
Virus name on detection

I miss the virus name when a virus is detected. I currently get in /etc/messages: "Possible Virus Detected - File ONTAP_ADMIN$\vol\** in share ** accessed by client 192.168.3.69 () running as user *.*** may be infected. The filer received status message Code 3, file is infected.  and error code [0x3] from vscan (anti-virus) server 192.168.103.43."
I searched in the event viewer and in the files on the console server without success; is the information somewhere?
Thank you.
Patrick



  • Hi,

    Sophos Anti-Virus for NetApp is version 3.0.0 running on Windows Server 2012. I'm not sure I understand what you mean by scanning server; we have a single server on which I installed all Sophos components ("Sophos Endpoint Security and Control" version 10.6 and the MMC console "Sophos Anti-Virus for NetApp" version 3.0.0).

    The NetApp filers are running OnTap 8.2.3 (7-Mode) and use fpolicy to connect to the scanning server.

    Thank you

    Patrick

  • Hi Patrick,

    Are you running a standalone version of Sophos Endpoint Security and Control, or is it managed by a Sophos Enterprise Console?

    If it is standalone have you configured the OnAccess settings for Sophos Endpoint Security and Control? What are the cleanup options?

    You should see events on the scanning server that is running Sophos, are you not?

    Anyway, SAV.txt in programdata\Sophos\Sophos Anti-Virus\logs is the best place to locate the data.

    Regards,

    Stephen

  • Hi Stephen,

    Thank you for looking at that.

    I guess I use a standalone version as I have no Enterprise Console around.

    The cleanup settings are: Clean automatically

    If cleanup fails, deny and move to: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

    Suspect files, deny and move to: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

    I do not see the events on the scanning server, as I have the feeling that "Sophos Endpoint Security and Control" is only used to run autoupdates...

    In SAV.txt I have events like (I translate because the log is in French; I guess the install used the regional settings):

    20160923 084725 Running version 5.31 of data detection (detection engine 3.64.3). This version detects 11947014 elements.

    or

    20160923 084229 Control of  "\\192.168.z.y\ONTAP_ADMIN$\vol\DATA\DATA\Something\Somethingelse.docx" returned a SAV error Interface 0xa0040212: File is crypted.

    Which is better as it shows a relation with the filer.

    But no entry about the detection; these entries are visible only on the filer in /etc/messages:

    Fri Sep 23 14:18:27 CEST [filer:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\Users\Thatguy\AppData\Roaming\Mozilla\Firefox\Profiles\uxe05pl8.default\sessionCheckpoints.json.tmp in share Shared$ accessed by client 192.168.x.y () running as user t.guy may be infected. The filer received status message Code 2, file is infected.  and error code [0x2] from vscan (anti-virus) server 192.168.z.y.

    Thank you for your help

    Patrick

  • Hi Patrick,

    It will be worth doing some testing to make sure things are working correctly; are you familiar with the EiCAR test string? http://www.eicar.org/86-0-Intended-use.html
    Copy the text string towards the bottom of the page and save it into a text file on the Sophos scanning server 192.168.z.y; depending on your settings you may need to make the file executable by changing the extension to .com or .exe.

    Sophos should detect the file and make entries in SAV.txt and the event viewer etc.

    Try the test again using ONTAP and see if that works in the same way

    Stephen

  • Done, and weird results:

    When I copy the file on the scanning server I get in SAV.txt:

    20160926 122635 File "C:\Tempo\EicarTest.txt" belongs to virus/spyware 'EICAR-AV-Test'.
    20160926 122636 The file "C:\Tempo\EicarTest.txt" was cleaned.
    20160926 122637 The virus/spyware 'EICAR-AV-Test' was deleted.

    When I copy it onto the filer I get in SAV.txt:

    20160926 123249 Virus/spyware 'EICAR-AV-Test' detected in '\\192.168.103.244\ONTAP_ADMIN$\vol\Echange\eicar - Copie.txt'. Cleaning impossible.
    20160926 123249 Infected file "\\192.168.103.244\ONTAP_ADMIN$\vol\\eicar - Copie.txt" moved in "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\eicar - Copie.txt.000".

    And the entries in /etc/messages on the filer:

    Mon Sep 26 14:32:49 CEST [stor04a:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\Echange\eicar - Copie.txt in share Echange accessed by client 192.168.3.41 () running as user s.user may be infected. The filer received status message Code 5, file is infected.  and error code [0x5] from vscan (anti-virus) server 192.168.103.43.

    I even tried with a real virus with the same results, so things seem to work normally.

    BUT I still have messages in /etc/messages like

    Mon Sep 26 11:18:45 CEST [stor04b:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\s.user\AppData\Roaming\Mozilla\Firefox\Profiles\t0310khb.default\sessionCheckpoints.json.tmp in share blabla$ accessed by client 192.168.3.43 () running as user s.user may be infected. The filer received status message Code 2, file is infected.  and error code [0x2] from vscan (anti-virus) server 192.168.103.43.

    with nothing coming up in SAV.txt

    The only difference I see is the code returned by the scanning server: 0x5 with EICAR and the real virus, and 0x2 with the failing ones. I realized that I missed information in my logs precisely because I was looking at what was wrong with the detections in Firefox profile files.

    Thank you

    Patrick

  • Hello Patrick,

    The return code 2 means that the file wasn't found; you can see them here: https://kb.netapp.com/support/s/article/how-to-determine-the-meaning-of-mcafee-vscan-errors

    All vendors use the same status codes used by the OnTap interface.

    Stephen

  • Thanks a lot,

    I can confirm that the messages are linked to temporary files, which makes sense with "file not found" (at least for my recently logged events). Sad that I did not find the document you linked myself...

    I'll configure my alerting system to ignore code 2 events.

    Again, thank you for your help.

    Patrick
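As an added example (not code from the thread, from Sophos or from NetApp), here is a small Python parser for the ONTAP 7-Mode vscan.virus.detected line quoted several times above, together with the code-2 suppression Patrick says he will configure in his alerting. The regex, the field names and the `triage` split are my own design; the only status-code meaning it encodes is code 2 = "file not found", which Stephen established via the NetApp KB article, and every other code is passed through to alerting unmapped. The sample lines are the three /etc/messages lines quoted in the thread plus one constructed non-vscan line; the parser also checks that the decimal "Code N" and the hex "[0xN]" on the same line agree, which is a cheap sanity test on a log format you are about to filter on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regex for the ONTAP 7-Mode "vscan.virus.detected" line as quoted from
# /etc/messages in this thread. The group names are my own choice, not ONTAP's.
VSCAN_RE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+) "
    r"\[(?P<filer>[^:\]]+):vscan\.virus\.detected:(?P<severity>\w+)\]: "
    r"CIFS: Possible Virus Detected - File (?P<path>.+?) in share (?P<share>\S+) "
    r"accessed by client (?P<client>\S+) \((?P<client_name>[^)]*)\) "
    r"running as user (?P<user>\S+) may be infected\. "
    r"The filer received status message Code (?P<code>\d+), (?P<status_text>.+?)\.\s+"
    r"and error code \[0x(?P<hex_code>[0-9a-fA-F]+)\] "
    r"from vscan \(anti-virus\) server (?P<server>\S+)\.$"
)


@dataclass
class VscanEvent:
    timestamp: str
    filer: str
    path: str
    share: str
    client: str
    user: str
    code: int          # decimal status code from "Code N"
    status_text: str   # the filer's own wording, e.g. "file is infected"
    server: str        # vscan (anti-virus) server that returned the status
    codes_agree: bool  # True when "Code N" and "[0xN]" carry the same value


# Meanings established in the thread: only code 2, from the NetApp KB article
# Stephen linked. Other codes are deliberately left unmapped here.
KNOWN_CODES = {2: "file not found"}

# Codes the alerting pipeline drops, per Patrick's decision above.
IGNORED_CODES = frozenset({2})


def parse_vscan_line(line: str) -> Optional[VscanEvent]:
    """Return a VscanEvent for a vscan.virus.detected line, or None for anything else."""
    m = VSCAN_RE.match(line.strip())
    if m is None:
        return None
    code = int(m["code"])
    return VscanEvent(
        timestamp=m["timestamp"],
        filer=m["filer"],
        path=m["path"],
        share=m["share"],
        client=m["client"],
        user=m["user"],
        code=code,
        status_text=m["status_text"],
        server=m["server"],
        codes_agree=(int(m["hex_code"], 16) == code),
    )


def describe_code(code: int) -> str:
    """Human-readable meaning, or a pointer to the KB article for codes not mapped here."""
    return KNOWN_CODES.get(code, "unmapped status code (check the NetApp KB article)")


def should_alert(event: VscanEvent) -> bool:
    """Keep every event except those whose status code is on the ignore list."""
    return event.code not in IGNORED_CODES


def triage(lines: List[str]) -> Tuple[List[VscanEvent], List[VscanEvent], List[str]]:
    """Split raw syslog lines into (alerts, suppressed events, unparsed lines)."""
    alerts: List[VscanEvent] = []
    suppressed: List[VscanEvent] = []
    unparsed: List[str] = []
    for line in lines:
        event = parse_vscan_line(line)
        if event is None:
            unparsed.append(line)
        elif should_alert(event):
            alerts.append(event)
        else:
            suppressed.append(event)
    return alerts, suppressed, unparsed


# Sample input: the three /etc/messages lines quoted in this thread, plus one
# constructed line with a made-up event name so the "not a vscan event" path is exercised.
SAMPLE_LINES = [
    r"Mon Sep 26 14:32:49 CEST [stor04a:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\Echange\eicar - Copie.txt in share Echange accessed by client 192.168.3.41 () running as user s.user may be infected. The filer received status message Code 5, file is infected.  and error code [0x5] from vscan (anti-virus) server 192.168.103.43.",
    r"Mon Sep 26 11:18:45 CEST [stor04b:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\s.user\AppData\Roaming\Mozilla\Firefox\Profiles\t0310khb.default\sessionCheckpoints.json.tmp in share blabla$ accessed by client 192.168.3.43 () running as user s.user may be infected. The filer received status message Code 2, file is infected.  and error code [0x2] from vscan (anti-virus) server 192.168.103.43.",
    r"Fri Sep 23 14:18:27 CEST [filer:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\Users\Thatguy\AppData\Roaming\Mozilla\Firefox\Profiles\uxe05pl8.default\sessionCheckpoints.json.tmp in share Shared$ accessed by client 192.168.x.y () running as user t.guy may be infected. The filer received status message Code 2, file is infected.  and error code [0x2] from vscan (anti-virus) server 192.168.z.y.",
    "Mon Sep 26 11:18:46 CEST [stor04b:constructed.other.event:info]: constructed filler line, not a vscan event",
]

if __name__ == "__main__":
    alerts, suppressed, unparsed = triage(SAMPLE_LINES)
    for ev in alerts:
        print(f"ALERT    code={ev.code} ({describe_code(ev.code)}) share={ev.share} user={ev.user} path={ev.path}")
    for ev in suppressed:
        print(f"SUPPRESS code={ev.code} ({describe_code(ev.code)}) path={ev.path}")
    print(f"{len(unparsed)} line(s) were not vscan.virus.detected events")
```

Run against the sample, the EICAR line (code 5) is kept as an alert while the two Firefox sessionCheckpoints.json.tmp lines (code 2) are suppressed; the `codes_agree` flag is there so that a line whose decimal and hex codes disagree can be routed to a human instead of being silently filtered, and `describe_code` returns a pointer to the KB article rather than a guessed meaning for any code the thread does not establish.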