NEED HELP - "[19869] virus daemon error found in request" after License Update!

Hello Community, I need help immediately!

I updated the license for a Sophos SG450 running UTM 9.508-10. The licence now shows no more errors, but every web call fails with "Virus found - the web application firewall has found the following virus while downloading /: daemon error". We already use single-engine scans with Avira. The only thing that helped was to disable AV scans in the WAF.

The Log shows this: "2019:12:06-14:04:57 xxx.xxx httpd[19869]: [avscan:error] [pid 19869:tid 3734772592] [client xxx.xxx.xxx.xxx:35959] [19869] virus daemon error found in request /[...]
2019:12:06-14:04:57 xxx httpd: id="0299" srcip="xxx.xxx.xxx.xxx" localip="xxx.xxx.xxx.xxx" size="203" user="-" host="xxx.xxx.xxx.xxx" method="GET" statuscode="403" reason="av" extra="virus daemon error found" exceptions="-" time="10300" url="[...]" server="serveradress.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACT""

(masked for privacy reasons)

What is causing this?

Any help is much appreciated!

  Markus

  • Hi!

    Two more things I found out.

    First: the new license got sandstorm whereas the old didn't.

    Second: the following can be seen in the fallback.log:

    2019:12:06-14:04:56 xxx.xxx [daemon:info] irqd[7350]:  rebalance started (every 5 sec)
    2019:12:06-14:04:56 xxx.xxx [daemon:notice] sandbox_reportd.plx[7316]:  [SANDBOX-REPORTD] Starting up
    2019:12:06-14:04:56 xxx.xxx [daemon:notice] sandbox_reportd.plx[7316]:  [SANDBOX-REPORTD] Reloaded configuration
    2019:12:06-14:04:56 xxx.xxx [daemon:info] cssd[7290]:  [     (nil)] avira_init (avira.c:79) failed to load Avira engine: aviraglue_init() failed to initialize SAVAPI: VDF file crc failed
    2019:12:06-14:04:56 xxx.xxx [daemon:info] cssd[7290]:  [     (nil)] main (cssd.c:434) virus scanner initialization finished
    2019:12:06-14:04:58 xxx.xxx [daemon:notice] sandbox_reportd.plx[7465]:  [SANDBOX-REPORTD] Starting up
    2019:12:06-14:04:58 xxx.xxx [daemon:notice] sandbox_reportd.plx[7465]:  [SANDBOX-REPORTD] Reloaded configuration

    Can the sandstorm feature break Avira? And how can I restart the Avira engine (I think this might solve the issue)?

    Many thanks in advance!

      Markus

  • In reply to Markus Quirmbach:

    Don't know how to restart Avira ... but try to use single-scan with Sophos ...

  • In reply to Markus Quirmbach:

    Hello Markus,

    Not sure how to restart Avira, but you might check for an update for it.  As root at the command line:

    audld.plx  --mode=avira3

    This might have to do with cssd instead of Avira.  Is either eating up resources in top?

    Please come back and tell us what Sophos Support had to say about this.

    Cheers - Bob

  • In reply to BAlfson:

    Hi All!

    Sorry for the late reply - we have been quite busy.

    The UTM mentioned does not belong to us but to one of our customers. I am not involved in the support process with Sophos and I do not have any support contact details, so I do not correspond with Sophos Support. Therefore I cannot say what Sophos would say about this topic, sorry.

    I changed the AV scan engine to Sophos, but that did not help. The error now was

    14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:407) starting up...
    14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] read_config (cssd.c:116) reading config
    14:42:57 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:428) initializing Sophos virus scanner engine
    14:42:58 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d]
    14:42:58 xxx-xxx-xxx [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting
    14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] main (cssd.c:407) starting up...
    14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] read_config (cssd.c:116) reading config
    14:43:12 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] main (cssd.c:428) initializing Sophos virus scanner engine
    14:43:13 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d]
    14:43:13 xxx-xxx-xxx [daemon:info] cssd[6144]:  [     (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting
    14:43:42 xxx-xxx-xxx [daemon:info] cssd[6406]:  [     (nil)] main (cssd.c:407) starting up...

    and so on in the fallback.log.

    However, after I changed back to Avira it seems to work!

    We now have this active (with Avira, without errors) for one of the test websites and will activate it for production at the next maintenance window (since we are not allowed to have those websites go down in case it still does not work).

    Thanks all for your help and replies!

      Markus
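
The two cssd failures quoted in this thread (the Avira "VDF file crc failed" line in the fallback.log above and the SAVI "split-virus data set" line in this post) both mean the scanner daemon never initialised, and the WAF then answers 403 with reason="av" and extra="virus daemon error found" for every request, i.e. it fails closed rather than passing unscanned content. The script below is an added example, not code from the original posts or from Sophos: it parses constructed log lines in the two formats shown in the thread (placeholder hostnames, addresses and URLs) and reports whether the AV blocks in the WAF log coincide with an engine-initialisation failure in the fallback.log. The mapping of cssd init function names to engine names is an assumption taken from the function names in the quoted lines.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the formats quoted in the thread.
# Hostnames, addresses, URLs and the uid are placeholders, not real data.
WAF_LOG = """\
2019:12:06-14:04:57 utm httpd[19869]: [avscan:error] [pid 19869:tid 3734772592] [client 192.0.2.10:35959] [19869] virus daemon error found in request /
2019:12:06-14:04:57 utm httpd: id="0299" srcip="192.0.2.10" localip="198.51.100.5" size="203" user="-" host="192.0.2.10" method="GET" statuscode="403" reason="av" extra="virus daemon error found" exceptions="-" time="10300" url="/" server="www.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACT"
2019:12:06-14:05:01 utm httpd: id="0299" srcip="192.0.2.11" localip="198.51.100.5" size="2048" user="-" host="192.0.2.11" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="120" url="/index.html" server="www.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="XepR@QrwBAEAAE2dtDgAAACU"
"""

FALLBACK_LOG = """\
2019:12:06-14:04:56 utm [daemon:info] cssd[7290]:  [     (nil)] avira_init (avira.c:79) failed to load Avira engine: aviraglue_init() failed to initialize SAVAPI: VDF file crc failed
2019:12:06-14:04:56 utm [daemon:info] cssd[7290]:  [     (nil)] main (cssd.c:434) virus scanner initialization finished
2019:12:06-14:42:58 utm [daemon:info] cssd[6043]:  [     (nil)] saviscanner_init (saviscanner.c:63) ERROR: Failed to initialise SAVI engine: One of the files in a split-virus data set could not be located [0x8004022d]
2019:12:06-14:42:58 utm [daemon:info] cssd[6043]:  [     (nil)] main (cssd.c:430) unable to initialize Sophos virus scanner, exiting
"""

# key="value" fields as written by the UTM httpd access log (id="0299" ...).
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

# cssd lines in fallback.log:
#   <ts> <host> [daemon:<level>] cssd[<pid>]:  [ (nil)] <func> (<file:line>) <message>
CSSD_RE = re.compile(
    r'^(?P<ts>\S+) \S+ \[daemon:\w+\] cssd\[(?P<pid>\d+)\]:\s+\[\s*\(nil\)\]\s+'
    r'(?P<func>\w+) \((?P<src>[^)]+)\) (?P<msg>.*)$'
)

# Assumption: which cssd init function belongs to which scan engine,
# taken from the function names in the quoted log lines.
ENGINE_BY_INIT = {"avira_init": "Avira", "saviscanner_init": "Sophos"}


def parse_waf_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one WAF access-log line ({} if it has none)."""
    return dict(KV_RE.findall(line))


def waf_av_blocks(text: str) -> List[Dict[str, str]]:
    """Requests the WAF rejected with 403 because of the AV check (reason="av")."""
    blocks = []
    for line in text.splitlines():
        fields = parse_waf_line(line)
        if fields.get("statuscode") == "403" and fields.get("reason") == "av":
            blocks.append(fields)
    return blocks


def engine_init_failures(text: str) -> List[Dict[str, str]]:
    """cssd engine-initialisation failures with engine name, pid and the error text."""
    failures = []
    for line in text.splitlines():
        m = CSSD_RE.match(line)
        if not m:
            continue
        engine = ENGINE_BY_INIT.get(m.group("func"))
        # Only init functions of a known engine whose message reports a failure.
        if engine and "fail" in m.group("msg").lower():
            failures.append({
                "timestamp": m.group("ts"),
                "pid": m.group("pid"),
                "engine": engine,
                "message": m.group("msg"),
            })
    return failures


def triage(waf_text: str, fallback_text: str) -> dict:
    """Correlate WAF AV blocks with scanner init failures and say whether the WAF fails closed."""
    blocks = waf_av_blocks(waf_text)
    daemon_errors = [b for b in blocks if "daemon error" in b.get("extra", "")]
    failures = engine_init_failures(fallback_text)
    # "virus daemon error" blocks together with a failed engine init mean the scanner
    # never came up and the WAF is rejecting requests instead of serving unscanned data.
    fail_closed = bool(daemon_errors) and bool(failures)
    return {
        "av_blocks": len(blocks),
        "daemon_error_blocks": len(daemon_errors),
        "engine_failures": failures,
        "fail_closed": fail_closed,
    }


if __name__ == "__main__":
    summary = triage(WAF_LOG, FALLBACK_LOG)
    print(f"AV blocks: {summary['av_blocks']} (daemon errors: {summary['daemon_error_blocks']})")
    for f in summary["engine_failures"]:
        print(f"{f['timestamp']} cssd[{f['pid']}] {f['engine']}: {f['message']}")
    print("WAF is failing closed on scanner outage:", summary["fail_closed"])
```

Run it against the real files (/var/log/reverseproxy.log for the WAF lines and /var/log/fallback.log for cssd) by replacing the constructed strings; a non-empty engine_failures list with daemon-error blocks points at the scanner, not at the WAF rule set or the backend.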

  • In reply to Markus Quirmbach:

    Very interesting, Markus.  Since switching from/to Avira seemed to fix your issue, I wonder if rebuilding the PostgreSQL databases would have resolved this.  Could you ask your support person that dealt with this issue to ask Sophos Support that question?

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    I'm really sorry for the late reply.

    On the topic: I'm afraid nobody contacted Sophos Support, since

    1. the aforementioned action solved the issue and
    2. the UTM was replaced soon afterwards anyway

    The latter was planned a couple of weeks ago, to replace the single SG450 with an SG310 cluster. So no one looked into this after that. But in the days between the issue and the replacement of the UTM it was very important to get the problem resolved, and we are glad that switching the AV engines helped.

    Thanks everyone!

    Markus