This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[SAV-LINUX] Scan error '1/0x4021a' detected on server

I have a Centos 7 system running Samba 4 and Sophos Anti virus for Linux.

When a large file is downloaded directly on the samba folder from a Windows client, Sophos generates tens (or hundreds, if I download a very large file) of equal messages similar to the one bellow:

An error classified as '1/0x4021a' was detected in the file 
'/folder/file.zip-{ae54f372-8e1c-4c6e-ae48-a8481046e0b7}.dtapart'
when closing it at Wed May 3 16:06:36 2017 -03 -0500 (2017-05-03 19:06:36 UTC).
Access to the file was allowed.

Of course the file was not corrupt and all that happened was that the file was still being downloaded when Sophos AV started to scan it and noticed that the file changed while doing so. Sophos sends so many e-mails reporting this non-sense false positive that I am going to uninstall it if I do not find a solution.
I only found the possibility to send all mails or none at all, and this is not acceptable because I must be informed of real viruses in the system.


Is there a way to set Sophos to not send those false positive mails?
Is there a way to report this to Sophos for them to fix the issue?



This thread was automatically locked due to age.
Parents
  • Hello Hilario Silveira,

    please see section 11.3.8 in the Configuration Guide on how to turn off these emails.

    in a reply just stated the meaning of this error but didn't otherwise comment on it. AFAIK scans aren't triggered on open files, so "something" seems to close and reopen them. It's not at all a false positive, BTW, a scanning error is quite a different type of alert. It's clearly a nuisance here but OTOH it doesn't seem to be a common issue. Guess Windows clients saving to SAMBA 4 shares isn't an exotic setup and there are likely some servers with Sophos (and On-Access enabled). Either they've all followed 11.3.8.

    Christian

Reply
  • Hello Hilario Silveira,

    please see section 11.3.8 in the Configuration Guide on how to turn off these emails.

    in a reply just stated the meaning of this error but didn't otherwise comment on it. AFAIK scans aren't triggered on open files, so "something" seems to close and reopen them. It's not at all a false positive, BTW, a scanning error is quite a different type of alert. It's clearly a nuisance here but OTOH it doesn't seem to be a common issue. Guess Windows clients saving to SAMBA 4 shares isn't an exotic setup and there are likely some servers with Sophos (and On-Access enabled). Either they've all followed 11.3.8.

    Christian

Children
  • I had already read the mentioned post. I decided for a new thread because it is more than 2 years old by now. Also there is no answer for the reason of the generated error message.

    I also read again the mentioned Sophos manual, but as far as I could understand it only has a setting to send mails or not send mails.

    That configuration is extremely basic and it does not cover the mentioned case of false positives (or reports before the end of the file download).

    I need to receive mails regarding virus. But I do not want to receive tons of mails when a large file is being downloaded.

    Please enlighten me if I missed the correct configuration.

  • Is there a way to report this a bug (or feature request, if one doesn't accept this as bug) ?

  • Hello Hilario Silveira,

    mails regarding virus vs. tons of mails
    maybe I should have emphasized the difference between detection and error. The latter tells you that a scan was not completed or even couldn't be started. Please note 11.3.7-11.3.9 let you configure SendThreatEmail (detection), SendErrorEmail (scanning error), and  EmailDemandSummaryIfThreat individually. Enabling the first and disabling the second should give the result you want.

    and BTW

    Have a cool product idea or improvement?

    We'd love to hear about it! Click here to go to the product suggestion community

    Christian

  • It looks like that this will solve the problem.

    Thanks for the help.