

Sophos AV update failed - broken all web access when malware enabled - This keeps happening

I have had this problem a few times before, and the only way I've been able to fix it is to completely re-image the device and restore from backup.  Until this issue is fixed, there must be an easier way.

 

This has been shown in a previous thread - https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/86815/proxy-broken-with-latest-malware-av-pattern-update---lost-all-web-access/321434#321434

 

I have malware enabled on my FW rule to handle endpoints, using the Sophos engine. Sometimes the Sophos AV pattern update fails. When this happens, it breaks access to the web, with the proxy returning a 500 response to all requests.

If I remove malware checking from the FW rule and/or change the malware engine, it fixes web access. However, I cannot get the Sophos AV to update, and thus it remains broken.

 

I am currently on SFOS 16.05.0 GA

The most recent pattern update shows the following:

Sophos AV    1.0.10583    -    20:56:17, Mar 02 2017    Failed

This is the tail from the up2date_av.log:

2017-03-05 04:56:31 AM: applying incremental update update
2017-03-05 04:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 04:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 04:56:33 AM: New savi full update Failed
2017-03-05 06:56:31 AM: Got the lock for updating savi (savi_10576-10596.tar.gz)
2017-03-05 06:56:31 AM: applying incremental update update
2017-03-05 06:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 06:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 06:56:33 AM: New savi full update Failed
2017-03-05 08:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 08:56:31 AM: applying incremental update update
2017-03-05 08:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 08:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 08:56:34 AM: New savi full update Failed
2017-03-05 10:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 10:56:31 AM: applying incremental update update
2017-03-05 10:56:31 AM: updating /sdisk/savi/engine signatures
2017-03-05 10:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 10:56:33 AM: New savi full update Failed
2017-03-05 12:56:30 PM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 12:56:30 PM: applying incremental update update
2017-03-05 12:56:30 PM: updating /sdisk/savi/engine signatures
2017-03-05 12:56:31 PM: updating /sdisk/savi/vdl signatures
2017-03-05 12:56:33 PM: New savi full update Failed

 

Is there a way to clear the current AV pattern so it can update, without the need to reinstall the image? This happens at least once a month and is causing real issues.

 

Any help greatly appreciated.

 



This thread was automatically locked due to age.
  • Michael,

    this should not occur once per month. Something is broken on your appliance. In my case, it happened 2 times this year. Did you try to rename the folder as suggested in this thread?

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/73626/avira-up2date-error-is-there-any-solution#pi2132219853=4

    If it does not work, open a ticket with Support.

    Regards

  • I struggled with this exact issue for a while, and NONE of the other suggestions have worked. What I did was a bit of a "Hail Mary", but it actually fixed mine. I'm running my XG 17.5.9 MR-9 as of December 31, 2019 as a Virtual Machine on ESXi. With that being said, the first thing I did was take a clone of my VM. Since my Avira and Sophos AV patterns would NOT update whatsoever, I read through a bunch of articles stating to rename the pattern directory to pattern.org. Since that didn't work, I poked around the file system and actually removed the following directories with rm -rf /var/avira4 AND rm -rf /var/savi. Rebooted the system (remember I took a clone / snapshot of the VM before doing anything, just to be safe), and voila! Both the Sophos and Avira directories re-generated automatically AND my patterns started updating. My AV Service is now running properly!!

    I hope this little tidbit helps the next person that comes across this seemingly common issue. Way nicer than having to do a full re-install of the Sophos XG. But PLEASE MAKE SURE YOU HAVE A SNAPSHOT / CLONE / WORKING BACKUP that you can fall back to, just in case.


  • This helped me.

    I have 2x XG230 in HA active-passive.

    Antivirus services stopped without any reason. Pattern updates for Sophos AV and Avira AV had been FAILED for a few days.

    Outgoing emails were stuck in the queue because it was unable to do antivirus scanning.

    The web proxy was denying some of the traffic because it was unable to do antivirus scanning.

     

    For me this was enough to make it work:

    SSH to advanced shell on XG firewall

    rm -rf /var/avira4

    rm -rf /var/savi 

    (no restart, no HA change)

     

    Later the Antivirus service was automatically started.

    I ran a pattern update and it worked.

    Emails from the queue were delivered.

     

     

    12:22 Edit:

    Only the Avira service is OK and pattern updates for Avira are OK.

    Sophos AV patterns are still failed.

    But emails are working.
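
The two posts above (the ESXi one and the XG230 one) both clear /var/savi and /var/avira4 with rm -rf and then wait for the pattern update. The shell script below is an added example, not code from the thread or from Sophos: it first reads the up2date_av.log tail and counts how many SAVI update attempts in a row ended in "New savi full update Failed" (the signal the original poster quoted), and then moves the two directories aside with a timestamp instead of deleting them, so they can be put back if Sophos AV still fails afterwards, as the second poster found. The log path and the root directory are parameters; on the appliance you would pass /log/up2date_av.log and /, which is my assumption since the thread names only the file, not its directory. The sample log is constructed to match the shape of the excerpt in the first post, including one wrapped tarball name.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Assumptions: the log path
# and the directory root are passed in so the script can be tried against a
# scratch directory first; on the appliance the advanced shell (BusyBox) has
# sh, awk, mv and date, which is all this uses.

# Print the number of consecutive failed SAVI update attempts at the end of
# the log. An attempt starts at "Got the lock for updating savi" and counts
# as failed if "New savi full update Failed" follows before the next attempt.
savi_failed_streak() {
    awk '
        /Got the lock for updating savi/ { n++; failed[n] = 0 }
        /New savi full update Failed/    { failed[n] = 1 }
        END {
            streak = 0
            for (i = n; i >= 1 && failed[i]; i--) streak++
            print streak + 0
        }' "$1"
}

# Exit 0 when the last $2 (default 3) attempts all failed, 1 otherwise.
savi_stuck() {
    [ "$(savi_failed_streak "$1")" -ge "${2:-3}" ]
}

# Move the pattern directories under $1 (default /) aside as <dir>.bak.<stamp>
# and print the stamp. The posts above report that the AV service recreates
# the directories on the next pattern update.
reset_av_dirs() {
    root=${1:-/}
    stamp=$(date +%Y%m%d%H%M%S)
    for d in var/savi var/avira4; do
        if [ -d "$root/$d" ]; then
            mv "$root/$d" "$root/$d.bak.$stamp" || return 1
        fi
    done
    echo "$stamp"
}

# Undo reset_av_dirs: drop whatever was regenerated and put the saved
# directories back.
restore_av_dirs() {
    root=$1
    stamp=$2
    for d in var/savi var/avira4; do
        [ -d "$root/$d.bak.$stamp" ] || continue
        rm -rf "$root/$d"
        mv "$root/$d.bak.$stamp" "$root/$d" || return 1
    done
}

# Constructed sample in the shape of the thread's log excerpt: a trailing
# result with no attempt marker, then two attempts, both failed. Written to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2017-03-05 04:56:31 AM: updating /sdisk/savi/vdl signatures
2017-03-05 04:56:33 AM: New savi full update Failed
2017-03-05 06:56:31 AM: Got the lock for updating savi (savi_10576-10596.tar.gz
)
2017-03-05 06:56:31 AM: applying incremental update update
2017-03-05 06:56:33 AM: New savi full update Failed
2017-03-05 08:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz)
2017-03-05 08:56:31 AM: applying incremental update update
2017-03-05 08:56:34 AM: New savi full update Failed
EOF
}

# Dry run against a scratch directory. On the appliance the equivalent is:
#   savi_stuck /log/up2date_av.log && reset_av_dirs /
# followed by a pattern update from the GUI.
scratch=$(mktemp -d)
write_sample_log "$scratch/up2date_av.log"
mkdir -p "$scratch/var/savi" "$scratch/var/avira4"
echo "failed streak: $(savi_failed_streak "$scratch/up2date_av.log")"
if savi_stuck "$scratch/up2date_av.log" 2; then
    stamp=$(reset_av_dirs "$scratch")
    echo "moved pattern dirs aside with stamp $stamp"
fi
rm -rf "$scratch"
```

The streak threshold matters: a single failed attempt happens on a flaky download and clears itself on the next two-hourly run, so only act when several consecutive attempts have failed, as in the log the original poster pasted. Keeping the .bak directories until the next update shows Successful in the GUI costs a few hundred megabytes and saves a re-image if the reset turns out not to be the fix.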

  • Hi  

    The recent issue which you faced and observed may be related to NC-58941.

    Please find the KBA below:

    https://community.sophos.com/kb/en-us/135351

    If you are still having this issue and you are running V17, you may log a support case to have the patch applied on your appliance.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • The best way to solve this problem without contacting support:

    1. Upgrade to the latest 18 version (from 17.5 MR10).

    2. From the advanced shell:
      • /scripts/av_version_change.sh savi
      • /scripts/av_version_change.sh avira
       Then initiate a pattern update from the GUI.

    If you want to go back again:

    3. Downgrade to 17.5 MR10 again.

    4. You can upgrade to 17.5 March 11.

    5. You can also restore a backup to be sure everything is OK.