Antivirus problems since update to 9.705

Since I updated from 9.703 to 9.705 my Webserver protection is going nuts.

Hundreds of repeating entries like this:

httpd[4958]: [avscan:error] [pid 4958:tid 3951270768] [client 2.3.9.4:9418] [4958] virus daemon error found in request /_matrix/client/r0/rooms/!skENoWILkfnJIfZBKC:met/read_markers
httpd[4958]: [avscan:notice] [pid 4958:tid 3951270768] [client 2.3.9.4:9418] mod_avscan_input_filter: virus found or MIME type blocked
httpd[4958]: [proxy_http:error] [pid 4958:tid 3951270768] (13)Permission denied: [client 2.3.9.4:9418] AH01095: prefetch request body failed to 10.0.0.10:443 from 2.3.9.4 ()
Fallback log shows this:
[daemon:info] cssd[10105]: [0xf5a523e0] scan_file (saviscanner.c:400) One of the files in a split-virus data set could not be located [0x8004022d]
If I select dual scan engine, nothing works and all Web Servers serve 403 forbidden.
If I restrict Antivirus to "Upload only" and to single scan with Sophos engine, it somehow works most of the time, but I still get the log entries as above. For some Web services I had to switch off Antivirus completely to make it work.
Also lots of core dumps (mostly confd.plx) since I've been using the new version.
With version 9.703 everything worked perfectly.
What went wrong?
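As an added triage aid (not part of this thread and not Sophos UTM code), the following Python parses the two log formats quoted above and separates the avscan "virus daemon error" entries from genuine block notices, correlating them with the cssd scanner failure. The sample lines are constructed after the post's excerpts with placeholder IPs, PIDs and room IDs, and the "scanner fault" verdict is an assumption drawn from the cssd message text.

```python
import re
from collections import Counter
# Constructed sample lines modelled on the thread's excerpts; IPs, PIDs and room IDs are placeholders.
HTTPD_LOG = """\
httpd[4958]: [avscan:error] [pid 4958:tid 3951270768] [client 2.3.9.4:9418] [4958] virus daemon error found in request /_matrix/client/r0/rooms/!ROOMID:example/read_markers
httpd[4958]: [avscan:notice] [pid 4958:tid 3951270768] [client 2.3.9.4:9418] mod_avscan_input_filter: virus found or MIME type blocked
httpd[4958]: [proxy_http:error] [pid 4958:tid 3951270768] (13)Permission denied: [client 2.3.9.4:9418] AH01095: prefetch request body failed to 10.0.0.10:443 from 2.3.9.4 ()
httpd[4961]: [avscan:error] [pid 4961:tid 3951270768] [client 2.3.9.4:9420] [4961] virus daemon error found in request /_matrix/client/r0/sync
"""
CSSD_LOG = """\
[daemon:info] cssd[10105]: [0xf5a523e0] scan_file (saviscanner.c:400) One of the files in a split-virus data set could not be located [0x8004022d]
"""

# httpd line: module:level, then the client IP, then the free-text message (lazy .*? skips the
# "(13)Permission denied:" prefix the proxy_http variant puts before the client field).
HTTPD_RE = re.compile(r"httpd\[\d+\]: \[(?P<module>\w+):(?P<level>\w+)\] .*?"
                      r"\[client (?P<client>[\d.]+):\d+\] (?P<msg>.*)")
DAEMON_ERR_RE = re.compile(r"virus daemon error found in request (?P<path>\S+)")
# cssd line: the status code is the last bracketed hex value on the line.
CSSD_RE = re.compile(r"cssd\[\d+\]: .*\[(?P<code>0x[0-9a-fA-F]{8})\]\s*$")

def parse_httpd(text):
    """One dict per recognised httpd line; 'path' is set only for avscan daemon errors."""
    events = []
    for line in text.splitlines():
        m = HTTPD_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        p = DAEMON_ERR_RE.search(ev["msg"])
        ev["path"] = p.group("path") if p else None
        events.append(ev)
    return events

def cssd_error_codes(text):
    """Count the hex status codes cssd logs when a scan fails."""
    return Counter(m.group("code") for m in map(CSSD_RE.search, text.splitlines()) if m)

def triage(httpd_text, cssd_text):
    events = parse_httpd(httpd_text)
    daemon_errors = [e for e in events if e["module"] == "avscan" and e["path"]]
    codes = cssd_error_codes(cssd_text)
    return {
        "daemon_errors": len(daemon_errors),
        "blocked_notices": sum(1 for e in events if e["module"] == "avscan" and "virus found or MIME" in e["msg"]),
        "paths": Counter(e["path"] for e in daemon_errors),
        "clients": Counter(e["client"] for e in daemon_errors),
        "cssd_codes": codes,
        # Assumption: daemon errors coinciding with cssd failing to locate its data set are scanner
        # faults, so the resulting 403s are false positives rather than detections.
        "scanner_fault": bool(daemon_errors) and bool(codes),
    }
```

Feed it the Webserver Protection and Fallback log excerpts (e.g. `triage(open("httpd.log").read(), open("fallback.log").read())`) to see which paths and clients are being rejected by scanner errors rather than real detections.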
  • Hallo Edmund,

    This is not a problem I've seen elsewhere here.  Have you tried restoring the backup made just prior to Up2Dating from 9.703?  If that doesn't work, does a reboot solve this?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, thanks for your answer.

    I was busy with other things the last days, but I will start to collect logs and dumps in the next days.

    Reboot will help only for a couple of hours.
    I will try to restore the 9.703 backup.

    Does a restore clean up the antivirus engine files as well? I had a lot of crashing of cssd.

  • In rare situations, Edmund, an Up2Date will corrupt a configuration, hence the suggestion to try restoring the pre-Up2Date backup.  If that doesn't work, a possible, rarer problem is an Up2Date "breaks" something that's not a part of the configuration backup, and the only solution I've seen is re-imaging from ISO and restoring a backup.  I've successfully used WinSCP to get logs off a machine that was "broken" by the 9.702-2 Up2Date and then loaded them back onto the newly re-imaged machine.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA