Sophos AV update failed - broken all web access when malware enabled - This keeps happening

Question

I have had this problem a few times before, and the only way I've been able to fix it is to completely re-image the device and restore from backup. Until this issue is fixed, there must be an easier way. 
 
 This has been shown in a previous thread - https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/86815/proxy-broken-with-latest-malware-av-pattern-update---lost-all-web-access/321434#321434 
 
 I have malware enabled on my FW rule to handle endpoints, using the sophos engine. Sometimes the sophos AV pattern update fails. When this happens, it breaks access to the web, with the proxy returning a 500 response to all requests. 
 If I remove malware checking from the FW rule and/or change the malware engine - it fixes web access. However, I cannot get the sophos AV to update, and thus remains broken. 
 
 I am currently on SFOS 16.05.0 GA 
 The most recent patten update showing the following....

Sophos AV

1.0.10583

-

20:56:17, Mar 02 2017

Failed

This is the tail from the up2date_av.log 
 2017-03-05 04:56:31 AM: applying incremental update update 2017-03-05 04:56:31 AM: updating /sdisk/savi/engine signatures 2017-03-05 04:56:31 AM: updating /sdisk/savi/vdl signatures 2017-03-05 04:56:33 AM: New savi full update Failed 2017-03-05 06:56:31 AM: Got the lock for updating savi (savi_10576-10596.tar.gz ) 2017-03-05 06:56:31 AM: applying incremental update update 2017-03-05 06:56:31 AM: updating /sdisk/savi/engine signatures 2017-03-05 06:56:31 AM: updating /sdisk/savi/vdl signatures 2017-03-05 06:56:33 AM: New savi full update Failed 2017-03-05 08:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz ) 2017-03-05 08:56:31 AM: applying incremental update update 2017-03-05 08:56:31 AM: updating /sdisk/savi/engine signatures 2017-03-05 08:56:31 AM: updating /sdisk/savi/vdl signatures 2017-03-05 08:56:34 AM: New savi full update Failed 2017-03-05 10:56:31 AM: Got the lock for updating savi (savi_10577-10597.tar.gz ) 2017-03-05 10:56:31 AM: applying incremental update update 2017-03-05 10:56:31 AM: updating /sdisk/savi/engine signatures 2017-03-05 10:56:31 AM: updating /sdisk/savi/vdl signatures 2017-03-05 10:56:33 AM: New savi full update Failed 2017-03-05 12:56:30 PM: Got the lock for updating savi (savi_10577-10597.tar.gz ) 2017-03-05 12:56:30 PM: applying incremental update update 2017-03-05 12:56:30 PM: updating /sdisk/savi/engine signatures 2017-03-05 12:56:31 PM: updating /sdisk/savi/vdl signatures 2017-03-05 12:56:33 PM: New savi full update Failed 
 
 Is there a way to clear the current AV pattern so it can update, without the need to reinstall the image???? This happens at least once a month and is causing real issues. 
 
 Any help greatly appreciated.

lferrara · Accepted Answer

"mv /content/u2d/pattern /content/u2d/pattern.org This will rename the pattern file to pattern.org. Now update the pattern files with the GUI using System > Administration > Updates. Give the firewall some time to succeed the update process." 
 From the thread. 
 It worked for me last time without break XG.

GarryGalon1 · Answer

I struggled with this exact issue for a while, and NONE of the other suggestions have worked. What I did, was a bit of a "Hail Mary", but it actually fixed mine. I'm running my XG 17.5.9 MR-9 as of December 31, 2019 as a Virtual Machine on ESXi. With that being said the first thing I did was take a clone of my VM. Since my Avira and Sophos AV Pattern's would NOT update what so ever, I read through a bunch of articles stating to rename the pattern directory to pattern.org. Since that didn't work, I poked around the file system, and actually removed the following directories with rm -rf /var/avira4 AND rm -rf /var/savi Rebooted the system (remember I took a clone / snapshot of the vm before doing anything just to be safe), and voila! Both Sophos, and Avira directories re-generated automatically AND my patterns started updating. My AV Service is now running properly!! 
 I hope this little tidbit helps the next person that comes across this seemingly common issue. Way nicer than having to do a full re-install of the Sophos XG. But PLEASE MAKE SURE YOU HAVE A SNAPSHOT / CLONE / WORKING BACKUP that you can fallback to just incase.

lferrara · Answer

Michael, 
 this should not occur one per month. Something is broken on your appliance. In my case, it happened 2 times this year. Did you try to rename the folder as suggested from this thread? 
 https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/73626/avira-up2date-error-is-there-any-solution#pi2132219853=4 
 If it does not work, open a ticket with Support. 
 Regards

MartinBozko · Answer

This helped me. 
 I have 2x XG230 in HA active-passive. 
 Antivirus services stopeed without any reason. Pattern updates for Sophos AV and Avira AV were FAILED few days. 
 Outgoing emails were stucked in queue because it was unable to do antivius scaning. 
 Web proxy was denying some of traffice because it was unable to do antivius scaning. 
 
 For me this was enough to mae it work: 
 SSH to advanced shell on XG firewall 
 rm -rf /var/avira4 
 rm -rf /var/savi 
 (no restart, no HA change) 
 
 Later Antivirus service was automaticly started. 
 I run Pattern update and it worked. 
 Emails from queue was delivered.

12:22 Edit: 
 Only Avira service is OK and pattern updates for Avira are OK. 
 Sophos AV patterns are still failed. 
 But emails are working

Vishal_R · Answer

Hi MartinBozko The recent issue which you faced and observed is may be related to NC-58941 Please find the below KBA: https://community.sophos.com/kb/en-us/135351 
 If you are still having this issue and you are running with V17 then you may log a support case to apply the patch on your appliance.