Troubleshoot Gateway AntiVirus
If a client on your network becomes infected with a virus, it is important to identify the reason this occurred:
- Gateway AntiVirus does not have a signature to detect this virus
- The infected file was not scanned with Gateway AntiVirus
- The Firebox device did not download the most recent signature set
Test Gateway AntiVirus
You can use the EICAR test tool to confirm that Gateway AV is enabled for the correct policy and that it can detect viruses. To obtain this tool, see Eicar.org.
Gateway AntiVirus uses a signature set from AVG to detect infected files. To confirm that AVG is aware of the virus, go to the AVG website and upload the infected file. The site returns a list of virus scanners and the scan result from each scanner for that file.
If the virus is not detected, you can upload the file to AVG to improve future detection. To learn more about virus reporting, see How to report Gateway AntiVirus false positives and false negatives.
In some cases, a virus that exists in the AVG database may not be in the signature set in use by your Firebox device. Some devices use a smaller signature set that focuses on the most common viruses and may not detect every virus. To learn more, see Gateway AntiVirus signature set sizes.
Review Log Messages for Gateway AntiVirus Scans
If your Firebox device is configured to send log data to a Dimension system or WatchGuard Log Server, you can search your log data for the filename to identify whether your device scanned the file, and view the scan results.
By default, your proxy policies log every event in which a virus is found or a scan error occurs. To ensure that a proxy policy logs all proxy events, including files in which no infection was found, select the Enable logging for reports check box in the proxy action.
For more information on how to search log messages in Dimension, see Search Device Log Messages.
Example Log Messages
In this log message, the HTTP Proxy scanned a file named eicar.com and detected a virus.
Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)
The Firebox device does not display a log message when a virus was not detected. However, you can look for a log message that includes the filename, and then check whether there is also a message with the same source and destination IP addresses that indicates a virus was detected, or whether there is no scan error message and no virus found message for that connection.
This log message indicates a failure with the Gateway AntiVirus service on your Firebox device. A common cause of this issue is an outdated or invalid signature set. Review the Subscription Services tab in Firebox System Manager to confirm whether Gateway AV is able to update signatures, and when the last signature update was downloaded.
Allow 1-Trusted 0-External tcp 10.0.1.2 18.104.22.168 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)
For more details on subscription services in Firebox System Manager, see Subscription Services Statistics (Subscription Services).
This log message indicates a scan failure. This can occur with .zip or other compressed files that have too many levels of compression, with files that are encrypted, or with files that otherwise cannot be opened.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP Cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="[email protected]" error="scan request failed" filename="message.scr" (SMTP-proxy-00)
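When searching Dimension or Log Server exports for a filename, it helps to parse the proxy log messages into fields and map each message onto the three outcomes described above (virus found, AV engine error, scan failure). The following Python script is an added example and is not WatchGuard code; it assumes the plain message format shown in this article and tolerates a leading timestamp or member-name prefix. The first two sample lines are the messages quoted above; the SMTP line is constructed to match the scan-failure message, with placeholder addresses.

```python
import os
import re
from typing import Dict, List, Optional

# Sample input: the first two lines are the log messages quoted in the article;
# the third is constructed to match the article's SMTP scan-failure message,
# with placeholder addresses.
SAMPLE_LOGS: List[str] = [
    'Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 '
    'msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" '
    'host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.2 18.104.22.168 51859 80 '
    'msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" '
    'error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 '
    'msg="ProxyLock: SMTP Cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" '
    'sender="sender@example.com" recipients="recipient@example.com" '
    'error="scan request failed" filename="message.scr" (SMTP-proxy-00)',
]

# Fixed-position fields at the start of a proxy log message. search() rather than
# match() so a timestamp or member-name prefix from Dimension/Log Server is tolerated.
HEADER_RE = re.compile(
    r'(?P<disposition>\b(?:Allow|Deny))\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+'
    r'(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+'
    r'(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')     # msg="..." proxy_act="..." error="..." ...
PROXY_RE = re.compile(r'\((\S+)\)\s*$')    # trailing (HTTP-proxy-00)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one proxy log message into a dict; None if it is not a proxy message."""
    m = HEADER_RE.search(line.strip())
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "rest"}
    event.update(KV_RE.findall(m.group("rest")))   # quoted key="value" pairs
    tail = PROXY_RE.search(m.group("rest"))
    event["proxy"] = tail.group(1) if tail else ""
    return event


def classify(event: Dict[str, str]) -> str:
    """Map a parsed event onto the Gateway AV outcomes the article describes."""
    msg = event.get("msg", "")
    if "Virus found" in msg:
        return "virus_found"      # blocked; the virus name is in event["virus"]
    if "AV scanning error" in msg:
        return "engine_error"     # engine not running: check signature updates
    if "Cannot perform Gateway AV scan" in msg or event.get("error") == "scan request failed":
        return "scan_failed"      # file could not be opened or decompressed
    return "other"


def event_filename(event: Dict[str, str]) -> str:
    """HTTP events carry path=..., SMTP events carry filename=...; normalise to a basename."""
    return os.path.basename(event.get("filename") or event.get("path") or "")


def events_for_file(lines: List[str], filename: str) -> List[Dict[str, str]]:
    """All parsed proxy events that refer to the given filename."""
    parsed = (parse_line(line) for line in lines)
    return [e for e in parsed if e and event_filename(e) == filename]


def triage(lines: List[str], filename: str) -> str:
    """Worst-first verdict for one filename. 'no_av_message' means no AV message was
    logged: either no virus was found or the file never reached the scanner."""
    found = {classify(e) for e in events_for_file(lines, filename)}
    for verdict in ("virus_found", "engine_error", "scan_failed"):
        if verdict in found:
            return verdict
    return "no_av_message"


if __name__ == "__main__":
    for name in ("eicar.com", "LoadJS.ashx", "message.scr", "report.pdf"):
        print(f"{name}: {triage(SAMPLE_LOGS, name)}")
```

Because a clean file produces no AV message unless Enable logging for reports is selected, a result of no_av_message is only meaningful once you have confirmed, from a message that names the file or from the same source and destination pair, that the connection actually passed through the proxy.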
Review Email Headers for Gateway AntiVirus
If a user received a virus by email, you can confirm whether the file was scanned and what the result was. Look for a header similar to X-WatchGuard-AntiVirus: scanned 'file.pdf'. clean action=allow, which indicates whether the attachment was scanned and whether a virus was detected.
For instructions on how to preserve the message headers, see When I submit messages to technical support for analysis, how do I preserve the original message header?
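Once the original headers have been preserved, the check can be scripted so that every attachment in a saved message is accounted for. The following Python snippet is an added example, not WatchGuard code; it assumes the header format quoted above and uses constructed sample messages (one carrying the header, one without it).

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

HEADER_NAME = "X-WatchGuard-AntiVirus"

# Matches the header format quoted in the article:
#   X-WatchGuard-AntiVirus: scanned 'file.pdf'. clean action=allow
AV_RE = re.compile(
    r"scanned\s+'(?P<file>[^']*)'\.?\s*(?P<result>\S+)\s+action=(?P<action>\S+)"
)

# Constructed sample messages (not real mail). SCANNED_MESSAGE carries the header
# in the article's format; UNSCANNED_MESSAGE has no such header.
SCANNED_MESSAGE = (
    "From: sender@example.com\n"
    "To: recipient@example.com\n"
    "Subject: report\n"
    "X-WatchGuard-AntiVirus: scanned 'file.pdf'. clean action=allow\n"
    "\n"
    "See attached.\n"
)
UNSCANNED_MESSAGE = (
    "From: sender@example.com\n"
    "To: recipient@example.com\n"
    "Subject: report\n"
    "\n"
    "See attached.\n"
)


def av_verdicts(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """One record per X-WatchGuard-AntiVirus header (a message may carry several,
    one per scanned attachment). Values that do not parse are kept as 'unparsed'
    so they are never silently treated as clean."""
    msg = message_from_string(raw_message)
    verdicts: List[Dict[str, Optional[str]]] = []
    for value in msg.get_all(HEADER_NAME, []):
        m = AV_RE.search(value)
        if m:
            verdicts.append(m.groupdict())
        else:
            verdicts.append({"file": None, "result": "unparsed", "action": None, "raw": value})
    return verdicts


def av_status(raw_message: str, filename: str) -> str:
    """'not_scanned' if no header names the file; otherwise the result word from
    the header (for example 'clean'), which tells you whether a virus was detected."""
    for verdict in av_verdicts(raw_message):
        if verdict.get("file") == filename:
            return verdict["result"] or "unparsed"
    return "not_scanned"


if __name__ == "__main__":
    print(av_status(SCANNED_MESSAGE, "file.pdf"))      # clean
    print(av_status(UNSCANNED_MESSAGE, "file.pdf"))    # not_scanned
```

A not_scanned result for a message that should have traversed the SMTP proxy is itself a finding: either the mail took another path, or the headers were rewritten by a downstream system before the copy was saved, which is why the original headers must be preserved as described above.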