This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help analyzing WAF / reverse proxy log

jkm005 over 6 years ago

One user is generating Antivirus Daemon Error's in our Web Protection Log. About 30.000 a day.

Same rule is used for OWA - errors seems to come only from ActiveSync client.

I would like to understand what causes these Daemon Errors- Guess I need to be pointed in the right log direction :)

Thank you.

This thread was automatically locked due to age.

0 lferrara over 6 years ago

tail –f /log/reverseproxy.log

Did you try this command from advanced shell?
- 0 jkm005 over 6 years ago in reply to lferrara
  
  Thanks!
  
  It doesn't give me much more understanding, but this is what I see:
  
  [avscan:error] [pid 24125:tid 120565068830464] [25125]nvirus daemon error found in request /Microsoft-Server-ActiveSync method="POST" statuscode="403" reason="Antivirus" extra="daemon error"
  - 0 lferrara over 6 years ago in reply to jkm005
    
    Reason is the antivirus. Try to uncheck antivirus scanning. Regards
  - 0 jkm005 over 6 years ago in reply to lferrara
    
    Thanks again :)
    
    So I made an exception to path /Microsoft-Server-ActiveSync? comming for this source IP, skip antivirus. Still we get this:
    
    /Microsoft-Server-ActiveSync
    
    Antivirus
    
    daemon err
  - 0 lferrara over 6 years ago in reply to jkm005
    
    Uhm...Is the antivirus correctly updated? Check the Patterns under Backup & Firmware.
    
    Thanks
  - 0 jkm005 over 6 years ago in reply to lferrara
    
    Yes I think it is:
    
    Sophos AV
    
    1.0.14760
    
    -
    
    19:05:51, Oct 25 2019
    
    Success
  - 0 lferrara over 6 years ago in reply to jkm005
    
    Avira?
  - 0 jkm005 over 6 years ago in reply to lferrara
    
    Yes also updated. I did try to switch to that at some point, but it made no difference. I will try to reboot the XG later today (not that I think that will do much, but better try :))
  - 0 lferrara over 6 years ago in reply to jkm005
    
    Ok. Please let us know.
  - 0 jkm005 over 6 years ago in reply to lferrara
    
    The reboot actually may have helped :)
    
    Not one reason="Antivirus" for any clients in 1½ hour. Even deleted the exception.
    
    Thanks!
  - 0 jkm005 over 6 years ago in reply to lferrara
    
    Well that lasted for aprox 72 hours.
    
    Now this is starting again for same client + 2 others :/
  - 0 jkm005 over 6 years ago in reply to lferrara
    
    Actually what we see is that all these Daemon Errors are coming from Huawei devices. Is there something going on with Huawei native mail client perhaps?