Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 2 subscribers
  • Views 8263 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - Antivirus not working

Jeff x

I can no longer use Filtering->Antivirus, Single Scan, Uploads  in any of my WAF Firewall Profiles. I get the following message on all webpages when I try to access any of the websites:

 

...

Bad Request

Your browser sent a request that this server could not understand.

Error Reason

The request was blocked because an uploaded file contains a virus (daemon connection problem).

...

Below is what I see in the WAF log:

...

2017:01:11-20:34:01 gateway reverseproxy: [Wed Jan 11 20:34:01.810621 2017] [avscan:error] [pid 8737:tid 4021365616] [client 2.2.2.2:51202] [8737] cannot connect: Connection refused (111)
2017:01:11-20:34:01 gateway reverseproxy: [Wed Jan 11 20:34:01.810679 2017] [avscan:error] [pid 8737:tid 4021365616] [client 2.2.2.2:51202] [8737] virus daemon connection problem found in request /support/
2017:01:11-20:34:01 gateway reverseproxy: [Wed Jan 11 20:34:01.810731 2017] [avscan:notice] [pid 8737:tid 4021365616] [client 2.2.2.2:51202] mod_avscan_input_filter: virus found
2017:01:11-20:34:01 gateway reverseproxy: [Wed Jan 11 20:34:01.810752 2017] [proxy_http:error] [pid 8737:tid 4021365616] (13)Permission denied: [client 2.2.2.2:51202] AH01095: prefetch request body failed to 10.10.10.10:443 (10.10.10.10) from 2.2.2.2 ()
2017:01:11-20:34:01 gateway reverseproxy: id="0299" srcip="2.2.2.2" localip="100.100.100.100" size="341" user="-" host="2.2.2.2" method="GET" statuscode="400" reason="av" extra="virus daemon connection problem found" exceptions="-" time="2275" url="/support/" server="www.mysite.com" referer="-" cookie="-" set-cookie="-"

2017:01:11-21:28:26 gateway reverseproxy: [Wed Jan 11 21:28:26.776837 2017] [avscan:error] [pid 7182:tid 3963358064] [client 2.2.2.2:51380] [7182] cannot connect: Connection refused (111)
2017:01:11-21:28:26 gateway reverseproxy: [Wed Jan 11 21:28:26.777052 2017] [avscan:error] [pid 7182:tid 3963358064] [client 2.2.2.2:51380] [7182] virus daemon connection problem found in request /support/
2017:01:11-21:28:26 gateway reverseproxy: [Wed Jan 11 21:28:26.777137 2017] [avscan:notice] [pid 7182:tid 3963358064] [client 2.2.2.2:51380] mod_avscan_input_filter: virus found
2017:01:11-21:28:26 gateway reverseproxy: [Wed Jan 11 21:28:26.777197 2017] [proxy_http:error] [pid 7182:tid 3963358064] (13)Permission denied: [client 2.2.2.2:51380] AH01095: prefetch request body failed to 10.10.10.10:443 (10.10.10.10) from 2.2.2.2 ()

...

I'm not sure if the last update caused this or not but it used to work. I rebooted the Sophos box but that did not help.

What does the log indicate and what should I check next?



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

     

    it seems that the virus scanner is not responding. It might help if you switch the engine from Sophos to Avira under Management > System Settings > Scan Settings.

    You can also have a look into /var/log/fallback.log if there are any error messages regarding AV (internally called cssd).

     

    Best,

     Sabine

  • 0 in reply to Evianne

    I already tried switching from Sophos to Avira. Got the same results.

     

    Here is what I see in the fallback.log:

    ...

