Proxy broken with latest malware AV pattern update - lost all web access

I'm currently running SFOS 16.05.0 RC-1 XG Firewall.

I've noticed that the latest Sophos AV pattern (1.0.10487 - 14:19:14, Feb 06 2017) completely broke the proxy and web access. As soon as the AV pattern was updated, whenever I tried to browse to a webpage, I got a 500 error from the proxy. This seems to affect both Chrome and Safari on Mac, iOS and Android devices. (Didn't test on Linux or Windows.)

Either disabling malware scanning in the FW rule and/or changing AV engines away from the Sophos AV engine fixed the issue.

Has anyone else had the same problem? Is this a known issue, and is a fix to be released?



  • I've also tried updating XG firmware to the latest version - SFOS 16.05.1 MR-1.

    However, the problem still exists. If I try to manually update the pattern, the Sophos AV pattern is now stuck in a "Failed" state.

    Avira seems to be working fine.

  • Michael,

    Did you find something interesting inside the u2.log from /var/tslog from the advanced shell?

    Thanks

  • Thanks for your help...

    I had a quick look.   When I tail the log and click to manually update the patterns, I do see the following...

    It seems to fail to install the latest pattern.  Any ideas?

    Wed Feb 08 08:44:31 2017 Starting download for file avira_1.00_1.0.18085_fdiff20.tar.gz.gpg
    Wed Feb 08 08:44:32 2017 Starting download for file savi_1.00_1.0.10494_fdiff20.tar.gz.gpg
    Wed Feb 08 08:45:31 2017 Download completed for file avira_1.00_1.0.18085_fdiff20.tar.gz.gpg
    gpg: Signature made Wed Feb  8 08:01:46 2017 EST using RSA key ID 6A20EB0B
    gpg: NOTE: trustdb not writable
    gpg: Good signature from "Sophos Up2Date Server <updates@sophos.com>"
    Wed Feb 08 08:45:33 2017 Download for file avira_1.00_1.0.18085_fdiff20.tar.gz.gpg passed integrity and gpg checks
    Wed Feb 08 08:45:33 2017 Either FILE or MSID received in U2DVERSION is blank, avira_18065-18085.tar.gz,
    Wed Feb 08 08:45:33 2017 Current avira patterns are at /content/avira_1.00/1.0.18083
    Wed Feb 08 08:45:33 2017 New updated  patterns are now at /content/avira_1.00/1.0.18085
    Wed Feb 08 08:46:25 2017 Updated signature db for avira, version = 1.0.18085.
    Wed Feb 08 08:46:25 2017 Deleted pattern for module avira, version = 1.0.18083 at /content/avira_1.00/1.0.18083.
    Wed Feb 08 08:46:25 2017 Download completed for file savi_1.00_1.0.10494_fdiff20.tar.gz.gpg
    gpg: Signature made Wed Feb  8 03:16:22 2017 EST using RSA key ID 6A20EB0B
    gpg: NOTE: trustdb not writable
    gpg: Good signature from "Sophos Up2Date Server <updates@sophos.com>"
    Wed Feb 08 08:46:26 2017 Download for file savi_1.00_1.0.10494_fdiff20.tar.gz.gpg passed integrity and gpg checks
    Wed Feb 08 08:46:27 2017 Either FILE or MSID received in U2DVERSION is blank, savi_10474-10494.tar.gz,
    Wed Feb 08 08:46:27 2017 Current savi patterns are at /content/savi_1.00/1.0.10487
    Wed Feb 08 08:46:27 2017 New updated  patterns are now at /content/savi_1.00/1.0.10494
    Wed Feb 08 08:46:30 2017 Callback u2d_pt_installed failed for savi, version = 1.0.10494.
    Wed Feb 08 08:46:30 2017 Setting status 'fail' in DB and reverting link for savi to old version = 1.0.10487.
    Wed Feb 08 08:46:30 2017 savi patterns are again at /content/savi_1.00/1.0.10487
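
Added example (not part of the thread and not Sophos code): a small Python parser for the u2.log message formats quoted in the post above, reporting per module whether the verified pattern was installed or rolled back. The names `summarize`, `EVENTS` and `SAMPLE_LOG` are assumptions; the sample lines are copied from the excerpt.

```python
import re

# Constructed sample: lines copied from the u2.log excerpt quoted in the thread.
SAMPLE_LOG = """\
Wed Feb 08 08:45:33 2017 Download for file avira_1.00_1.0.18085_fdiff20.tar.gz.gpg passed integrity and gpg checks
Wed Feb 08 08:46:25 2017 Updated signature db for avira, version = 1.0.18085.
Wed Feb 08 08:46:26 2017 Download for file savi_1.00_1.0.10494_fdiff20.tar.gz.gpg passed integrity and gpg checks
Wed Feb 08 08:46:30 2017 Callback u2d_pt_installed failed for savi, version = 1.0.10494.
Wed Feb 08 08:46:30 2017 Setting status 'fail' in DB and reverting link for savi to old version = 1.0.10487.
"""

VER = r"(?P<ver>\d+(?:\.\d+)+)"
# One regex per log message type seen in the excerpt (hypothetical event names).
EVENTS = {
    "verified": re.compile(r"Download for file (?P<mod>[a-z]+)_[\d.]+_" + VER
                           + r"_\S+ passed integrity and gpg checks"),
    "installed": re.compile(r"Updated signature db for (?P<mod>\w+), version = " + VER),
    "failed": re.compile(r"Callback u2d_pt_installed failed for (?P<mod>\w+), version = " + VER),
    "reverted": re.compile(r"reverting link for (?P<mod>\w+) to old version = " + VER),
}


def summarize(log_text):
    """Map each pattern module to the versions seen per event and a final state."""
    modules = {}
    for line in log_text.splitlines():
        for event, pattern in EVENTS.items():
            match = pattern.search(line)
            if match:
                modules.setdefault(match["mod"], {})[event] = match["ver"]
    for info in modules.values():
        if "failed" in info:
            info["state"] = "rolled_back"
            # True when the version that failed to install had passed the gpg
            # check, i.e. the failure happened after verification, at install time.
            info["signature_ok"] = info.get("verified") == info["failed"]
        elif "installed" in info:
            info["state"] = "current"
        else:
            info["state"] = "pending"
    return modules


if __name__ == "__main__":
    for module, info in sorted(summarize(SAMPLE_LOG).items()):
        print(module, info)
```

A `rolled_back` state with `signature_ok` true, as for savi in this sample, means the download verified and the failure came at install, leaving the module on the older pattern version.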

  • Michael,

    Thanks for the log. Try to move the content folder to a new name as suggested in this thread and let us know.

    Regards

  • Sorry I didn't get back to you earlier.

    I didn't have success with your suggestion. I did try to move the content folder to a new name; however, that just made things worse.

    I didn't seem to solve the issue, and worse still, when I tried to reboot, it would now only boot into failsafe mode.

    I simply didn't have the time to troubleshoot anymore, so I re-imaged and restored from backup. Luckily I had recent backups.

    Once the FW was re-imaged, the new Sophos pattern downloaded and installed correctly, and it once again started working.

    Either way, thanks for your help.