This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Antivirus blocking all ReverseProxy/WAF requests

Over the last several weeks, we have been discovering that our websites go down for a period of 30-60 seconds a couple of times a day - with a HTTP response code of 400 during the outage.

Looking into the reverseproxy.log file about these outages, we discover that EVERY request for 30-60 seconds is (erroneously) flagged by the avscan engine as containing a virus. Example snippet, deidentified:

2017:01:13-09:32:52 asg-2 reverseproxy: [Fri Jan 13 09:32:52.839143 2017] [avscan:error] [pid 20852:tid 3910048624] [client x.x.x.x:31754] [20852] virus daemon error found in request blah-blah/blah.php, referer: http://blah.blah/blah
2017:01:13-09:32:52 asg-2 reverseproxy: [Fri Jan 13 09:32:52.953336 2017] [avscan:notice] [pid 20852:tid 3910048624] [client x.x.x.x:31754] mod_avscan_input_filter: virus found, referer: http://blah.blah/blah
2017:01:13-09:32:52 asg-2 reverseproxy: [Fri Jan 13 09:32:52.954189 2017] [proxy_http:error] [pid 20852:tid 3910048624] (13)Permission denied: [client x.x.x.x:31754] AH01095: prefetch request body failed to y.y.y.y:80 (y.y.y.y) from 204.63.207.1 (), referer: http://blah.blah/blah

We first started noticing this behavior in about middle of December 2016. We have since upgraded the firmware to most recent 9.409-9 and still noticing the issue.

I am worried that the AVScan patterns are operating incorrectly - that's the only thing I can imagine at this point to be the issue.

Does anyone have any input or advice?

Cheers!



This thread was automatically locked due to age.
Parents
  • Hi Sam,

    Which is the AV engine selected? Make sure it is set to AVIRA.

    Any help?

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thank you for responding.  Currently the system is on "Sophos", which I believe is the default.  What is the reason why AVIRA needs to be set instead of "Sophos"?

    Cheers

  • Switching AV scan engines shouldn't cause any disruption.  I configure all of my clients to use Avira as the single-scan as many of them have the Sophos Endpoint Antivirus.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, I am glad we are having this discussion, because it brings up an important clarification that I've thought about before and now needs answered:

    Does the Virus scanning engine defined in the "Management -> System Settings -> Scan Settings" tab refer to A) the Endpoint Antivirus feature scan engine on client computers or does it refer to B) the Web Application Firewall/Reverse Proxy HTTP/S request in-line virus scanner engine?

    Those are two entirely different use cases, and two entirely difference services.  I just want to make sure we're all looking at the same feature, here.  Again, I'm not interested in Enterprise anything or Endpoint anything, we're talking about PCI/HIPAA compliant web servers here.

    Cheers

  • I have learned that changing the Single Scan Engine does not restart the reverse proxy service - this is good news for us.

    I will monitor over the next 48 hours to see if this has had an effect upon or has fixed our issue.

    Cheers

Reply Children
No Data