
Sophos AV update failed - broken all web access when malware enabled - This keeps happening

I have had this problem a few times before, and the only way I've been able to fix it is to completely re-image the device and restore from backup.  Until this issue is fixed, there must be an easier way.


This has been shown in a previous thread - https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/86815/proxy-broken-with-latest-malware-av-pattern-update---lost-all-web-access/321434#321434


I have malware enabled on my FW rule to handle endpoints, using the Sophos engine. Sometimes the Sophos AV pattern update fails. When this happens, it breaks access to the web, with the proxy returning a 500 response to all requests.

If I remove malware checking from the FW rule and/or change the malware engine, it fixes web access. However, I cannot get the Sophos AV to update, and thus it remains broken.


I am currently on SFOS 16.05.0 GA

The most recent pattern update shows the following:

Sophos AV    1.0.10583    -    20:56:17, Mar 02 2017    Failed

This is the tail of up2date_av.log:

2017-03-05 04:56:31 AM: applying incremental update update
2017-03-05 04:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 04:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 04:56:33 AM: New savi full update Failed
2017-03-05 06:56:31 AM: Got the lock for updating savi (savi_10576-10596.tar.gz)
2017-03-05 06:56:31 AM: applying incremental update update
2017-03-05 06:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 06:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 06:56:33 AM: New savi full update Failed
2017-03-05 08:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 08:56:31 AM: applying incremental update update
2017-03-05 08:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 08:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 08:56:34 AM: New savi full update Failed
2017-03-05 10:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 10:56:31 AM: applying incremental update update
2017-03-05 10:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 10:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 10:56:33 AM: New savi full update Failed
2017-03-05 12:56:30 PM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 12:56:30 PM: applying incremental update update
2017-03-05 12:56:30 PM: updating /sdisk/savi/engine signatures
2017-03-05 12:56:31 PM: updating /sdisk/savi/vdl signatures
2017-03-05 12:56:33 PM: New savi full update Failed


Is there a way to clear the current AV pattern so it can update, without the need to reinstall the image? This happens at least once a month and is causing real issues.


Any help greatly appreciated.

  • Michael,

    this should not occur once per month. Something is broken on your appliance. In my case, it happened 2 times this year. Did you try to rename the folder as suggested in this thread?

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/73626/avira-up2date-error-is-there-any-solution#pi2132219853=4

    If it does not work, open a ticket with Support.

    Regards

  • Hi lferrara...

    I've read the thread as well as my original thread.

    Looking more into the logs, it does seem to be the exact same problem I had last time:

    Sun Mar 05 16:56:31 2017 Download for file savi_1.00_1.0.10599_fdiff20.tar.gz.gpg passed integrity and gpg checks
    Sun Mar 05 16:56:31 2017 Either FILE or MSID received in U2DVERSION is blank, savi_10579-10599.tar.gz,
    Sun Mar 05 16:56:31 2017 Current savi patterns are at /content/savi_1.00/1.0.10583
    Sun Mar 05 16:56:31 2017 New updated patterns are now at /content/savi_1.00/1.0.10599
    Sun Mar 05 16:56:33 2017 Callback u2d_pt_installed failed for savi, version = 1.0.10599.
    Sun Mar 05 16:56:33 2017 Setting status 'fail' in DB and reverting link for savi to old version = 1.0.10583.
    Sun Mar 05 16:56:33 2017 savi patterns are again at /content/savi_1.00/1.0.10583

    You mentioned last time to rename the content folder (at least I think). I hate to be a pain, but can you be explicit in what folder to rename, and to what?

    Only because last time I renamed the folder, it killed my whole platform and I had to re-image, so clearly I misunderstood something.

    Here is the listing of my /contents/savi_1.00/


    SFVH_SO01_SFOS 16.05.0 GA# cat U2DVERSION
    FILE=savi_10582-10583.tar.gz
    CV=1.00
    VERSION=1.0.10583
    TYPE=immdiff
    MSID=
    SFVH_SO01_SFOS 16.05.0 GA# cd ..
    SFVH_SO01_SFOS 16.05.0 GA# cd savi_1.00/
    SFVH_SO01_SFOS 16.05.0 GA# ls -l
    drwxr-xr-x    2 root     0             1024 Mar  2 20:55 1.0.10583
    drwxr-xr-x    2 root     0             1024 Mar  3 02:56 1.0.10584
    drwxr-xr-x    2 root     0             1024 Mar  3 06:56 1.0.10585
    drwxr-xr-x    2 root     0             1024 Mar  3 08:56 1.0.10586
    drwxr-xr-x    2 root     0             1024 Mar  3 12:55 1.0.10587
    drwxr-xr-x    2 root     0             1024 Mar  3 18:55 1.0.10588
    drwxr-xr-x    2 root     0             1024 Mar  3 22:55 1.0.10589
    drwxr-xr-x    2 root     0             1024 Mar  4 04:56 1.0.10590
    drwxr-xr-x    2 root     0             1024 Mar  4 08:56 1.0.10591
    drwxr-xr-x    2 root     0             1024 Mar  4 16:55 1.0.10592
    drwxr-xr-x    2 root     0             1024 Mar  4 20:56 1.0.10593
    drwxr-xr-x    2 root     0             1024 Mar  5 00:56 1.0.10594
    drwxr-xr-x    2 root     0             1024 Mar  5 04:56 1.0.10595
    drwxr-xr-x    2 root     0             1024 Mar  5 06:56 1.0.10596
    drwxr-xr-x    2 root     0             1024 Mar  5 14:56 1.0.10597
    drwxr-xr-x    2 root     0             1024 Mar  5 16:56 1.0.10599
    SFVH_SO01_SFOS 16.05.0 GA#


    Thanks again for all your help!


    - Mike
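As an added example (not code from the thread, from Sophos, or from any poster), a Python script that reads the indicators the posts above walk through: the repeated "New savi full update Failed" entries in up2date_av.log, the "reverting link" message in the u2d log, the blank MSID in U2DVERSION, and the pile of newer directories under /content/savi_1.00 that the reverted attempts leave behind. It summarises them so the stuck state can be caught by a scheduled check before the proxy starts returning 500s. The sample lines are constructed to mirror the formats quoted in the thread, and treating an attempt without a Failed line as a success is an assumption.

```python
import re

# Constructed sample data modelled on the log excerpts and listing quoted in the thread
# (not copied from an appliance); timestamps and version numbers are illustrative.
SAMPLE_AV_LOG = """\
2017-03-05 04:56:31 AM: Got the lock for updating savi (savi_10575-10595.tar.gz)
2017-03-05 04:56:33 AM: New savi full update Failed
2017-03-05 06:56:31 AM: Got the lock for updating savi (savi_10576-10596.tar.gz)
2017-03-05 06:56:33 AM: New savi full update Failed
"""
SAMPLE_U2D_LOG = """\
Sun Mar 05 16:56:33 2017 Callback u2d_pt_installed failed for savi, version = 1.0.10599.
Sun Mar 05 16:56:33 2017 Setting status 'fail' in DB and reverting link for savi to old version = 1.0.10583.
"""
SAMPLE_U2DVERSION = "FILE=savi_10582-10583.tar.gz\nCV=1.00\nVERSION=1.0.10583\nTYPE=immdiff\nMSID=\n"
SAMPLE_DIRS = ["1.0.10583", "1.0.10584", "1.0.10597", "1.0.10599"]

def trailing_failed_attempts(av_log):
    """Attempts at the tail of up2date_av.log that ended in 'New savi full update Failed'.
    An attempt starts at 'Got the lock'; one with no Failed line counts as success (assumption)."""
    streak, failed = 0, None
    for line in av_log.splitlines():
        if "Got the lock for updating savi" in line:
            if failed is False:  # previous attempt did not fail, so the streak is broken
                streak = 0
            failed = False
        elif "New savi full update Failed" in line:
            failed, streak = True, streak + 1
    return 0 if failed is False else streak

def revert_info(u2d_log):
    """(attempted_version, reverted_to_version) if the post-install callback failed and the link was reverted."""
    tried = re.search(r"u2d_pt_installed failed for savi, version = ([\d.]+)\.", u2d_log)
    back = re.search(r"reverting link for savi to old version = ([\d.]+)\.", u2d_log)
    return (tried.group(1), back.group(1)) if tried and back else None

def stale_pattern_dirs(dir_names, current_version):
    """Directories under /content/savi_1.00 newer than the VERSION still recorded in U2DVERSION."""
    key = lambda v: tuple(int(p) for p in v.split("."))
    return sorted(d for d in dir_names if key(d) > key(current_version))

def diagnose(av_log, u2d_log, u2dversion_text, dir_names):
    """Summarise the indicators of a stuck savi pattern update in one dict."""
    fields = dict(l.split("=", 1) for l in u2dversion_text.splitlines() if "=" in l)
    return {
        "failed_attempts": trailing_failed_attempts(av_log),
        "revert": revert_info(u2d_log),
        "blank_fields": [k for k in ("FILE", "MSID") if not fields.get(k)],
        "stale_dirs": stale_pattern_dirs(dir_names, fields["VERSION"]),
    }
```

On an appliance the four inputs would come from the real log files, the U2DVERSION file and a directory listing; a non-empty stale_dirs list together with a failure streak is the condition worth alerting on.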

  • "mv /content/u2d/pattern /content/u2d/pattern.org
    This will rename the pattern file to pattern.org.
    Now update the pattern files with the GUI using System > Administration > Updates.
    Give the firewall some time to succeed the update process."

    From the thread.

    It worked for me last time without breaking XG.

  • Thanks heaps for the quick reply - I'll try tonight and report results.
