NEED HELP - "[19869] virus daemon error found in request" after License Update!

Question

Hello Community, I need help immediately! 
 I updated the license for a Sophos SG450 running UTM 9.508-10. Licence now shows no more errors, but every web call fails with "Virus found - the web application firewall has found the following virus while downloading /: daemon error". We already use single engine scans with Avira. The only thing that helped was to disable av scans in the WAF. 
 The Log shows this: "2019:12:06-14:04:57 xxx.xxx httpd[19869]: [avscan:error] [pid 19869:tid 3734772592] [client xxx.xxx.xxx.xxx:35959] [19869] virus daemon error found in request /[...] 2019:12:06-14:04:57 xxx httpd: id="0299" srcip="xxx.xxx.xxx.xxx" localip="xxx.xxx.xxx.xxx" size="203" user="-" host="xxx.xxx.xxx.xxx" method="GET" statuscode="403" reason="av" extra="virus daemon error found" exceptions="-" time="10300" url="[...]" server="serveradress.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACT"" 
 (masked for privacy reasons) 
 What is causing this? 
 Any help is much appreciated! 
 Markus

Markus Quirmbach · Accepted Answer

Hi All! 
 Sorry for the late reply - we have been quite busy. 
 The UTM mentioned does not belong to us but to one of our customers. I am not involved in the support process with Sophos and I do not have any support contact details, so I do not correspondent with the Sophos support. Therefore I cannot say what Sophos would say about this topic, sorry. 
 I changed the AV Scan Engine to Sophos, but that did not help. The Error now was 
 14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]: [ (nil)] main (cssd.c:407) starting up... 14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]: [ (nil)] read_config (cssd.c:116) reading config 14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]: [ (nil)] main (cssd.c:428) initializing Sophos virus scanner engine 14:42:58 xxx-xxx-xxx [daemon:info] cssd[6043]: [ (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d] 14:42:58 xxx-xxx-xxx [daemon:info] cssd[6043]: [ (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting 14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]: [ (nil)] main (cssd.c:407) starting up... 14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]: [ (nil)] read_config (cssd.c:116) reading config 14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]: [ (nil)] main (cssd.c:428) initializing Sophos virus scanner engine 14:43:13 xxx-xxx-xxx [daemon:info] cssd[6144]: [ (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d] 14:43:13 xxx-xxx-xxx [daemon:info] cssd[6144]: [ (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting 14:43:42 xxx-xxx-xxx [daemon:info] cssd[6406]: [ (nil)] main (cssd.c:407) starting up... 
 and so on in the fallback-log. 
 However, after I changed back to Avira it seems to work! 
 We have this now active - with Avira, without errors - for one of the testing websites and will activate it for production at the next maintenance window (since we are not allowed to have those websites get down in the case it still would not work). 
 Thanks all for your help and replies! 
 Markus