Puremessage for UNIX erroring with "SOPHOS_SAVI_ERROR_OLD_VIRUS_DATA" - Update shows OUT OF DATE

Over the weekend we had an issue where our gateways (PMX6.3 on RHEL7) started rejecting all emails with the "SOPHOS_SAVI_ERROR_OLD_VIRUS_DATA" error when executing against the "Check for Viruses" and "Check for suspicious attachments" policy items.  The logging in the PMX_LOG reveals something like this:

2017-08-05T00:50:33 [32729,Sophos-SAVI,SAVI.pm:46] sophos: loading DATs from /opt/pmx6/etc/data/sophos/4: data v2017.8.1.5380001, engine v3.68, SAV v5.38, released 2017/04/04: OUT OF DATE

Virus definitions appear to be of the latest version, but out of date.  Insert confused face here......

This issue occurred back in March and ended up being an issue with the Sophos released update.  It was identified (thank you browser history) under https://community.sophos.com/kb/en-us/126168 but has since been removed.

  • Quick update - Latest definition has been applied (2017.8.6.5400002) which shows the following in the logs:

    2017-08-07T12:17:09 [28601,Sophos-SAVI,SAVI.pm:46] sophos: loading DATs from /opt/pmx6/etc/data/sophos/2 (was 4): data v2017.8.6.5400002, engine v3.68, SAV v5.40, released 2017/05/30

    So it looks like Sophos have updated the "released" date in the latest definitions, but have only increased it by 8 weeks.  Why??  Essentially, if this series of events repeats itself without Sophos updating the package again, this issue will re-occur on the 30th September.

  • Hello Brian, 

    SOPHOS_SAVI_ERROR_OLD_VIRUS_DATA indicates that your virus Engine is out of date.

    Could you please provide the output of the following commands:

    • su - pmx6
    • wget -c pmx-dynamic.sophos.com/.../IQ.en
    • ppm set
    • ppm verify --upgrade PureMessage-Sophos-Engine --force
    • ppm verify --upgrade PureMessage-Sophos-Data --force

    Explanation: 

    1. Change to the pmx user (do not forget the - sign)
    2. Try to download IQ.en from the repository
    3. Display the PMX repository set in the product
    4. Force an upgrade of both packages, Engine and Data
  • In reply to LEFBE:

    Thanks for the response.  I ended up logging a case through Sophos Support.

    Updating to the newer definition file did correct the error (even though the previous definitions were only a couple of days old), but it appears that your coders/developers are writing another date into the definition file which is what the program is looking at to determine definition validity within 120 days.

    For example - The virus definitions that we were running, dated 1st August 2017 (v2017.8.1.5380001) have a "released date" of 2017/04/04.  The updated definitions we obtained on Monday, dated 6th August 2017 (v2017.8.6.5400002) have a "released date" of 2017/05/30.

    What I'm saying is that even though the version date is being incremented, if your programmers forget to update the "released date" this problem is going to reoccur 120 days after the 30th May 2017, specifically around the 30th September 2017.

    The issue is resolved now, but it looks like there is an underlying coding/configuration issue at Sophos that has caused this, which should be investigated and corrected.
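
A monitoring check built on the log lines quoted in this thread, as an added example that is not part of the original posts and is not Sophos code: it parses the "loading DATs" line and reports how many days remain before the "released" date ages out. The 120-day window comes from the poster's description and the exact day counting is an assumption; the function names, the 14-day warning margin and the third sample line are constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta

MAX_AGE_DAYS = 120  # window described in the thread; exact counting rule is an assumption

# Shape of the "loading DATs" lines quoted in the thread.
DAT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ \[[^\]]*Sophos-SAVI[^\]]*\] sophos: loading DATs"
    r" from .*?: data v(?P<data>[\d.]+), engine v[\d.]+, SAV v[\d.]+,"
    r" released (?P<released>\d{4}/\d{2}/\d{2})(?P<flag>: OUT OF DATE)?\s*$"
)

# First two lines are the ones posted in the thread; the third is constructed.
SAMPLE_LOG = [
    "2017-08-05T00:50:33 [32729,Sophos-SAVI,SAVI.pm:46] sophos: loading DATs from /opt/pmx6/etc/data/sophos/4: data v2017.8.1.5380001, engine v3.68, SAV v5.38, released 2017/04/04: OUT OF DATE",
    "2017-08-07T12:17:09 [28601,Sophos-SAVI,SAVI.pm:46] sophos: loading DATs from /opt/pmx6/etc/data/sophos/2 (was 4): data v2017.8.6.5400002, engine v3.68, SAV v5.40, released 2017/05/30",
    "2017-08-07T12:17:10 [28601,constructed] unrelated constructed line",
]

def parse_dat_line(line):
    """Return a dict for a 'loading DATs' line, or None for any other line."""
    m = DAT_LINE.match(line.strip())
    if not m:
        return None
    return {
        "logged": datetime.strptime(m["ts"], "%Y-%m-%d").date(),
        "data": m["data"],
        "released": datetime.strptime(m["released"], "%Y/%m/%d").date(),
        "flagged": m["flag"] is not None,  # engine itself reported OUT OF DATE
    }

def assess(entry, today, warn_days=14):
    """Return (status, expiry date, days remaining) for one parsed entry."""
    expires = entry["released"] + timedelta(days=MAX_AGE_DAYS)
    remaining = (expires - today).days
    if entry["flagged"] or remaining < 0:
        return "EXPIRED", expires, remaining
    return ("WARN" if remaining <= warn_days else "OK"), expires, remaining

def latest_status(log_lines, today):
    """Assess the most recent 'loading DATs' line; None if the log has none."""
    entries = [e for e in map(parse_dat_line, log_lines) if e]
    return assess(entries[-1], today) if entries else None

if __name__ == "__main__":
    print(latest_status(SAMPLE_LOG, date.today()))
```

Run from cron against the PMX log, a WARN result gives advance notice that the "released" date is approaching the window even when the data version itself is current.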