very long email bypasses AV Scan?

Hello,

i saw this Error Message in the logfiles of a UTM 9.711-5. I assume that very long email-adresses throw this error and therefore bypasses the AV-Scan?

2022:08:17-01:10:33 amg-2 [daemon:info] cssd[5717]:  [0xe810ab18] scan_part (saviscanner.c:478) Failed to create temp file : err'File name too long' , message id [loqrvrgAvXpSWphzrC2nw2Ul3yOsNCNjJPMa0TBmGR4t6cSoFLB1EmdxLSPoltyV9aW0Tncq46J18sfE3HwxTzVuiBItU7fT71JReL89IIhgb3p5-y03t48b1rnfh26t7mejdcl3ago0jazjujdeecf5tta1l7ljjpsnr4gsbvikw8ughykl0qgj9haleluo0c1i7808u9ig73mfr309cz9m-o3CmhOCf1Dz9Y8yIdkW8iH5QGk1C8nLC2dOaRggIKFIyD67GhUEprA5YKXrJb2b46P4OWanxFVW9STGZEbeVBaKbY1LZoq-sihw-d26z-bmdkvy47cloy2vwrnEYPKxtmjMUQsOuePHCltokc8Q1CR6oj7YkVQWLzyvgQaAVP8n0sBbuzRm2zjgIg5T2LFDb4ZhLZIwFHJwZbxkBfwtFFAdMwXE7t89oYhZOPmGVa45ahh1sb26hi9uurd9tzmmhlxgl69p0wd72kylmrht0gekxhkg6xte8hkkdjz3620zdpap7h9xne8bliii51m48xec7464xwt0cpbtsm-587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.g91gxfkvgw4o40ghvf40i2uewh1f83ze3qlrvvd2h7hcyojjte916t5s1wyzqn4k@DUMTWGYUMALWHSKKSEIGBWARNTDXPLTTFFMBMLWYLIUTAFESJMZKIZCWSGUIROBXTNZGZVFKDZEDEIWOVWYEWBBPHVus-939814834-2.587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.co.uk] : creating new id

Greetings and have a nice day...

Parents
  • Hello ,

    Thank you for reaching out to the community, can you please share the following output:

    1.) ll /var/storage/cores/
    2.) tail -f /var/log/sandboxd.log
    3.) tail -f /var/log/fallback.log

    Is this your virtual appliance or hardware appliance ?

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 1.) ll /var/storage/cores/

    total 2187784
    -rw-r--r-- 1 root root 2240286720 Jun 20 00:27 postgres.31881

    2.) tail -f /var/log/sandboxd.log
    tail: cannot open `/var/log/sandboxd.log' for reading: No such file or directory

    3.) tail -f /var/log/fallback.log
    022:08:17-14:38:01 amg-2 [user:notice] cluster_sync[9639]:
    2022:08:17-14:38:01 amg-2 [user:notice] cluster_sync[9639]: ### handle 'cluster-distribution'
    2022:08:17-14:38:01 amg-2 [user:notice] cluster_sync[9639]: done without errors
    2022:08:17-14:38:30 amg-1 [daemon:info] cssd[5726]: [0xf40707d0] scan_part (saviscanner.c:478) Failed to create temp file : err'No such file or directory' , message id [E5-2azgtx48-nr232/2/1003362-00cfe19r@****.net] : creating new id
    2022:08:17-14:38:30 amg-1 [daemon:info] cssd[5726]: [0xf40707d0] scan_part (saviscanner.c:478) Failed to create temp file : err'No such file or directory' , message id [E5-2azgtx48-nr232/2/1003362-00cfe19r@****.net] : creating new id
    2022:08:17-14:38:30 amg-1 [daemon:info] cssd[5726]: [0xf40707d0] scan_part (saviscanner.c:478) Failed to create temp file : err'No such file or directory' , message id [E5-2azgtx48-nr232/2/1003362-00cfe19r@****.net] : creating new id
    2022:08:17-14:39:01 amg-1 [daemon:notice] ad-sync.plx[12477]: [ad-sync] started
    2022:08:17-14:39:01 amg-1 [daemon:warning] ad-sync.plx[12477]: [ad-sync] Web filtering is disabled, exiting now
    2022:08:17-14:39:01 amg-2 [daemon:notice] ad-sync.plx[9849]: [ad-sync] started
    2022:08:17-14:39:01 amg-2 [daemon:warning] ad-sync.plx[9849]: [ad-sync] not Standalone or Master in HA/Cluster mode, exiting now

  • Hey
    Can you share the file output with the following outputs:
    cat /var/log/sandboxd.log
    cat /var/log/fallback.log

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi,  there is no sandboxd.log-File

    the correspondig section from the fallback.log is here:

