Content & Malware Analysis

  • 1.  CAS will not downgrade from v3.0.1.1 to v2.4.1.1

    Posted Jul 20, 2020 06:28 AM
    Device: CAS S400-A3
    Default boot was set to v3.0.1.1. CAS accidentally rebooted with this image. Default set back to v2.4.1.1 and rebooted but it keeps loading v3.0.1.1.

    clp-alerts
    2020-07-20T01:45:01.932444+00:00 IBMSMWSCAP01 alert root[19168]: Health Monitoring (cron): Trimmed event history to 30 days.
    2020-07-20T06:11:01.887955+00:00 IBMSMWSCAP01 alert root[5636]: Upgrade/downgrade from 2.4.1.1:234756 to 3.0.1.1:249223 success.
    Jul 20 06:41:34 CAS handle_mdadm_event: NewArray /dev/md127
    Jul 20 06:42:23 CAS logger: Upgrade/downgrade scripts from 3.0.1.1:249223 to 2.4.1.1:234756 completed successfully.
    2020-07-20T06:50:53.009039+00:00 CAS alert root[4726]: Upgrade/downgrade from 2.4.1.1:234756 to 3.0.1.1:249223 success.
    2020-07-20T06:51:39.021543+00:00 IBMSMWSCAP01 alert root[7789]: Upgrade/downgrade from 2.4.1.1:234756 to 3.0.1.1:249223 success.


    Any ideas appreciated!! Thanks!!!

    ------------------------------
    Sr. Network Security Engineer
    IBM - Managed Security Services
    ------------------------------


  • 2.  RE: CAS will not downgrade from v3.0.1.1 to v2.4.1.1

    Broadcom Employee
    Posted Jul 20, 2020 10:54 AM
    Hi Keith,

    The following is from page 4 of the CAS 3.0 Release Notes:

    "Because of infrastructure changes introduced in Content Analysis 3.x, downgrades to 2.x and 1.x are not supported; a factory reset would be required after downgrading."

    To get back, you'll need to factory default the device.

    Thanks!
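
Added example (not written by anyone in this thread, and not Broadcom code): a Python sketch that reads the clp-alerts lines from the first post and flags a downgrade that is followed by a return to the higher version, which is the sequence the log shows. The function names are hypothetical, and lines with a year-less syslog timestamp are assumed to be UTC and in the year of the last ISO-stamped line.

```python
import re
from datetime import datetime, timezone

# Lines copied from the clp-alerts excerpt in the first post.
SAMPLE = """\
2020-07-20T01:45:01.932444+00:00 IBMSMWSCAP01 alert root[19168]: Health Monitoring (cron): Trimmed event history to 30 days.
2020-07-20T06:11:01.887955+00:00 IBMSMWSCAP01 alert root[5636]: Upgrade/downgrade from 2.4.1.1:234756 to 3.0.1.1:249223 success.
Jul 20 06:41:34 CAS handle_mdadm_event: NewArray /dev/md127
Jul 20 06:42:23 CAS logger: Upgrade/downgrade scripts from 3.0.1.1:249223 to 2.4.1.1:234756 completed successfully.
2020-07-20T06:50:53.009039+00:00 CAS alert root[4726]: Upgrade/downgrade from 2.4.1.1:234756 to 3.0.1.1:249223 success.
2020-07-20T06:51:39.021543+00:00 IBMSMWSCAP01 alert root[7789]: Upgrade/downgrade from 2.4.1.1:234756 to 3.0.1.1:249223 success.
"""

# Matches both message variants seen above ("... success." and "scripts ... completed").
EVENT = re.compile(r"Upgrade/downgrade (?:scripts )?from ([\d.]+):\d+ to ([\d.]+):\d+")
ISO_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\S+) ")
BSD_TS = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) ")

def version_key(v):
    return tuple(int(p) for p in v.split("."))

def parse_transitions(text, default_year=1970):
    """Return [(timestamp, from_version, to_version)] for version-change lines."""
    events, year = [], default_year
    for line in text.splitlines():
        iso, bsd = ISO_TS.match(line), BSD_TS.match(line)
        if iso:
            ts = datetime.fromisoformat(iso.group(1))
            year = ts.year  # remembered for later year-less lines
        elif bsd:
            # Assumption: year-less syslog stamps are UTC, in the last seen year.
            ts = datetime.strptime(f"{year} {bsd.group(1)}", "%Y %b %d %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)
        else:
            continue
        m = EVENT.search(line)
        if m:
            events.append((ts, m.group(1), m.group(2)))
    return events

def reverted_downgrades(events):
    """Return (downgrade_ts, revert_ts, from, to) for downgrades later undone."""
    found = []
    for i, (ts, src, dst) in enumerate(events):
        if version_key(dst) >= version_key(src):
            continue  # not a downgrade
        for ts2, src2, dst2 in events[i + 1:]:
            if (src2, dst2) == (dst, src):
                found.append((ts, ts2, src, dst))
                break
    return found
```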


  • 3.  RE: CAS will not downgrade from v3.0.1.1 to v2.4.1.1

    Broadcom Employee
    Posted Jul 20, 2020 10:55 AM
    Release Notes attached here:


  • 4.  RE: CAS will not downgrade from v3.0.1.1 to v2.4.1.1

    Posted Jul 21, 2020 01:35 AM
    Thank you Jacob!! One more question, we had an issue with Sophos not downloading on the same device:
    Sophos, PLC. engine Downloaded Not modified (304)

    Does that simply mean that the AV patterns were up to date?
    Both McAfee and Sophos are now updated all ok but was wondering about the 304 status.
    Thanks,
    Keith L.

    ------------------------------
    Network Security Engineer
    IBM - MSS
    ------------------------------



  • 5.  RE: CAS will not downgrade from v3.0.1.1 to v2.4.1.1

    Broadcom Employee
    Posted Jul 21, 2020 10:32 AM
    Hi Keith,

    Yes, the 304 is simply an HTTP 304 - Not Modified status code. It means that in relation to the download servers, the AV patterns are up to date.

    Thanks!


  • 6.  RE: CAS will not downgrade from v3.0.1.1 to v2.4.1.1

    Posted Jul 22, 2020 12:59 AM
    Thank you Jacob!!!!!!
    Appreciate your responses so much.
    Keith Lunn
    IBM MSS SOC

    ------------------------------
    Network Security Engineer
    IBM - MSS
    ------------------------------