09-18-2019 12:11 AM
Hi @All,
Sometimes I get a warning from SophosAV.
Log: This message was treated as unscannable because scanning exceeded the configured Sophos Anti-Virus file size or number of files.
Where is the config item for AV file size and number of files?
In the GUI, under the SophosAV Global Settings, you can only configure the Virus Scanning Timeout, but not the file size or number of files.
AsyncOS 12.5
Thanks for hints.
Grz Stefan
09-18-2019 12:57 AM
Hey,
Can you confirm if you are getting these in the mail logs for the occurrence you have mentioned :
Message xxxx scanned by Anti-Virus engine Sophos. Interim verdict: UNSCANNABLE
Message xxxx is unscannable by Anti-Virus engine. '0x' body.scan
You can check the same from ESA's Command Line Interface.
Best Regards,
09-18-2019 01:09 AM
From mail_log:
Wed Sep 18 08:37:54 2019 Warning: MID 34802465 message scanning problem using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured file size or number of files.
Wed Sep 18 08:37:54 2019 Info: MID 34802465 interim AV verdict using Sophos UNSCANNABLE
Wed Sep 18 08:37:54 2019 Info: MID 34802465 antivirus unscannable '0x' body.scan
Rgds
Stefan
09-18-2019 01:30 AM
Thanks for the details Stephen.
Please share the output of the commands below from the CLI:
antivirusconfig --> Sophos --> tune (hidden command) --> Keep pressing Enter and you will see output as below. Please copy and paste the output from your ESA.
Example Output :
Sophos Anti-Virus: Enabled
Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
[]> tune
Number of low-level scanning objects within the Anti-virus server (usually
five):
[5]>
Choose an Anti-Virus server scanning policy:
1. Default
2. Fast - Early exit on virus and unscannable errors
3. Aggressive - Prevent repair actions in server
[1]> 1
Enter the maximum depth of attachment recursion to scan (usually 100):
[100]>
Enter the maximum subfiles to scan (recommended 3500):
[3500]>
Sophos Anti-Virus: Enabled
Best Regards,
09-18-2019 01:49 AM
Hi,
if I try antivirusconfig sophos tune I get this...
(Cluster RCH Test)> antivirusconfig sophos tune
Invalid arguments when processing antivirusconfig:
antivirusconfig sophos tune must have at least 1 argument.
09-18-2019 01:54 AM
Hello Stephan,
You are mistaken, the commands need to be entered in sequence.
lab.esa.com> antivirusconfig
Choose the operation you want to perform:
- SOPHOS - Configure Sophos Anti-Virus.
- MCAFEE - Configure McAfee Anti-Virus.
[]> SOPHOS
Sophos Anti-Virus: Enabled
Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
[]> tune
09-18-2019 02:21 AM
OK Sorry.
I've tried and got:
(Cluster RCH Test)> antivirusconfig
Sophos Anti-Virus: Enabled
Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
- CLUSTERSET - Set how Sophos Anti-Virus is configured in a cluster.
- CLUSTERSHOW - Display how Sophos Anti-Virus is configured in a cluster.
[]> tune
Anti-Virus server performance tuning:
1. Default - moderate settings
2. Fast - favor system throughput - no timeout handling, aggressive scanning
3. Custom
[1]>
Number of low-level scanning objects within the Anti-virus server (usually five):
[5]>
Choose an Anti-Virus server scanning policy:
1. Default
2. Fast - Early exit on virus and unscannable errors
3. Aggressive - Prevent repair actions in server
[1]>
Enter the maximum depth of attachment recursion to scan (usually 100):
[100]>
Enter the maximum subfiles to scan (recommended 3500):
[3500]>
It looks like you described before.
Should I set the "Number of low-level scanning objects within the Anti-virus server" to a higher value?
Rgds
Stefan
09-18-2019 02:44 AM
Thanks for the output.
The occurrence is related to bug CSCup86350. That bug is fixed in the latest versions, but a small tweak is needed in the following value. To be more precise, 'tune' the Sophos engine's maximum subfiles to scan:
******
Output snipped
******
Enter the maximum subfiles to scan (recommended 3500):
[3500]> 5000
After that, commit the changes and observe the traffic flows for a while. If the issue doesn't resolve after this, please revert the changes to the default 3500 and submit a case to TAC for further analysis.
Best Regards,
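For the "observe the traffic flows for a while" step, the following is an added example (not posted by anyone in this thread and not Cisco code) that counts, per hour, the messages Sophos treated as unscannable because of the size/subfile limit, so the rate before and after the change can be compared. It assumes mail_logs has been exported from the appliance as text; the sample lines are constructed in the format quoted earlier in the thread, and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the mail_logs format quoted in this thread
# (all MIDs except 34802465 are made up for illustration).
SAMPLE_LOG = """\
Wed Sep 18 08:37:54 2019 Warning: MID 34802465 message scanning problem using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured file size or number of files.
Wed Sep 18 08:37:54 2019 Info: MID 34802465 interim AV verdict using Sophos UNSCANNABLE
Wed Sep 18 08:37:54 2019 Info: MID 34802465 antivirus unscannable '0x' body.scan
Wed Sep 18 08:41:10 2019 Info: MID 34802470 interim AV verdict using Sophos CLEAN
Wed Sep 18 09:02:31 2019 Info: MID 34802511 interim AV verdict using Sophos UNSCANNABLE
Wed Sep 18 09:15:02 2019 Warning: MID 34802533 message scanning problem using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured file size or number of files.
Wed Sep 18 09:15:02 2019 Info: MID 34802533 interim AV verdict using Sophos UNSCANNABLE
"""

# "<weekday> <month> <day> <time> <year> <Level>: MID <n> <text>"
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"MID (?P<mid>\d+) (?P<msg>.*)$"
)
LIMIT = "exceeded the configured file size or number of files"
VERDICT = re.compile(r"interim AV verdict using \w+ UNSCANNABLE")


def summarize(log_text):
    """Split UNSCANNABLE messages into limit-related hits and all others."""
    limit_mids = {}          # MID -> time of the first limit warning
    unscannable_mids = set() # every MID with an UNSCANNABLE interim verdict
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-message line in the expected format
        if LIMIT in m["msg"]:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            limit_mids.setdefault(m["mid"], ts)
        elif VERDICT.search(m["msg"]):
            unscannable_mids.add(m["mid"])
    per_hour = Counter(t.strftime("%Y-%m-%d %H:00") for t in limit_mids.values())
    return {
        "limit_hits": sorted(limit_mids),
        "per_hour": dict(per_hour),
        # UNSCANNABLE for another reason: raising the subfile limit will not help
        "other_unscannable": sorted(unscannable_mids - set(limit_mids)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If `limit_hits` does not drop after the change, that matches the condition under which the reply above says to revert to 3500 and open a TAC case.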
09-18-2019 04:03 AM
Hi,
Thanks a lot for help.
I'll set this value and monitor the load and behavior on the appliance.
Regards
Stefan
09-18-2019 05:05 AM
It's always a pleasure to help Stefan. Have a great day :)
Best Regards,