    2022:08:17-01:07:45 amg-2 [user:notice] cluster_sync[25007]:  198.19.250.2 -> 198.19.250.1 
    2022:08:17-01:07:45 amg-2 [user:notice] cluster_sync[25007]:  rsync --sockopts=SO_KEEPALIVE --archive --protect-args --relative --no-implied-dirs /etc/ha/asg_2 ClusterSyncUser@198.19.250.1::cluster_sync/ 
    2022:08:17-01:07:45 amg-2 [user:notice] cluster_sync[25007]:   
    2022:08:17-01:07:45 amg-2 [user:notice] cluster_sync[25007]:  ### handle 'mail-spool' 
    2022:08:17-01:07:45 amg-2 [user:notice] cluster_sync[25007]:  198.19.250.2 -> 198.19.250.1 
    2022:08:17-01:07:45 amg-2 [user:notice] cluster_sync[25007]:  rsync --sockopts=SO_KEEPALIVE --archive --protect-args --delete --relative --no-implied-dirs /var/storage/chroot-smtp/spool/quarantine/2 /var/storage/chroot-smtp/spool/output/2 /var/storage/chroot-smtp/spool/error/2 ClusterSyncUser@198.19.250.1::cluster_sync/ 
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:   
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:  ### handle 'mail-spx' 
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:  no source path(s), do nothing 
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:  ### handle 'mail-smime' 
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:  ### handle 'cluster-distribution' 
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:  no source path(s), do nothing 
    2022:08:17-01:07:47 amg-2 [user:notice] cluster_sync[25007]:  done without errors 
    2022:08:17-01:10:33 amg-2 [daemon:info] cssd[5717]:  [0xe810ab18] scan_part (saviscanner.c:478) Failed to create temp file : err'File name too long' , message id [loqrvrgAvXpSWphzrC2nw2Ul3yOsNCNjJPMa0TBmGR4t6cSoFLB1EmdxLSPoltyV9aW0Tncq46J18sfE3HwxTzVuiBItU7fT71JReL89IIhgb3p5-y03t48b1rnfh26t7mejdcl3ago0jazjujdeecf5tta1l7ljjpsnr4gsbvikw8ughykl0qgj9haleluo0c1i7808u9ig73mfr309cz9m-o3CmhOCf1Dz9Y8yIdkW8iH5QGk1C8nLC2dOaRggIKFIyD67GhUEprA5YKXrJb2b46P4OWanxFVW9STGZEbeVBaKbY1LZoq-sihw-d26z-bmdkvy47cloy2vwrnEYPKxtmjMUQsOuePHCltokc8Q1CR6oj7YkVQWLzyvgQaAVP8n0sBbuzRm2zjgIg5T2LFDb4ZhLZIwFHJwZbxkBfwtFFAdMwXE7t89oYhZOPmGVa45ahh1sb26hi9uurd9tzmmhlxgl69p0wd72kylmrht0gekxhkg6xte8hkkdjz3620zdpap7h9xne8bliii51m48xec7464xwt0cpbtsm-587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.g91gxfkvgw4o40ghvf40i2uewh1f83ze3qlrvvd2h7hcyojjte916t5s1wyzqn4k@DUMTWGYUMALWHSKKSEIGBWARNTDXPLTTFFMBMLWYLIUTAFESJMZKIZCWSGUIROBXTNZGZVFKDZEDEIWOVWYEWBBPHVus-939814834-2.587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.co.uk] : creating new id
    2022:08:17-01:10:33 amg-2 [daemon:info] cssd[5717]:  [0xe810ab18] scan_part (saviscanner.c:478) Failed to create temp file : err'File name too long' , message id [loqrvrgAvXpSWphzrC2nw2Ul3yOsNCNjJPMa0TBmGR4t6cSoFLB1EmdxLSPoltyV9aW0Tncq46J18sfE3HwxTzVuiBItU7fT71JReL89IIhgb3p5-y03t48b1rnfh26t7mejdcl3ago0jazjujdeecf5tta1l7ljjpsnr4gsbvikw8ughykl0qgj9haleluo0c1i7808u9ig73mfr309cz9m-o3CmhOCf1Dz9Y8yIdkW8iH5QGk1C8nLC2dOaRggIKFIyD67GhUEprA5YKXrJb2b46P4OWanxFVW9STGZEbeVBaKbY1LZoq-sihw-d26z-bmdkvy47cloy2vwrnEYPKxtmjMUQsOuePHCltokc8Q1CR6oj7YkVQWLzyvgQaAVP8n0sBbuzRm2zjgIg5T2LFDb4ZhLZIwFHJwZbxkBfwtFFAdMwXE7t89oYhZOPmGVa45ahh1sb26hi9uurd9tzmmhlxgl69p0wd72kylmrht0gekxhkg6xte8hkkdjz3620zdpap7h9xne8bliii51m48xec7464xwt0cpbtsm-587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.g91gxfkvgw4o40ghvf40i2uewh1f83ze3qlrvvd2h7hcyojjte916t5s1wyzqn4k@DUMTWGYUMALWHSKKSEIGBWARNTDXPLTTFFMBMLWYLIUTAFESJMZKIZCWSGUIROBXTNZGZVFKDZEDEIWOVWYEWBBPHVus-939814834-2.587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.co.uk] : creating new id
    2022:08:17-01:10:33 amg-2 [daemon:info] cssd[5717]:  [0xe810ab18] scan_part (saviscanner.c:478) Failed to create temp file : err'File name too long' , message id [loqrvrgAvXpSWphzrC2nw2Ul3yOsNCNjJPMa0TBmGR4t6cSoFLB1EmdxLSPoltyV9aW0Tncq46J18sfE3HwxTzVuiBItU7fT71JReL89IIhgb3p5-y03t48b1rnfh26t7mejdcl3ago0jazjujdeecf5tta1l7ljjpsnr4gsbvikw8ughykl0qgj9haleluo0c1i7808u9ig73mfr309cz9m-o3CmhOCf1Dz9Y8yIdkW8iH5QGk1C8nLC2dOaRggIKFIyD67GhUEprA5YKXrJb2b46P4OWanxFVW9STGZEbeVBaKbY1LZoq-sihw-d26z-bmdkvy47cloy2vwrnEYPKxtmjMUQsOuePHCltokc8Q1CR6oj7YkVQWLzyvgQaAVP8n0sBbuzRm2zjgIg5T2LFDb4ZhLZIwFHJwZbxkBfwtFFAdMwXE7t89oYhZOPmGVa45ahh1sb26hi9uurd9tzmmhlxgl69p0wd72kylmrht0gekxhkg6xte8hkkdjz3620zdpap7h9xne8bliii51m48xec7464xwt0cpbtsm-587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.g91gxfkvgw4o40ghvf40i2uewh1f83ze3qlrvvd2h7hcyojjte916t5s1wyzqn4k@DUMTWGYUMALWHSKKSEIGBWARNTDXPLTTFFMBMLWYLIUTAFESJMZKIZCWSGUIROBXTNZGZVFKDZEDEIWOVWYEWBBPHVus-939814834-2.587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.co.uk] : creating new id
    2022:08:17-01:10:33 amg-2 [daemon:info] cssd[5717]:  [0xe810ab18] scan_part (saviscanner.c:478) Failed to create temp file : err'File name too long' , message id [loqrvrgAvXpSWphzrC2nw2Ul3yOsNCNjJPMa0TBmGR4t6cSoFLB1EmdxLSPoltyV9aW0Tncq46J18sfE3HwxTzVuiBItU7fT71JReL89IIhgb3p5-y03t48b1rnfh26t7mejdcl3ago0jazjujdeecf5tta1l7ljjpsnr4gsbvikw8ughykl0qgj9haleluo0c1i7808u9ig73mfr309cz9m-o3CmhOCf1Dz9Y8yIdkW8iH5QGk1C8nLC2dOaRggIKFIyD67GhUEprA5YKXrJb2b46P4OWanxFVW9STGZEbeVBaKbY1LZoq-sihw-d26z-bmdkvy47cloy2vwrnEYPKxtmjMUQsOuePHCltokc8Q1CR6oj7YkVQWLzyvgQaAVP8n0sBbuzRm2zjgIg5T2LFDb4ZhLZIwFHJwZbxkBfwtFFAdMwXE7t89oYhZOPmGVa45ahh1sb26hi9uurd9tzmmhlxgl69p0wd72kylmrht0gekxhkg6xte8hkkdjz3620zdpap7h9xne8bliii51m48xec7464xwt0cpbtsm-587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.g91gxfkvgw4o40ghvf40i2uewh1f83ze3qlrvvd2h7hcyojjte916t5s1wyzqn4k@DUMTWGYUMALWHSKKSEIGBWARNTDXPLTTFFMBMLWYLIUTAFESJMZKIZCWSGUIROBXTNZGZVFKDZEDEIWOVWYEWBBPHVus-939814834-2.587509738316235341520569473318976736710542266790853819867299096660341395612291277568545264273940974.co.uk] : creating new id
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  Args = , called by  4499 /usr/local/bin/ha_daemon 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'up2date-sys' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'up2date-pattern' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'cluster-basic' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'dhcpd-leases' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'logfiles' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'sandstorm_rrd' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  ### handle 'reporting' 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  198.19.250.1 -> 198.19.250.2 
    2022:08:17-01:12:27 amg-1 [user:notice] cluster_sync[16060]:  rsync --sockopts=SO_KEEPALIVE --archive --protect-args --delete /var/log/reporting/images/ ClusterSyncUser@198.19.250.2::cluster_sync/var/chroot-httpd/var/log/reporting/images_1 

  •  are you using any regex expression under the Antispam> Expression Filer in the Global profile ?

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • it fails to create the file, so I would suggest try reducing the length and then check !! 
    Or add it individually !!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • you mean the expression above? i deleted it and will monitor the logfile... thanks for your help.

  • Sure, please revert with your feedback after observation !! You're welcome !

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

Reply Children
No Data