
HOWTO: How do I check that MailMarshal (SEG) is updating correctly?



This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

  • How do I check that web updates are working?
  • Is SpamCensor up to date?
  • Is SpamProfiler up to date?
  • Is the Blended Threats Module (BTM) up to date?
  • Are virus signatures up to date?
  • Is my IP Reputation Service license up to date?
  • What websites must be allowed through a firewall for updates to work?

Information:

To check that the MailMarshal (SEG) product automatic updates are working, see the relevant sections below.
Note that the URLs may map to dynamic IP addresses. It is not possible to give a definitive list of IP addresses.

  • For troubleshooting notes see the end of this article

All update functions and TLS - Certificate issues

If service logs show errors related to SSL certificates, your server may be lacking a required SSL Root Certificate (CA Certificate) needed to verify the server certificate. Also, using a proxy server with HTTPS content inspection could cause issues.
  • Sample error:
    SSL certificate problem, verify that the CA cert is OK.
    Details: error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  • For a resolution, see Trustwave Knowledge Base article Q13703.
  • Note also that you must allow HTTP access to Certificate Revocation List servers so that SSL certificates can be validated. For TLS, this requires access via HTTP (port 80) from processing nodes to all certificate authority sites.

Spam Censor

[Updated by the MailMarshal Array Manager service]

The Spam Censor Updates run under the Array Manager Service on the Array Manager server, and they require HTTP and HTTPS access.  To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access).

Required URLs are:

  • HTTP://www.marshal.com
  • HTTPS://www.marshal.com
  • HTTPS://cdn-updates.marshal.com
    • This URL is hosted on Microsoft Azure CDN. IP addresses may change. IP addresses can be retrieved using the "Front Door" tag in Microsoft Azure IP Ranges and Service Tags.

If updates are not succeeding, particularly with a proxy, you may need to run the Array Manager service using a Windows account with administrative privilege and proxy permissions.  

To check that updates are successful, see the Configurator (MailMarshal Properties > Automatic Updates).   You can check that the SpamCensor updates are current by clicking Check for Updates Now.

See also:

  • Q11718, Why do SpamCensor updates fail?
  • Q11998, 403 Access Forbidden: Product Key or Maintenance is not current.
  • Q14242, 410 Updates are no longer provided for this product version.
    • Updates are no longer provided for most releases below 8.0.

SpamProfiler

This information applies to all supported MailMarshal versions.

[Updated by MailMarshal SpamProfiler Process]

The Array Manager checks daily to verify licensing of this service. The required URL is https://mailmarshal.licensing.marshal.com/

  • You can check licensing activity by searching the MMArrayManager log (located in the \Logging folder of the installation).

SpamProfiler updates are retrieved by services running on the MailMarshal processing servers (in an array, each server updates separately). To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

Required URLs are: 

  • HTTP://sigupdates.marshal.com
  • HTTPS://sigupdates.marshal.com
  • HTTP://pki.cloudmark.com/
  • HTTPS://pki.cloudmark.com/
  • HTTP://lvc.cloudmark.com/
  • HTTPS://lvc.cloudmark.com/
  • HTTP://tracks.cloudmark.com/
  • HTTPS://tracks.cloudmark.com/
  • HTTPS access to the following network range: 208.83.136.0/22

NOTE: As of February 2024, HTTPS is the default protocol. If you use a proxy server that inspects HTTPS content (such as WebMarshal), you should bypass the proxy for all the above URLs. SpamProfiler licensing and updates will fail if proxy SSL certificates are used.
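
To see which certificate a processing node is actually handed for the SpamProfiler endpoints (an inspecting proxy shows up as an unexpected issuer or a validation error), the following PowerShell is an added example, not Trustwave code. It assumes the node connects directly, as the note above recommends, and uses only the host names listed above; the function name is hypothetical.

```powershell
# Added example: hosts are the SpamProfiler HTTPS endpoints listed in this article.
# Assumes a direct connection from the processing node (proxy bypassed).
$updateHosts = 'sigupdates.marshal.com', 'pki.cloudmark.com',
               'lvc.cloudmark.com', 'tracks.cloudmark.com'

function Get-TlsPresentedCert {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $script:policyErrors = $null
    # Record validation errors but let the handshake finish so the issuer can be read.
    # Diagnostic only: no request is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # TLS 1.2 is requested explicitly because older .NET Framework defaults may not offer it.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host             = $HostName
            Reachable        = $true
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            ValidationErrors = [string]$script:policyErrors   # 'None' when the chain is trusted
        }
    } catch {
        # TCP failure (firewall) or handshake failure ends up here.
        [pscustomobject]@{
            Host             = $HostName
            Reachable        = $false
            Issuer           = $null
            NotAfter         = $null
            ValidationErrors = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$updateHosts | ForEach-Object { Get-TlsPresentedCert -HostName $_ } | Format-List
```

Run it on each processing node, since each node updates separately. An issuer that names your own proxy or internal CA means HTTPS inspection is still in the path.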

You can check that SpamProfiler is updating by viewing the MMReceiver or MMSpamProfiler log (located in the \logging folder of the installation).

You should see an entry like the following when you first enable SpamProfiler:

[MICROUPDATE] Successful auto configuration download from network (new serial xx.xx).

and subsequent updates like:

[MICROUPDATE] Successful signatures incremental download from network (new serial xxxxxxx.xxxxxxx)
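
The log check described above can be scripted. The following PowerShell is an added example, not Trustwave code: it counts successful [MICROUPDATE] downloads, reports the most recent serial, and counts SSL certificate errors. The sample lines are constructed; their timestamp prefix and serial values are assumptions, and the function name is hypothetical.

```powershell
# Added example. Sample lines are constructed: the timestamp prefix and the serial
# numbers are assumptions; only the message text is taken from this article.
$sample = @'
10:02:11.120 [MICROUPDATE] Successful auto configuration download from network (new serial 12.34).
10:07:45.003 [MICROUPDATE] Successful signatures incremental download from network (new serial 1234567.7654321)
10:12:45.871 SSL certificate problem, verify that the CA cert is OK.
10:17:46.310 [MICROUPDATE] Successful signatures incremental download from network (new serial 1234568.7654399)
'@ -split "`r?`n"

function Get-SpamProfilerUpdateStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Line)
    $okPattern  = '\[MICROUPDATE\] Successful (?<kind>.+?) download from network \(new serial (?<serial>[^)]+)\)'
    $tlsPattern = 'SSL certificate problem|certificate verify failed'
    $updates   = @()
    $tlsErrors = 0
    foreach ($l in $Line) {
        if ($l -match $okPattern) {
            # Keep every success in order so the last element is the newest entry.
            $updates += [pscustomobject]@{ Kind = $Matches['kind']; Serial = $Matches['serial'] }
        } elseif ($l -match $tlsPattern) {
            $tlsErrors++
        }
    }
    $last = if ($updates.Count -gt 0) { $updates[-1] } else { $null }
    [pscustomobject]@{
        SuccessfulDownloads = $updates.Count
        LastKind            = if ($last) { $last.Kind } else { $null }
        LastSerial          = if ($last) { $last.Serial } else { $null }
        TlsErrors           = $tlsErrors
    }
}

# Against the constructed sample:
Get-SpamProfilerUpdateStatus -Line $sample

# On a processing server, pass the lines of the MMSpamProfiler (or MMReceiver) log
# from the \logging folder of the installation instead, for example:
#   Get-SpamProfilerUpdateStatus -Line (Get-Content '<path to the MMSpamProfiler log>')
```

Zero successful downloads together with a non-zero TlsErrors count points to the certificate and proxy issues described earlier in this article.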

URL Categorizer Service 

[Check performed by the MailMarshal Engine service]

The URL Categorizer check requests are performed in real time by the Engine service on each SEG processing server. To set a proxy and proxy logon information if required, you can use the Configurator (Trustwave SEG Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

The default required URLs are: 

  • HTTP://tw-seg-urlcategorizer.cloudapp.net (Located in Americas region)
    • also known as urlcategorizer.seg.trustwave.com
  • HTTP://tw-seg-urlcategorizer-au.cloudapp.net/ (Located in APAC region)

Note that the SEG installation will select an instance based on geography and latency. All installations should have access to both instances.

You can choose to use HTTPS for these requests. See article Q20362.

Blended Threat Service 

[Licensing update by Array Manager service]

The Array Manager checks daily to verify licensing of this service.

The required URL is https://mailmarshal.licensing.marshal.com

  • Note: ALL installations of MailMarshal/SEG 7.1 and above perform this check. It is not limited to installations licensed for the Blended Threats service. Installations without the service still must check in order to determine whether a license has been added.
  • You can check licensing activity by searching the MMArrayManager log (located in the \logging folder of the installation).
  • In version 7.1, search for the string BTM Provisioning
  • In version 7.2 and above, search for the string Licensing

Testing and validation of URLs is performed in real time when the user clicks the URL.

  • URLs are checked through web request to the site scanmail.trustwave.com (from the user's browser)
  • Click statistics are retrieved through web request to the site stats.scanmail.trustwave.com (from the Array Manager)

Licensing/Maintenance display 
Marshal IP Reputation Service provisioning 

[Licensing update by Array Manager service]

The Array Manager checks daily to verify maintenance entitlement for the product, and checks as required for Marshal IP Reputation Service information.

The required URL is https://mailmarshal.licensing.marshal.com

  • You can check activity by searching the MMArrayManager log (located in the \Logging folder of the installation).
  • Search for the string Licensing or RBL Provisioning

Bitdefender for Marshal
McAfee For Marshal
Sophos For Marshal

[Updated by Marshal Bitdefender Updater, Marshal Sophos Updater, or Marshal McAfee Updater services]

These plug-ins update on each processing server. To set a proxy or local update location, use the configuration console for each application. You can check that updates are successful using the configuration console. Update information is also logged to text log files.

  • Note that the required URLs differ depending on the version installed

For details see the following articles:

Troubleshooting notes:

If SpamProfiler or Blended Threats (7.1 and above) is not updating as expected:

  • Verify the internet access settings in TWO locations, even for a single server installation:
    • MailMarshal Properties > Internet Access
    • Server and Array Configuration > Server Properties for the individual server > Internet access (Customize...)
  • The customized node setting overrides the main setting, even if you have only one server.

This access setting is also used for retrieval of Certificate Revocation Lists for TLS functionality (version 7.1 and above).

