Solutions

The reports that show virus activity are empty.

Solutions ID:    KB4038
Version:    3.0
Status:    Published
Published date:    09/23/2010
Updated:    10/01/2010

Problem Description

The "Potential Threats" report shows no viral activity.

The "ProxyAV Malware Detected" report shows no viral activity.

The "Potential Malware infected Clients" Report is empty.

Reports in Reporter are not showing any virus-related activity.

Resolution

For Reporter to report on viruses on your network, it must first find evidence of them in the access logs it processes. This article suggests two ways to troubleshoot why you may not be seeing virus activity in your reports.

Checking your access logs:

To check whether your access log has registered any virus activity, follow these steps:

  1. Find an access log and open it in a text editor, such as Notepad on Windows or vi on Linux.
    • You may have to unzip the access log first, or rename it from a *.done file name to *.zip and then unzip it.
  2. At the top of each access log is a header that shows what each column in the access log stands for. Find the x-virus-id column. On most access logs, it is the last column.
  3. Trace this column down and look for a named virus detected by the ProxyAV. If the column is consistently a dash ("-"), then your ProxyAV is not providing the SG with the names of the viruses it has detected.
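The following script automates steps 2 and 3 above. It is an added example, not part of this article or of any Blue Coat product: it reads the #Fields: header of an ELFF-format ProxySG access log, locates x-virus-id by name rather than by position (so it also works when the column is not last), and reports whether any line carries a virus name. The log lines and field list it parses are constructed for the example.

```python
import shlex
from collections import Counter

# Constructed sample of a ProxySG ELFF access log; "-" in x-virus-id means nothing was reported.
SAMPLE_LOG = """#Date: 2010-09-23 10:00:00
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-path cs(User-Agent) x-virus-id
2010-09-23 10:00:01 12 10.0.0.5 200 TCP_NC_MISS 1024 512 GET http www.example.com /index.html "Mozilla/5.0 (Windows)" -
2010-09-23 10:00:02 30 10.0.0.7 403 TCP_DENIED 0 480 GET http www.eicar.org /download/eicar.com "Mozilla/5.0 (Windows)" EICAR-Test-File
2010-09-23 10:00:03 8 10.0.0.5 200 TCP_HIT 2048 500 GET http www.example.com /logo.png "Mozilla/5.0 (Windows)" -
"""

def parse_elff(text):
    """Yield one dict per log line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):   # blank lines and other directives
            continue
        if fields is None:
            raise ValueError("log line appears before a #Fields: header")
        values = shlex.split(line)        # ELFF double-quotes values containing spaces
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))

def virus_summary(text):
    """Return (column_present, Counter of virus name -> hits) for a whole log."""
    hits = Counter()
    column_present = False
    for entry in parse_elff(text):
        vid = entry.get("x-virus-id")
        if vid is None:
            continue
        column_present = True
        if vid != "-":
            hits[vid] += 1
    return column_present, hits

def diagnose(text):
    """Map the summary onto the two failure cases the article describes."""
    column_present, hits = virus_summary(text)
    if not column_present:
        return "x-virus-id is not in the #Fields: header: check the access log format"
    if not hits:
        return "x-virus-id is always '-': the ProxyAV is not reporting detections to the SG"
    return "detections: " + ", ".join(f"{name}={n}" for name, n in sorted(hits.items()))
```

Point `diagnose()` at the contents of an unzipped access log to get the same verdict the manual check gives.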

Watching a test virus being detected by your SG:

To conduct a live troubleshooting trial with a test virus on an SG, follow these steps.

  1. To verify that the raw logs contain the virus ID, follow these steps:
  2. Log in to the ProxySG web interface.
  3. Click Statistics.
  4. Click Access Logging.
  5. Click Start Tail (the button is at the bottom).
  6. Have a user go to a test virus, such as http://www.eicar.org/download/eicar.com, and download the test virus.
  7. View the logs and check for the x-virus-id tag. It is often the last, or the second to last, entry in the log line.

CPL policy needed to write to the SG access log:

If you find that the ProxySG is not writing the name of the virus to the access logs, check whether the following CPL code is configured. This is the CPL code the customer used.

<Cache>
    response.icap_service.secure_connection(auto)

end

define Cache policy avscan
<Cache>
    response.icap_service(proxyav, fail_open)

end

NOTE1: If x-virus-id is a dash ("-"), then the ProxySG is either not writing the viruses it finds to the access log, or is not configured appropriately for a ProxyAV. This article can help you verify that your two appliances, the ProxyAV and the ProxySG, are set up properly: PROXY AV

NOTE2: For information on the access log fields needed by Blue Coat Reporter, see FAQ282.

NOTE3: For more information on how viruses are detected and reported in the access log, see KB3967.
