This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help analyzing WAF / reverse proxy log

jkm005 over 5 years ago

One user is generating Antivirus Daemon Error's in our Web Protection Log. About 30.000 a day.

Same rule is used for OWA - errors seems to come only from ActiveSync client.

I would like to understand what causes these Daemon Errors- Guess I need to be pointed in the right log direction :)

Thank you.

This thread was automatically locked due to age.

Parents

0 lferrara over 5 years ago

tail –f /log/reverseproxy.log

Did you try this command from advanced shell?
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

Thanks!

It doesn't give me much more understanding, but this is what I see:

[avscan:error] [pid 24125:tid 120565068830464] [25125]nvirus daemon error found in request /Microsoft-Server-ActiveSync method="POST" statuscode="403" reason="Antivirus" extra="daemon error"
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 jkm005 over 5 years ago in reply to lferrara

Thanks!

It doesn't give me much more understanding, but this is what I see:

[avscan:error] [pid 24125:tid 120565068830464] [25125]nvirus daemon error found in request /Microsoft-Server-ActiveSync method="POST" statuscode="403" reason="Antivirus" extra="daemon error"
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lferrara over 5 years ago in reply to jkm005

Reason is the antivirus. Try to uncheck antivirus scanning. Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

Thanks again :)

So I made an exception to path /Microsoft-Server-ActiveSync? comming for this source IP, skip antivirus. Still we get this:

/Microsoft-Server-ActiveSync

Antivirus

daemon err
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 5 years ago in reply to jkm005

Uhm...Is the antivirus correctly updated? Check the Patterns under Backup & Firmware.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

Yes I think it is:

Sophos AV

1.0.14760

-

19:05:51, Oct 25 2019

Success
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 5 years ago in reply to jkm005

Avira?
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

Yes also updated. I did try to switch to that at some point, but it made no difference. I will try to reboot the XG later today (not that I think that will do much, but better try :))
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 5 years ago in reply to jkm005

Ok. Please let us know.
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

The reboot actually may have helped :)

Not one reason="Antivirus" for any clients in 1½ hour. Even deleted the exception.

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

Well that lasted for aprox 72 hours.

Now this is starting again for same client + 2 others :/
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 5 years ago in reply to lferrara

Actually what we see is that all these Daemon Errors are coming from Huawei devices. Is there something going on with Huawei native mail client perhaps?
Cancel
Vote Up 0 Vote Down

Cancel