cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
590
Views
0
Helpful
4
Replies
kostasthedelegate
Enthusiast

ARCHIVESCAN_UNSCANABLE,"UnScanable Concurrent Requests Exceeded-Allowed

Hello,

 

I tried to download this file https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz  and it was blocked with the below message

 

1626075135.000 59953 <ipaddress> TCP_DENIED_SSL/403 0 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip BLOCK_AMP_RESP_12-<Policy>-<Prodile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",2,"-",-,-,"-","-",-,2,"-",-,-> - - x-amp-verdic 2, x-amp-malware-name -, x-amp-upload -,x-amp-filename -, x-amp-sha –

 

In the second try the file was successfully downloaded, below is the log

 

1626075221.631 3770 10.1.1.119 TCP_MISS_SSL/200 14810991 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip DEFAULT_CASE_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",31429.16,0,-,"Unknown","-",0,"-",0,0,"SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz","428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182",4,ARCHIVESCAN_UNSCANABLE,"UnScanable Concurrent Requests Exceeded-Allowed",-,-> - - x-amp-verdic 0, x-amp-malware-name -, x-amp-upload 0,x-amp-filename SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz, x-amp-sha 428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182

 

I would like to know what ARCHIVESCAN_UNSCANABLE,"UnScanable Concurrent Requests Exceeded-Allowed  means because I was not able to locate any relevant documentation.

 

Is it normal behavior?

 

Thanks and regards 

Konstantinos

4 REPLIES 4
kostasthedelegate
Enthusiast

Any hint??

Octavian Szolga
Participant

Hi,

 

Can you please check for amp_logs or archiveinspect_logs?

 

BR,

Octavian

kostasthedelegate
Enthusiast

Hello 

 

This is the first attempt 

1626075135.000 59953 10.1.1.119 TCP_DENIED_SSL/403 0 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip BLOCK_AMP_RESP_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",2,"-",-,-,"-","-",-,2,"-",-,-> - - x-amp-verdic 2, x-amp-malware-name -, x-amp-upload -,x-amp-filename -, x-amp-sha –

 

In the second attempt we get that 

 

1626075221.631 3770 10.1.1.119 TCP_MISS_SSL/200 14810991 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip DEFAULT_CASE_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",31429.16,0,-,"Unknown","-",0,"-",0,0,"SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz","428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182",4,ARCHIVESCAN_UNSCANABLE,"UnScanable Concurrent Requests Exceeded-Allowed",-,-> - - x-amp-verdic 0, x-amp-malware-name -, x-amp-upload 0,x-amp-filename SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz, x-amp-sha 428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182

 

Is that helpfull

Hi,

 

You pasted the same accesslogs from your first post and didn't checked for amp and archiveinspect logs...

Still, based on accesslogs, I don't know for sure why the 1st request was denied but the 2nd one was successful. I can just make assumptions that it's either a wanted behaviour (like the max. number of AMP scans in flight has been reached and the file is allowed) or a bug.

 

In the 1st request you can clearly see that AMP was the one blocking the file transfer.

 

1626075135.000 59953 10.1.1.119 TCP_DENIED_SSL/403 0 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip BLOCK_AMP_RESP_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",2,"-",-,-,"-","-",-,2,"-",-,-> - - x-amp-verdic 2, x-amp-malware-name -, x-amp-upload -,x-amp-filename -, x-amp-sha –

 

BLOCK_AMP_RESP

The Web Proxy blocked the response based on the Advanced Malware Protection settings for the Access Policy group.

 

x-amp-verdict

Verdict from Advanced Malware Protection file scanning:

  • 0: File is not malicious.
  • 1: File was not scanned because of its file type.
  • 2: File scan timed out.
  • 3: Scan error.
  • Greater than 3: File is malicious.

 

The 2nd request seems to be just fine:

 

1626075221.631 3770 10.1.1.119 TCP_MISS_SSL/200 14810991 GET https://downloads.solarwinds.com:443/solarwinds/Release/SU/15.2.3/SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz - DIRECT/downloads.solarwinds.com application/x-gzip DEFAULT_CASE_12-<Policy>-<Profile>-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",5.0,1,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",31429.16,0,-,"Unknown","-",0,"-",0,0,"SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz","428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182",4,ARCHIVESCAN_UNSCANABLE,"UnScanable Concurrent Requests Exceeded-Allowed",-,-> - - x-amp-verdic 0, x-amp-malware-name -, x-amp-upload 0,x-amp-filename SU-MFT-Server-Linux-64bit-v15.2.3.tar.gz, x-amp-sha 428aa2d1923bcadc751b366dbddbbdd5257aa8e5e97c88a2cce62e749e9d4182

 

DEFAULT_CASE

The Web Proxy allowed the client to access the server because none of the AsyncOS services, such as Web Reputation or anti-malware scanning, took any action on the transaction.

 

 

Verdict from the AMP reputation server for the file:

  • 1 – Unknown

  • 2 – Clean

  • 3 – Malicious

  • 4 – Unscannable

 

ARCHIVESCAN_UNSCANABLE – The archive is blocked because it contain a file which cannot be scanned. The Verdict Detail is “UnScanable Archive-Blocked.”

 

x-amp-verdict

Verdict from Advanced Malware Protection file scanning:

  • 0: File is not malicious.
  • 1: File was not scanned because of its file type.
  • 2: File scan timed out.
  • 3: Scan error.
  • Greater than 3: File is malicious.

 

x-amp-upload

Indicator of upload and analysis request:

“0” indicates that Advanced Malware Protection did not request upload of the file for analysis.

“1” indicates that Advanced Malware Protection did request upload of the file for analysis.

 

 

 

References:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010111.html#con_1599723

 

BR, 

Octavian