
MRA threat feeds have stopped working at all MRA customers

So since last Friday (October 25th) all threat feed downloads in MRA fail for ALL customers' environments. I received a notification yesterday from McAfee that the IP address for MRA has changed. I believe this has something to do with it.

Things I checked:

  • nslookup on dnsname resolves to correct ip address.
  • restarted epo services, no luck.
  • some customers use a proxy, some not.

Orion gives these errors during threat feed downloads:

Orion.log

2013-10-29 10:09:44,182 ERROR [mfs:pool-1-thread-9] connector.MTISServiceHandler  - Unable to download threat data.
com.mcafee.carma.mtis.connector.ConnectorException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
     at com.mcafee.carma.mtis.connector.MTISThreatFeed.query(Unknown Source)
     at com.mcafee.carma.mtis.connector.MTISThreatFeed.getThreats(Unknown Source)
     at com.mcafee.carma.mtis.connector.MTISServiceHandler.start(Unknown Source)
     at com.mcafee.carma.mtis.connector.MTISServiceHandler.service(Unknown Source)
     at com.mcafee.carma.mtis.connector.ConnectorCommandBase.invoke(Unknown Source)
     at com.mcafee.carma.mtis.connector.MTISThreatFeedCommand.invoke(Unknown Source)
     at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:989)
     at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:762)
     at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:751)
     at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:723)
     at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:289)
     at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:314)
     at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:230)
     at com.mcafee.orion.scheduler.chainable.Chain.invoke(Chain.java:42)
     at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:989)
     at com.mcafee.orion.core.cmd.CommandInvoker$AsyncCommandRunner.call(CommandInvoker.java:900)
     at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
     at java.util.concurrent.FutureTask.run(FutureTask.java:138)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
     at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
     at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
     at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:650)
     at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
     at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(MustUnderstandChecker.java:62)
     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:173)
     at org.apache.axis.client.Call.invokeEngine(Call.java:2719)
     at org.apache.axis.client.Call.invoke(Call.java:2702)
     at org.apache.axis.client.Call.invoke(Call.java:2378)
     at org.apache.axis.client.Call.invoke(Call.java:2301)
     at org.apache.axis.client.Call.invoke(Call.java:1758)
     at com.mcafee.carma.mtis.connector.wsclient.ServiceSoapStub.query(Unknown Source)
     ... 21 more
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
     at com.rsa.sslj.x.au.d(Unknown Source)
     at com.rsa.sslj.x.ac.a(Unknown Source)
     at com.rsa.sslj.x.ac.b(Unknown Source)
     at com.rsa.sslj.x.ac.b(Unknown Source)
     at com.rsa.sslj.x.ak.read(Unknown Source)
     at java.io.BufferedInputStream.read1(BufferedInputStream.java:256)
     at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
     at java.io.FilterInputStream.read(FilterInputStream.java:116)
     at com.sun.org.apache.xerces.internal.impl.XMLEntityManager$RewindableInputStream.read(XMLEntityManager.java:2947)
     at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.read(UTF8Reader.java:299)
     at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(XMLEntityScanner.java:1742)
     at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.skipSpaces(XMLEntityScanner.java:1492)
     at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$TrailingMiscDriver.next(XMLDocumentScannerImpl.java:1397)
     at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
     at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
     at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
     at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
     at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
     at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
     at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:226)
     at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:645)
     ... 30 more

I can go to the URL configured in MRA using the server's Internet Explorer with no certificate errors, and I can manually download the zip from the server via IE, so there are no firewall or proxy issues.

When I try to connect to the url in MRA I get the following error:

Failed to connect to Threat Feed Server

Environments are MRA 2.7.2 and 2.7.1 (incl. hotfixes).

Anyone else with the same problems?

Message was edited by: robert_dearbytes on 10/29/13 7:14:13 AM CDT

Accepted Solutions

Re: MRA threat feeds have stopped working at all MRA customers

I escalated the issue with McAfee Platinum support and they found out that there was an issue with the server on their side. They sent out an SNS notice last Wednesday that the feed service was restored.

So the issue is now fixed for all customers of MRA.

2 Replies

Re: MRA threat feeds have stopped working at all MRA customers

Robert,

I am not sure if this will help or not.

=============

New IP Address for Risk Advisor Threat Feed Download Server

October 28, 2013

The Threat Feed download server for McAfee Risk Advisor has been changed to the following IP address: 


  • 161.69.65.70

Please note this will require the following changes:


  • Firewall rules and cached DNS entries may need to be updated to reflect the IP change.
  • You must access the Threat Feed by host name rather than by IP address. If an IP address is required, add an appropriate entry in the Windows hosts file. For example:

    161.69.65.70 threatfeed.mtis.mcafee.com.


Message was edited by: jgodfrey_kumc on 10/31/13 3:11:47 PM CDT

Message was edited by: jgodfrey_kumc on 10/31/13 3:11:55 PM CDT
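
A check for the situation the notice above describes, where a hosts-file entry pins the feed host name to an address. This is an added example, not code from the thread or from McAfee: it parses hosts-file text and flags entries for threatfeed.mtis.mcafee.com that do not point at 161.69.65.70. The sample hosts content and the old address 192.0.2.10 are constructed, and treating a trailing dot or different letter case as the same name is an assumption.

```python
FEED_HOST = "threatfeed.mtis.mcafee.com"   # host name from the notice
FEED_IP = "161.69.65.70"                   # address announced in the notice


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active entry in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop everything after '#', then split the rest on whitespace.
        entry = raw.split("#", 1)[0].split()
        if len(entry) >= 2:
            yield line_no, entry[0], entry[1:]


def audit_feed_pins(text, host=FEED_HOST, expected_ip=FEED_IP):
    """Return (line_no, ip, status) for every active entry naming the host."""
    findings = []
    want = host.lower().rstrip(".")
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            # Assumption: trailing dot and letter case do not change the name.
            if name.lower().rstrip(".") == want:
                status = "ok" if ip == expected_ip else "stale"
                findings.append((line_no, ip, status))
    return findings


# Constructed sample. 192.0.2.10 is a documentation address standing in
# for whatever address was pinned before the change.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
192.0.2.10      ThreatFeed.MTIS.McAfee.com   # pinned before the change
# 161.69.65.70  threatfeed.mtis.mcafee.com
161.69.65.70    threatfeed.mtis.mcafee.com.
"""

if __name__ == "__main__":
    for line_no, ip, status in audit_feed_pins(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {status}")
```

A "stale" finding means the hosts file overrides DNS with an address other than the announced one, so a correct nslookup result would not reflect what the server actually connects to.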
