Sophos Anti-Virus Database Expired on Cisco IronPort ESA

Update: It looks like the problem was resolved on May 16th at around 11:00 pm EST.

So I got a new alert from our Cisco IronPort Email Security Appliances (ESAs) after midnight last night stating that the Anti-Virus database has expired. Here’s what the alert says:

The Warning message is:

sophos antivirus – The Anti-Virus database on this system is expired.  Although the system will continue to scan for existing viruses, new virus updates will no longer be available.  Please run avupdate to update to the latest engine immediately.  Contact Cisco IronPort Customer Support if you have any questions.

Current Sophos Anti-Virus Information:

SAV Engine Version      4.97

IDE Serial              2014051602

Last Engine Update      Thu May 15 15:23:44 2014

Last IDE Update         Fri May 16 05:10:47 2014

Last message occurred 261 times between Fri May 16 07:10:43 2014 and Fri May 16 07:30:56 2014.

Now, I know that the feature key for Sophos Anti-Virus is valid for another couple of years (you can actually check that by logging in to your ESA’s GUI -> System Administration -> Feature Keys and verifying Feature Keys for your appliance), so the alert was completely misleading. After contacting Cisco TAC about the issue, we had a confirmation that the problem is on their end and that it will be resolved automatically once the Sophos engine is updated to version 4.97 (via regular download to the appliance). No customer action is required. Cisco has actually released an advisory on their Support Community page about this issue, which you can read here:

Things happen. We’ll be patient.
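A triage check for this kind of alert, as an added example (not from the original post or from Cisco): it parses the alert fields quoted above and compares the last IDE update with the time the alert first fired, to tell an appliance that has stopped pulling updates from one that updated hours earlier, as here. The 24-hour threshold and the verdict names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Field lines copied from the alert quoted in the post.
ALERT = """\
SAV Engine Version      4.97
IDE Serial              2014051602
Last Engine Update      Thu May 15 15:23:44 2014
Last IDE Update         Fri May 16 05:10:47 2014
Last message occurred 261 times between Fri May 16 07:10:43 2014 and Fri May 16 07:30:56 2014.
"""

TS = "%a %b %d %H:%M:%S %Y"
FIELD = re.compile(
    r"^(SAV Engine Version|IDE Serial|Last Engine Update|Last IDE Update)"
    r"[ \t]{2,}(.+?)[ \t]*$", re.M)
WINDOW = re.compile(
    r"occurred (\d+) times between (.+?) and (.+?)\.[ \t]*$", re.M)


def parse_alert(text):
    """Extract version/update fields and the repeat window from an alert body."""
    info = dict(FIELD.findall(text))
    for key in ("Last Engine Update", "Last IDE Update"):
        if key in info:
            info[key] = datetime.strptime(info[key], TS)
    m = WINDOW.search(text)
    if m:
        info["count"] = int(m.group(1))
        info["first_seen"] = datetime.strptime(m.group(2), TS)
        info["last_seen"] = datetime.strptime(m.group(3), TS)
    return info


def triage(text, max_age=timedelta(hours=24)):
    """Classify an 'expired' alert by how old the last IDE update was when it fired.

    max_age is an assumed threshold, not a Cisco or Sophos value.
    """
    info = parse_alert(text)
    if {"Last IDE Update", "first_seen"} - info.keys():
        return "unparsed", None
    age = info["first_seen"] - info["Last IDE Update"]
    if age < timedelta(0):
        return "clock-skew", age       # update stamped after the alert: check appliance time
    if age <= max_age:
        return "updates-current", age  # updater works: check feature key and vendor advisories
    return "updates-stalled", age      # no recent update: check connectivity to update servers
```

For the alert in the post, `triage(ALERT)` reports that the IDE update landed just under two hours before the first alert, which points away from a stalled updater.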

Confirmed Vulnerabilities in Cisco WRF and ARF Players

Cisco has issued a new Security Advisory confirming vulnerabilities in its WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. WebEx Business Suite (cloud) clients should upgrade their WebEx software client to the latest version. The following client builds of Cisco WebEx Business Suite (WBS27, WBS28, WBS29) and Cisco WebEx 11 correct these vulnerabilities:

  • Cisco WebEx Business Suite (WBS29) client builds T29.2 or later
  • Cisco WebEx Business Suite (WBS28) client builds T28.12 or later
  • Cisco WebEx Business Suite (WBS27) client builds T27TLSP32EP16 (27.32.16) or later
  • Cisco WebEx 11 version 1.2.10 with client builds T28.12 or later
  • Cisco WebEx Meetings Server client builds or later

Client builds of the Cisco WebEx Business Suite prior to T27 SP32 have reached end of support; to obtain fixed software please upgrade to the latest version.

Cisco WebEx Meetings Servers (on-prem) clients should upgrade to version 2.0 or later (the most current version is 2.0 MR3).

To read the full Security Advisory go to

A Few Words About Directory Integration in CWMS

If your organization uses Cisco WebEx Meetings Server with AD directory and AD authentication and you have configured the Directory Integration according to the CWMS Administration Guide, you may be due for a surprise within a few months of initial configuration with a number of users being turned inactive. “But why?!” you ask. Remember that setting about password aging that supposedly does not apply to AD authenticated users? I’m talking about this one:


Well, turns out that if initially synchronized users did not log in to CWMS within the default 180 days, their accounts get deactivated. Naturally, one would want to re-activate the accounts and, if you are dealing with a large number of users, you would almost always choose to activate in bulk using a CSV file. A word of caution here: activating a large number of users with CSV import also triggers the AD Activation Email to be sent out to all enabled users (even if the option to automatically notify users is unchecked under Users -> Directory Integration):


You may want to modify the AD Activation Email template (found under Settings -> Email -> Templates) or, if you prefer WebEx Meetings Server not to reach out to end users, configure a Hub Transport rule on your Exchange server to automatically discard or redirect messages with “Action Required: Activate account” in the Subject line. Which is precisely what I have done:

[PS] C:\>New-TransportRule -Name "Disable CWMS AD Activation Email" -SubjectOrBodyContainsWords "Action Required: Activate account" -FromAddressContainsWords "" -Comments "This rule disables AD Activation email from Cisco WebEx Meetings Server" -Enabled $true

Name                                               State    Priority Comments
----                                               -----    -------- --------
Disable CWMS AD Activation Email                   Enabled  10       This rule disables AD Activation email from Cis...

I am not sure if disabling the password aging policy would prevent the active accounts from going inactive after 180 days (or some other value if different from default), but I recommend disabling the supposedly inapplicable password aging policy anyway.

Heartbleed and Vulnerabilities Discovered in Cisco UC Line

You can’t look anywhere these days without seeing news about Heartbleed – the new vulnerability discovered in OpenSSL 1.01/1.02. Vendors frantically started releasing security patches to fix affected applications, and Cisco was no exception. From the list of affected products, the following fall under the UC domain:

Yup, pretty much 90% of affected products were Voice, Video and Conferencing related (click here to see the full list).

Our own vulnerability scanner discovered that Cisco Jabber Guest (EAP 7) is also vulnerable, so if you, like myself, are a member of the privileged Collaboration User Group and participate in the Cisco Jabber Guest Beta trial, make sure that you minimize your risk exposure by controlling access to the Jabber Guest server until the update/patch becomes available.

Stay tuned and keep safe!