: 

  • HTTP://sigupdates.marshal.com
  • HTTPS://sigupdates.marshal.com
  • HTTP://lvc.cloudmark.com/
  • HTTP://tracks.cloudmark.com/
  • HTTPS://tracks.cloudmark.com/
  • HTTPS access to the following network range: 208.83.136.0/22

If updates are not succeeding, particularly with a proxy, you may need to run the Receiver or SpamProfiler service using a Windows account with administrative privilege and proxy permissions. 

You can check that SpamProfiler is updating by viewing the MMReceiver or MMSpamProfiler log (located in the \logging folder of the installation).

You should see an entry like the following when you first enable spam profiler:

[MICROUPDATE] Successful auto configuration download from network (new serial xx.xx).

and subsequent updates like:

[MICROUPDATE] Successful signatures incremental download from network (new serial xxxxxxx.xxxxxxx)

SpamProfiler (Deprecated)

This information applies to a deprecated version of SpamProfiler originally installed with SEG 7.3 through 7.5.7.

Note: As of July 2017, this version of SpamProfiler MUST be replaced with the above version. If it has not been replaced, expect to see errors as below when the services are next restarted. Customers with maintenance should see the SEG product upgrade page for a hotfix or newly released version that implements the SpamProfiler update.

You can check that SpamProfiler is connecting by viewing the MMReceiver log.

  • If SpamProfiler cannot connect you will see log entries like the following for affected messages:
    • SpamProfiler query error: Request failed: Response code: 500 returned.
    • SpamProfiler Outbound service is not ready. Error: Request failed: Failed to connect to 127.0.0.1 port 19009: Connection refused
    • SpamProfiler Inbound service is not ready. Error: Request failed: Failed to connect to 127.0.0.1 port 19008: Connection refused
  • Note that the cause of the "service not ready" message is that the SpamProfiler process cannot connect to the external service. These messages are not caused by a block on the local port 19008 or 19009.
  • If SpamProfiler can connect you will see log entries starting Inbound SpamProfiler RefID

URL Categorizer Service (Version 7.5 and above)

[Check performed by the MailMarshal Engine service]

The URL Categorizer check requests are performed in real time by the Engine service on each SEG processing server. To set a proxy and proxy logon information if required, you can use the Configurator (Trustwave SEG Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

The default required URLs are: 

  • HTTP://tw-seg-urlcategorizer.cloudapp.net (Located in Americas region)
    • also known as urlcategorizer.seg.trustwave.com
  • HTTP://tw-seg-urlcategorizer-au.cloudapp.net/ (Located in APAC region)

Note that the SEG installation will select an instance based on geography and latency. All installations should have access to both instances.
 
You can choose to use HTTPS for these requests. See article Q20362.

Blended Threat Service (Version 7.1 and above)

[Licensing update by Array Manager service]

The Array Manager checks daily to verify licensing of this service.

The required URL is https://mailmarshal.licensing.marshal.com

  • Note: ALL installations of MailMarshal/SEG 7.1 and above perform this check. It is not limited to installations licensed for the Blended Threats service. Installations without the service still must check in order to determine whether a license has been added.
  • You can check licensing activity by searching the MMArrayManager log (located in the \logging folder of the installation).
  • In version 7.1, search for the string BTM Provisioning
  • In version 7.2 and above, search for the string Licensing

Testing and validation of URLs is performed in real time when the user clicks the URL.

  • URLs are checked through web request to the site scanmail.trustwave.com (from the user's browser)
  • Click statistics are retrieved through web request to the site stats.scanmail.trustwave.com (from the Array Manager)

Blended Threats Module (versions below 7.1)

[Updated by the MailMarshal Engine service]

Note that in MailMarshal SEG version 7.1 and above the BTM uses a different method and there is no local database to update. See the section above.

The BTM updates are retrieved by the Engine service on the MailMarshal processing servers (in an array, each server updates separately). To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

Required URLs are: 

  • HTTP://btmupdates.marshal.com
  • HTTPS://btmupdates.marshal.com

If updates for any server are more than 15 minutes out of date, the Console or Configurator displays this information.

If updates are not succeeding, particularly with a proxy, and particularly with MailMarshal 6.7, you may need to run the Engine service using a Windows account with administrative privilege and proxy permissions.

The MailMarshal Engine log reports the Blended Threats Module downloads. Successful downloads will be logged as follows:

BTM: dbid=1, version=xxxxxxxxxx (incremental update)

See also: Q12931, Blended Threats Module updates fail

Licensing/Maintenance display (7.2 and above)
Marshal IP Reputation Service provisioning (7.3.5 and above)

[Licensing update by Array Manager service]

The Array Manager checks daily to verify maintenance entitlement for the product, and checks as required for Marshal IP Reputation Service information.

The required URL is https://mailmarshal.licensing.marshal.com

  • You can check activity by searching the MMArrayManager log (located in the \Logging folder of the installation).
  • Search for the string Licensing or RBL Provisioning

Bitdefender for Marshal
Kaspersky for Marshal
McAfee For Marshal
Sophos For Marshal

[Updated by Marshal Bitdefender Updater, Marshal Kaspersky Updater, Marshal Sophos Updater, or Marshal McAfee Updater services]

These plug-ins update on each processing server. To set a proxy or local update location, use the configuration console for each application. You can check that updates are successful using the configuration console. Update information is also logged to text log files.

  • Note that the required URLs differ depending on the version installed

For details see the following articles:

Troubleshooting notes:

If SpamProfiler or Blended Threats (7.1 and above) is not updating as expected:

  • Verify the internet access settings in TWO locations, even for a single server installation:
    • MailMarshal Properties > Internet Access
    • Server and Array Configuration > Server Properties for the individual server > Internet access (Customize...)
  • The customized node setting overrides the main setting, even if you have only one server.

This access setting is also used for retrieval of Certificate Revocation Lists for TLS functionality (version 7.1 and above)
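
The log strings quoted in the sections above can be checked in one pass. The following PowerShell is an added example, not Trustwave's code: the rule table, function names and sample log lines are constructed here, and the folder path in the final comment is a placeholder for your own installation.

```powershell
# Added example. Match strings come from this article; everything else is constructed.
# ERROR rules are listed first so that a failure is never hidden by a broader rule.
$Rules = @(
    [pscustomobject]@{ Status='ERROR'; Component='TLS certificate'; Pattern='SSL certificate problem|certificate verify failed'; Hint='Missing root CA or HTTPS-inspecting proxy (see Q13703)' }
    [pscustomobject]@{ Status='ERROR'; Component='SpamProfiler (deprecated)'; Pattern='SpamProfiler (Inbound|Outbound) service is not ready'; Hint='External service unreachable; not a local port 19008/19009 block' }
    [pscustomobject]@{ Status='ERROR'; Component='SpamProfiler (deprecated)'; Pattern='SpamProfiler query error: Request failed'; Hint='' }
    [pscustomobject]@{ Status='OK'; Component='SpamProfiler (deprecated)'; Pattern='Inbound SpamProfiler RefID'; Hint='' }
    [pscustomobject]@{ Status='OK'; Component='SpamProfiler'; Pattern='\[MICROUPDATE\] Successful (auto configuration|signatures incremental) download'; Hint='' }
    [pscustomobject]@{ Status='OK'; Component='BTM (below 7.1)'; Pattern='BTM: dbid=\d+, version=\S+'; Hint='' }
    [pscustomobject]@{ Status='INFO'; Component='Licensing'; Pattern='Licensing|BTM Provisioning|RBL Provisioning'; Hint='Review in MMArrayManager log' }
)

function Get-SegUpdateEvent {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        foreach ($rule in $Rules) {
            if ($Line -match $rule.Pattern) {
                [pscustomobject]@{ Status=$rule.Status; Component=$rule.Component; Hint=$rule.Hint; Line=$Line.Trim() }
                break   # first matching rule wins
            }
        }
    }
}

function Get-SegUpdateSummary {
    param([object[]]$Items)
    $Items | Group-Object Component | ForEach-Object {
        [pscustomobject]@{
            Component  = $_.Name
            OK         = @($_.Group | Where-Object Status -eq 'OK').Count
            Errors     = @($_.Group | Where-Object Status -eq 'ERROR').Count
            LastStatus = $_.Group[-1].Status   # most recent line seen for this component
        }
    }
}

# Constructed sample lines (serials and version numbers are made up).
$sample = @'
[MICROUPDATE] Successful signatures incremental download from network (new serial 1234567.1234567)
SpamProfiler Inbound service is not ready. Error: Request failed: Failed to connect to 127.0.0.1 port 19008: Connection refused
BTM: dbid=1, version=1234567890 (incremental update)
SSL certificate problem, verify that the CA cert is OK.
Message 0001 accepted for delivery
'@ -split '\r?\n'

$found = $sample | Get-SegUpdateEvent
$found | Format-Table Status, Component, Hint -AutoSize
Get-SegUpdateSummary $found | Format-Table -AutoSize
# Real logs: Get-ChildItem '<install folder>\Logging' -File | Get-Content | Get-SegUpdateEvent
```

A component whose LastStatus is ERROR, or that shows errors and no OK lines, is the one to investigate first.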


    Details
    Article ID: 12992
    Last Modified: 7/9/2017
    Type: HOWTO