
NEED HELP - "[19869] virus daemon error found in request" after License Update!

Hello Community, I need help immediately!

I updated the license for a Sophos SG450 running UTM 9.508-10. Licence now shows no more errors, but every web call fails with "Virus found - the web application firewall has found the following virus while downloading /: daemon error". We already use single engine scans with Avira. The only thing that helped was to disable av scans in the WAF.

The Log shows this: "2019:12:06-14:04:57 xxx.xxx httpd[19869]: [avscan:error] [pid 19869:tid 3734772592] [client xxx.xxx.xxx.xxx:35959] [19869] virus daemon error found in request /[...]
2019:12:06-14:04:57 xxx httpd: id="0299" srcip="xxx.xxx.xxx.xxx" localip="xxx.xxx.xxx.xxx" size="203" user="-" host="xxx.xxx.xxx.xxx" method="GET" statuscode="403" reason="av" extra="virus daemon error found" exceptions="-" time="10300" url="[...]" server="serveradress.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACT""

(masked for privacy reasons)

What is causing this?

Any help is much appreciated!

  Markus



  • Hi!

    Two more things I found out.

    First: the new license got sandstorm whereas the old didn't.

    Second: following can be seen in the fallback.log:

    2019:12:06-14:04:56 xxx.xxx [daemon:info] irqd[7350]:  rebalance started (every 5 sec)
    2019:12:06-14:04:56 xxx.xxx [daemon:notice] sandbox_reportd.plx[7316]:  [SANDBOX-REPORTD] Starting up
    2019:12:06-14:04:56 xxx.xxx [daemon:notice] sandbox_reportd.plx[7316]:  [SANDBOX-REPORTD] Reloaded configuration
    2019:12:06-14:04:56 xxx.xxx [daemon:info] cssd[7290]:  [     (nil)] avira_init (avira.c:79) failed to load Avira engine: aviraglue_init() failed to initialize SAVAPI: VDF file crc failed
    2019:12:06-14:04:56 xxx.xxx [daemon:info] cssd[7290]:  [     (nil)] main (cssd.c:434) virus scanner initialization finished
    2019:12:06-14:04:58 xxx.xxx [daemon:notice] sandbox_reportd.plx[7465]:  [SANDBOX-REPORTD] Starting up
    2019:12:06-14:04:58 xxx.xxx [daemon:notice] sandbox_reportd.plx[7465]:  [SANDBOX-REPORTD] Reloaded configuration

    Can the sandstorm feature break Avira? And how can I restart the Avira engine (I think this might solve the issue)?

    Many thanks in advance!

      Markus

     
  • Hello Markus,

    Not sure how to restart Avira, but you might check for an update for it.  As root at the command line:

    audld.plx  --mode=avira3

    This might have to do with cssd instead of Avira.  Is either eating up resources in top?

    Please come back and tell us what Sophos Support had to say about this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi All!

    Sorry for the late reply - we have been quite busy.

    The UTM mentioned does not belong to us but to one of our customers. I am not involved in the support process with Sophos and I do not have any support contact details, so I do not correspond with Sophos support. Therefore I cannot say what Sophos would say about this topic, sorry.

    I changed the AV scan engine to Sophos, but that did not help. The error now was

    14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:407) starting up...
    14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] read_config (cssd.c:116) reading config
    14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:428) initializing Sophos virus scanner engine
    14:42:58 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d]
    14:42:58 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting
    14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] main (cssd.c:407) starting up...
    14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] read_config (cssd.c:116) reading config
    14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] main (cssd.c:428) initializing Sophos virus scanner engine
    14:43:13 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d]
    14:43:13 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting
    14:43:42 xxx-xxx-xxx [daemon:info] cssd[6406]:  [     (nil)] main (cssd.c:407) starting up...

    and so on in the fallback-log.

    However, after I changed back to Avira it seems to work!

    We have this now active - with Avira, without errors - for one of the testing websites and will activate it for production at the next maintenance window (since we are not allowed to have those websites go down in case it still does not work).

    Thanks all for your help and replies!

      Markus

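The WAF log line in the first post (statuscode="403" reason="av" extra="virus daemon error found") and the cssd lines in the fallback.log excerpts above (the Avira "VDF file crc failed" and the Sophos SAVI "split-virus data set could not be located" errors) are two halves of the same symptom: the scanner daemon never initialised, so the WAF denies every request it cannot scan. The following script is an added example, not part of this thread or of Sophos UTM; it parses both log formats and ties each WAF "daemon error" denial to the most recent engine initialisation failure before it. The sample log lines are constructed from the masked excerpts in the thread (IPs, hostnames and the Sophos-engine timestamps are placeholders), and the five-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread's masked excerpts (addresses are placeholders).
WAF_LOG = """\
2019:12:06-14:04:57 utm httpd: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="203" user="-" host="198.51.100.7" method="GET" statuscode="403" reason="av" extra="virus daemon error found" exceptions="-" time="10300" url="/" server="www.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACT"
2019:12:06-14:05:01 utm httpd: id="0299" srcip="198.51.100.8" localip="192.0.2.10" size="512" user="-" host="198.51.100.8" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="120" url="/index.html" server="www.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACU"
"""

# Constructed fallback.log lines; the date on the Sophos-engine lines is assumed (the thread shows only the time).
FALLBACK_LOG = """\
2019:12:06-14:04:56 utm [daemon:info] cssd[7290]:  [     (nil)] avira_init (avira.c:79) failed to load Avira engine: aviraglue_init() failed to initialize SAVAPI: VDF file crc failed
2019:12:06-14:04:56 utm [daemon:info] cssd[7290]:  [     (nil)] main (cssd.c:434) virus scanner initialization finished
2019:12:06-14:42:58 utm [daemon:info] cssd[6043]:  [     (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d]
2019:12:06-14:42:58 utm [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting
"""

TS_FORMAT = "%Y:%m:%d-%H:%M:%S"          # UTM log timestamp, e.g. 2019:12:06-14:04:57
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs of the WAF httpd log
# The two engine initialisation failures quoted in the thread; group 1 = cssd pid, group 2 = reason text.
ENGINE_FAIL_RE = {
    "avira": re.compile(r"cssd\[(\d+)\].*failed to load Avira engine: (.*)$"),
    "sophos": re.compile(r"cssd\[(\d+)\].*Failed to initialise SAVI engine: (.*)$"),
}


def parse_ts(line):
    """Timestamp is the first whitespace-separated token of every UTM log line."""
    return datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)


def parse_waf_line(line):
    """Turn one WAF httpd log line into a dict of its key="value" fields plus a parsed timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = parse_ts(line)
    return fields


def waf_daemon_errors(log_text):
    """Requests the WAF denied because the scanner daemon failed (not because a virus was found)."""
    hits = []
    for line in log_text.splitlines():
        if " httpd: " not in line:
            continue
        f = parse_waf_line(line)
        if f.get("reason") == "av" and "daemon error" in f.get("extra", ""):
            hits.append(f)
    return hits


def engine_init_failures(log_text):
    """cssd engine initialisation failures from fallback.log, for either AV engine."""
    failures = []
    for line in log_text.splitlines():
        for engine, rx in ENGINE_FAIL_RE.items():
            m = rx.search(line)
            if m:
                failures.append({"ts": parse_ts(line), "engine": engine,
                                 "pid": int(m.group(1)), "reason": m.group(2).strip()})
    return failures


def correlate(waf_log, fallback_log, window=timedelta(minutes=5)):
    """Attach to each WAF daemon-error denial the latest engine failure within `window` before it."""
    denials = waf_daemon_errors(waf_log)
    failures = engine_init_failures(fallback_log)
    correlated = []
    for d in denials:
        prior = [f for f in failures if f["ts"] <= d["ts"] and d["ts"] - f["ts"] <= window]
        cause = max(prior, key=lambda f: f["ts"]) if prior else None
        correlated.append({"ts": d["ts"], "srcip": d.get("srcip"), "url": d.get("url"), "cause": cause})
    return {"daemon_error_requests": len(denials), "engine_failures": failures, "correlated": correlated}


if __name__ == "__main__":
    report = correlate(WAF_LOG, FALLBACK_LOG)
    print(f"{report['daemon_error_requests']} request(s) denied because the scanner daemon failed")
    for item in report["correlated"]:
        cause = item["cause"]
        why = f"{cause['engine']} pid {cause['pid']}: {cause['reason']}" if cause else "no engine failure in window"
        print(f"{item['ts']} {item['srcip']} {item['url']} <- {why}")
```

The point of the correlation is triage: a reason="av" denial whose extra field names a virus is a detection, while extra="virus daemon error found" means the scanner was unreachable and the WAF failed closed, as every request did in this thread. Running the script over a real WAF log and fallback.log (both are plain text on the UTM) separates the two cases and shows which engine and cssd process failed just before the denials started.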
  • Very interesting, Markus.  Since switching from/to Avira seemed to fix your issue, I wonder if rebuilding the PostgreSQL databases would have resolved this.  Could you ask your support person that dealt with this issue to ask Sophos Support that question?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    I'm really sorry for the late reply.

    On the topic: I'm afraid nobody contacted Sophos support, since

    1. the aforementioned action solved the issue and
    2. the UTM was replaced soon afterwards anyway

    The latter was planned a couple of weeks ago, to replace the single SG450 with an SG310 cluster. So no one looked into this after that. But in the days between the issue and the replacement of the UTM it was very important to get the problem resolved, and we are glad that switching the AV engines helped.

    Thanks everyone!

    Markus