    2017:01:11-21:28:26 gateway reverseproxy: id="0299" srcip="2.2.2.2" localip="100.100.100.100" size="341" user="-" host="2.2.2.2" method="GET" statuscode="400" reason="av" extra="virus daemon connection problem found" exceptions="-" time="28134" url="/support/" server="www.mysite.com" referer="-" cookie="SWIFT_visitorsession=%7B%22isbanned%22%3A%220%22%7D; SWIFT_sessionid40=SgsmoG8lIGbG5t8wTLPj2i2F1Z3c7692f11d22cbfe684ef53d0feedee037f45012pR8csEmKxUbU; SWIFT_sessionid80=uo5PDLHlba0e20609abddef80bb02e95a0eab5380dcc9f7e921cgdwVyFiGwB5FbrxlF5rOWF; sid_customer_cdaf9=00f8b078905127eb710e5221306d42cd-1-C; SWIFT_client=%7B%22templategroupid%22%3A%221%22%7D; SWIFT_visitor=%7B%225%22%3A%22US%22%2C%2212%22%3A%22United+States%22%2C%226%22%3A%22Virginia%22%2C%221%22%3A%22Woodbridge%22%2C%227%22%3A%2222191%22%2C%228%22%3A%2238.6257%22%2C%229%22%3A%22-77.2665%22%2C%2210%22%3A%22511%22%2C%2211%22%3A%22703%22%2C%2213%22%3A%22%22%2C%22geoip%22%3A1%2C%22notecheck%22%3A%221%22%2C%22sessionid%22%3A%22uo5PDLHlba0e20609abddef80bb02e95a0eab5380dcc9f7e921cgdwV
    2017:01:11-21:28:26 gateway reverseproxy: yFiGwB5FbrxlF5rOWF%22%2C%22lastvisit%22%3A1484185848%7D" set-cookie="-"

    ...

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Reply
  • 0 in reply to Evianne

    I already tried switching from Sophos to Avira. Got the same results.

     

    Here is what I see in the fallback.log:

    ...

    2017:01:11-21:28:26 gateway reverseproxy: id="0299" srcip="2.2.2.2" localip="100.100.100.100" size="341" user="-" host="2.2.2.2" method="GET" statuscode="400" reason="av" extra="virus daemon connection problem found" exceptions="-" time="28134" url="/support/" server="www.mysite.com" referer="-" cookie="SWIFT_visitorsession=%7B%22isbanned%22%3A%220%22%7D; SWIFT_sessionid40=SgsmoG8lIGbG5t8wTLPj2i2F1Z3c7692f11d22cbfe684ef53d0feedee037f45012pR8csEmKxUbU; SWIFT_sessionid80=uo5PDLHlba0e20609abddef80bb02e95a0eab5380dcc9f7e921cgdwVyFiGwB5FbrxlF5rOWF; sid_customer_cdaf9=00f8b078905127eb710e5221306d42cd-1-C; SWIFT_client=%7B%22templategroupid%22%3A%221%22%7D; SWIFT_visitor=%7B%225%22%3A%22US%22%2C%2212%22%3A%22United+States%22%2C%226%22%3A%22Virginia%22%2C%221%22%3A%22Woodbridge%22%2C%227%22%3A%2222191%22%2C%228%22%3A%2238.6257%22%2C%229%22%3A%22-77.2665%22%2C%2210%22%3A%22511%22%2C%2211%22%3A%22703%22%2C%2213%22%3A%22%22%2C%22geoip%22%3A1%2C%22notecheck%22%3A%221%22%2C%22sessionid%22%3A%22uo5PDLHlba0e20609abddef80bb02e95a0eab5380dcc9f7e921cgdwV
    2017:01:11-21:28:26 gateway reverseproxy: yFiGwB5FbrxlF5rOWF%22%2C%22lastvisit%22%3A1484185848%7D" set-cookie="-"

    ...

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Children
  • 0 in reply to Jeff x

    That's the reverseproxy.log. ;-)

  • 0 in reply to Evianne

    Evianne said:

    That's the reverseproxy.log. ;-) 

    I'm not sure how that happened since  'fallback.log' and 'reverseproxy.log' are not even close enough to one another in the file list for me to select the wrong one. Strange...

    Currently, I do not see any errors in the 'fallback.log'. I switched to Avira, again, and rebooted the box but that made no difference. I switched back to Sophos and that made no difference. I rebooted the box a second time and now it's working.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Unfiltered HTML