Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1706
Views
0
Helpful
3
Replies

'0x0' body.scan

davidbart8
Level 1
Level 1

‎01-25-2014 02:03 AM

Hello guys,

I have received a warning for unscannable due to antivirus timeout , when I searched within the logs I found this :

'0x0' body.scan

I tried to increase the timeout but  I still receive this warning frequently , this is happening mostly for xls attachment any idea ???

Labels:
0 Helpful
3 Replies 3

srussell
Level 1
Level 1

‎01-25-2014 05:21 AM

Hi David,

Can you post the version of AsyncOS your appliance is running?

What are you seeing in the mail logs?  From the CLI if you run:

ESA> grep "unscannable" mail_logs

Steve Russell

RTP - Content Security

0 Helpful

davidbart8
Level 1
Level 1
In response to srussell

‎01-25-2014 05:51 AM

Hi Steven

I am running on 7.6.2-014 , I can find this in mail_logs

This message was treated as unscannable because scanning exceeded the configured Anti-Virus

timeout period (120).

Message ######## scanned by Anti-Virus engine Sophos. Interim verdict: UNSCANNABLE

Message ######## is unscannable by Anti-Virus engine. '0x' body.scan

0 Helpful

Robert Sherwin
Cisco Employee
Cisco Employee
In response to davidbart8

‎01-27-2014 08:06 PM

David -

If you can, please provide the complete message tracking, or mail_logs snippet for this, or other failed XLS attached messages. 

Also - with the messages you are seeing this occurring on...

+ Are they usually from the same sender? 

+ What is the complete message size?

+ What version of AsyncOS is your appliance running?

+ Have you verified the lastest engine/ruleset is in play on the appliance(s)?  Run 'avstatus' - or, run a 'force update to assure the lastest is running ---> 'antivirusupdate force'

It is possible that the files may be have either malformed MIME parts or deeply nested MIME - which may be treated as unreadable by the Sophos engine --- in which case, we would need to get the file itself submitted direct to Sophos for review and possibly updating the engine associated with our OS.

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Cheers,
Robert Sherwin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents