Over the last several weeks, we have been discovering that our websites go down for a period of 30-60 seconds a couple of times a day, with an HTTP response code of 400 during the outage.
Looking into the reverseproxy.log file around these outages, we discovered that EVERY request for 30-60 seconds is (erroneously) flagged by the avscan engine as containing a virus. Example snippet, deidentified:
2017:01:13-09:32:52 asg-2 reverseproxy: [Fri Jan 13 09:32:52.839143 2017] [avscan:error] [pid 20852:tid 3910048624] [client x.x.x.x:31754] [20852] virus daemon error found in request blah-blah/blah.php, referer: http://blah.blah/blah
2017:01:13-09:32:52 asg-2 reverseproxy: [Fri Jan 13 09:32:52.953336 2017] [avscan:notice] [pid 20852:tid 3910048624] [client x.x.x.x:31754] mod_avscan_input_filter: virus found, referer: http://blah.blah/blah
2017:01:13-09:32:52 asg-2 reverseproxy: [Fri Jan 13 09:32:52.954189 2017] [proxy_http:error] [pid 20852:tid 3910048624] (13)Permission denied: [client x.x.x.x:31754] AH01095: prefetch request body failed to y.y.y.y:80 (y.y.y.y) from 204.63.207.1 (), referer: http://blah.blah/blah
We first started noticing this behavior in about the middle of December 2016. We have since upgraded the firmware to the most recent 9.409-9 and are still noticing the issue.
I am worried that the AVScan patterns are operating incorrectly; that's the only thing I can imagine at this point to be the issue.
Does anyone have any input or advice?
Cheers!
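To triage reports like the one above, it helps to separate real detections ("virus found") from scanner failures ("virus daemon error") and to measure how long each failure window lasts. The script below is an added example, not code from the post or from Sophos: it parses the reverseproxy.log format quoted above (the field layout and the sample lines are constructed from the three quoted entries) and groups consecutive daemon-error lines into bursts so the outage windows can be correlated with the 400 responses.

```python
import re
from datetime import datetime

# Pattern for the UTM reverseproxy.log lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ reverseproxy: '
    r'\[[^\]]+\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] '
    r'\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)

def parse_line(line):
    # Returns a dict of fields for one log line, or None if it does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y:%m:%d-%H:%M:%S')
    return rec

def daemon_error_bursts(lines, gap_seconds=5):
    """Group avscan 'virus daemon error' lines into bursts of hits no more than
    gap_seconds apart ('virus found' lines are genuine detections and are
    skipped). Returns a list of {'start', 'end', 'count'} dicts."""
    bursts, cur = [], None
    for line in lines:
        rec = parse_line(line)
        if not rec or rec['module'] != 'avscan' or 'virus daemon error' not in rec['msg']:
            continue
        ts = rec['ts']
        if cur and (ts - cur['end']).total_seconds() <= gap_seconds:
            cur['end'], cur['count'] = ts, cur['count'] + 1
        else:
            if cur:
                bursts.append(cur)
            cur = {'start': ts, 'end': ts, 'count': 1}
    if cur:
        bursts.append(cur)
    return bursts

def _line(ts, mod, lvl, msg):  # builds constructed sample lines in the post's format
    return (f"{ts} asg-2 reverseproxy: [Fri Jan 13 2017] [{mod}:{lvl}] "
            f"[pid 20852:tid 3910048624] [client x.x.x.x:31754] {msg}")
# Constructed sample: a 3-second run of daemon errors, then one isolated error later.
SAMPLE_LOG = [
    _line('2017:01:13-09:32:52', 'avscan', 'error', '[20852] virus daemon error found in request a/b.php'),
    _line('2017:01:13-09:32:52', 'avscan', 'notice', 'mod_avscan_input_filter: virus found'),
    _line('2017:01:13-09:32:53', 'avscan', 'error', '[20852] virus daemon error found in request a/c.php'),
    _line('2017:01:13-09:32:55', 'avscan', 'error', '[20852] virus daemon error found in request a/d.php'),
    _line('2017:01:13-10:15:01', 'avscan', 'error', '[20852] virus daemon error found in request a/e.php'),
]
```

Run `daemon_error_bursts(open('reverseproxy.log').readlines())` on a real log and compare each burst's start/end with the times the 400 responses were observed; a burst of daemon errors with no matching "virus found" lines points at the scanner daemon rather than at the pattern set.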