How to configure AV file size and/or number of files?

Steflstefan
Level 1

Hi @All,

Sometimes I get a warning from SophosAV.
Log: This message was treated as unscannable because scanning exceeded the configured Sophos Anti-Virus file size or number of files.

Where is the config item for AV file size and number of files?
In the GUI, under the SophosAV Global Settings, you can only configure the Virus Scanning Timeout but no file size or number of files.

AsyncOS 12.5

Thanks for hints.
Grz Stefan

pchakra2
Cisco Employee

Hey,

Can you confirm if you are getting these in the mail logs for the occurrence you have mentioned:

Message xxxx scanned by Anti-Virus engine Sophos. Interim verdict: UNSCANNABLE

Message xxxx is unscannable by Anti-Virus engine. '0x' body.scan

You can check the same from ESA's Command Line Interface.

Best Regards,

From mail_log:

Wed Sep 18 08:37:54 2019 Warning: MID 34802465 message scanning problem using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured file size or number of files.
Wed Sep 18 08:37:54 2019 Info: MID 34802465 interim AV verdict using Sophos UNSCANNABLE
Wed Sep 18 08:37:54 2019 Info: MID 34802465 antivirus unscannable '0x' body.scan

Rgds
Stefan

Thanks for the details Stephen.

Please share the output of the below commands from the CLI:

antivirusconfig --> Sophos --> tune (hidden command) --> Keep pressing Enter and you will see as below. Please copy and paste outputs from your ESA.

Example Output:

Sophos Anti-Virus: Enabled

Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
[]> tune

Number of low-level scanning objects within the Anti-virus server (usually five):
[5]>

Choose an Anti-Virus server scanning policy:
1. Default
2. Fast - Early exit on virus and unscannable errors
3. Aggressive - Prevent repair actions in server
[1]> 1

Enter the maximum depth of attachment recursion to scan (usually 100):
[100]>

Enter the maximum subfiles to scan (recommended 3500):
[3500]>

Sophos Anti-Virus: Enabled

Best Regards,

Hi,

If I try antivirusconfig sophos tune I get this...

(Cluster RCH Test)> antivirusconfig sophos tune

Invalid arguments when processing antivirusconfig:
antivirusconfig sophos tune must have at least 1 argument.

Hello Stephan,

You are mistaken, the commands need to be entered in sequence.

lab.esa.com> antivirusconfig

Choose the operation you want to perform:
- SOPHOS - Configure Sophos Anti-Virus.
- MCAFEE - Configure McAfee Anti-Virus.
[]> SOPHOS

Sophos Anti-Virus: Enabled

Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
[]> tune

OK Sorry.
I've tried and got:

(Cluster RCH Test)> antivirusconfig

Sophos Anti-Virus: Enabled


Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
- CLUSTERSET - Set how Sophos Anti-Virus is configured in a cluster.
- CLUSTERSHOW - Display how Sophos Anti-Virus is configured in a cluster.
[]> tune

Anti-Virus server performance tuning:
1. Default - moderate settings
2. Fast - favor system throughput - no timeout handling, aggressive scanning
3. Custom
[1]>

Number of low-level scanning objects within the Anti-virus server (usually five):
[5]>

Choose an Anti-Virus server scanning policy:
1. Default
2. Fast - Early exit on virus and unscannable errors
3. Aggressive - Prevent repair actions in server
[1]>

Enter the maximum depth of attachment recursion to scan (usually 100):
[100]>

Enter the maximum subfiles to scan (recommended 3500):
[3500]>

It looks like you described before.
Should I set the "Number of low-level scanning objects within the Anti-virus server" to a higher value?

Rgds
Stefan

Thanks for the output.

The occurrence is related to a bug CSCup86350; that bug is fixed in the latest versions but a small tweak is needed in the following value. To be more precise, to 'tune' the Sophos engine maximum subfiles to scan:

******
Output snipped
******

Enter the maximum subfiles to scan (recommended 3500):
[3500]> 5000

Post that, commit the changes and observe the traffic flows for a while. If the issue doesn't resolve after this, please revert the changes to default 3500 and submit a case to TAC for further analysis.

Best Regards,
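
Added example, not part of the original thread and not Cisco tooling: one way to observe the effect of the subfile change is to count, per day, how many messages in mail_logs ended UNSCANNABLE because of the "file size or number of files" limit. The sample lines are constructed from the log format quoted earlier in the thread; the CLEAN verdict line and MIDs other than 34802465 are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the mail_logs format quoted in this thread (extra MIDs are made up).
SAMPLE_LOG = """\
Wed Sep 18 08:37:54 2019 Warning: MID 34802465 message scanning problem using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured file size or number of files.
Wed Sep 18 08:37:54 2019 Info: MID 34802465 interim AV verdict using Sophos UNSCANNABLE
Wed Sep 18 08:37:54 2019 Info: MID 34802465 antivirus unscannable '0x' body.scan
Wed Sep 18 09:02:11 2019 Info: MID 34802470 interim AV verdict using Sophos CLEAN
Thu Sep 19 10:15:03 2019 Warning: MID 34802512 message scanning problem using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured file size or number of files.
Thu Sep 19 10:15:03 2019 Info: MID 34802512 interim AV verdict using Sophos UNSCANNABLE
Thu Sep 19 11:40:27 2019 Info: MID 34802530 interim AV verdict using Sophos UNSCANNABLE
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (\w+): MID (\d+) (.*)$")
VERDICT_RE = re.compile(r"interim AV verdict using Sophos (\w+)")
LIMIT_TEXT = "exceeded the configured file size or number of files"

def summarize(log_text):
    """Return {date: {scanned, limit_exceeded, unscannable_other}} keyed by ISO date."""
    limit_mids = set()   # MIDs that logged the size/file-count warning
    verdicts = {}        # MID -> (date, interim Sophos verdict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue     # skip lines without a MID (connection events etc.)
        ts, _level, mid, rest = m.groups()
        day = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y").date().isoformat()
        if LIMIT_TEXT in rest:
            limit_mids.add(mid)
        v = VERDICT_RE.search(rest)
        if v:
            verdicts[mid] = (day, v.group(1))
    daily = defaultdict(Counter)
    for mid, (day, verdict) in verdicts.items():
        daily[day]["scanned"] += 1
        if verdict == "UNSCANNABLE":
            # Separate the limit-related cases from other unscannable causes.
            daily[day]["limit_exceeded" if mid in limit_mids else "unscannable_other"] += 1
    return {d: dict(c) for d, c in sorted(daily.items())}

if __name__ == "__main__":
    for day, counts in summarize(SAMPLE_LOG).items():
        print(day, counts)
```

Comparing the `limit_exceeded` count for days before and after the commit shows whether the new value reduced these verdicts; a count that stays flat is the condition under which the answer above says to revert to 3500 and open a TAC case.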

Hi,

Thanks a lot for help.

I'll set this value and monitor the load and behavior on the appliance.

Regards

Stefan

It's always a pleasure to help Stefan. Have a great day :)
Best Regards,