This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Virus Hits not logged anymore

Hi All,


As recently as December, viruses caught via the web proxy on my UTM appliance (9.353-4; ASG320) showed up in the proxy log with a nicely searchable "virus detected" name label. I was able to dredge them up, check referrers and such and start to create a nice list of ad sites to block.

For reasons I don't understand, this no longer seems to happen. I see in the Daily Executive Report for a day in January that there were 4 viruses blocked via the web proxy - but I can't find any log entries for the event! i can grep for "virus" and nothing is found. Other than adding domains to the Malicious site category (via Web Protection >> Filtering Options >> Websites), I haven't made any configuration changes.

Is this a bug? Is the Exec Rpt lying to me?



This thread was automatically locked due to age.
  • Hi,

    As I understand the "Executive Report" is based on the log files. When the report shows that a virus was found, there must be also an entry in the logfiles.

    What happens when you try to download the EICAR test virus via secure.eicar.org/eicar.com ? In my case the logfile shows a "virus detected" entry and also the "Executive Report". When I disable "Log blocked pages" in the filter action of my web proxy, the virus is still blocked, but the log and the "Executive Report" have no entries about found viruses.

    Jas Man

  • Thanks, Jas Man.

    I pulled the zip file version and did what you suggested. The event was logged just fine.

    In the course of looking at, a thought occurred to me - I had to turn off the dual scan for a few weeks because the processor went thru the roof a little while ago for no good reason. When I dropped to single pass, the processor calmed down. The single scan was using the Sophos engine, meaning the second one was Avira and unused when the virus hit I'm trying to find had occurred. I've since turned the dual scan back up, assuming that there was some sort of messed up signature that was freaking out the non-Sophos engine (it's back to normal now). When I ran the test you suggested, the log line was added and the engine was "SAVI" (Avira).

    So maybe the problem is that the Sophos hits don't log correctly. Idk. I can grep for "virus detected" on the log I just created and the hit is found right away. If I do the same for the day where the Sophos-only detection occurred (hell, I can run it for the whole month and get the same result), I get nothing.

    I tried to enable single scan and select Sophos, re-downloaded the virus test file, and the engine reported in the log is still "SAVI." So I don't know if "SAVI" means some combo of the two engines (if so, then why enter the engine at all if it'll always be the same?!) - or if the attempt to force a Sophos-only operation didn't work (or I didn't wait long enough).

    Regardless, I think I can safely stop worrying about the logs not showing up. Thanks much.

  • Interesting!  Do you also use UTM Endpoint on the device and do you have things configured so that things aren't scanned both on the UTM and the client?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No. We use ESET on the endpoints in order to get a "defense in depth" benefit. There were no notifications on the day in question from the endpoints.

    Related side-question - please advise if this should be a different topic.... how can you find the log lines noting where malware has been detected and blocked by the firewall? With a few-hundred thousand lines a day, it's hard to go line by line to look for an example alert. I tried searching for "malware", but that doesn't work.

  • SAVI is Sophos Anti-VIrus.  Avira is listed as "Avira" in the logs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. I understand the names now.

    In the meantime, the report for yesterday shows 2 viruses were blocked. See the below snippet from the report.

    I downloaded the web filtering log, decompressed and searched for "virus detected". The result was 1 line, not 2. Below is that solo log line. For obvious reasons, it's really helpful to see these darn log entries!!!

    2016:03:07-13:06:36 wall-1 httpproxy[2045]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.168.0.58" dstip="107.178.115.110" user="teller" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2673" request="0xdcf6c000" url="www.underbert.net/.../index.html" referer="" error="" authtime="6" dnstime="35268" cattime="10770" avscantime="275730" fullreqtime="853552" device="0" auth="1" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States" content-type="text/html" virus="Mal/Phish-A" engine="SAVI"