Troubleshoot Gateway AntiVirus
If a client on your network becomes infected with a virus, it is important to identify the reason this occurred:
- Gateway AntiVirus does not have a signature to detect this virus
- The infected file was not scanned with Gateway AntiVirus
- The Firebox device did not download the most recent signature set
Test Gateway AntiVirus
You can use the EICAR test tool to confirm that Gateway AntiVirus is enabled for the correct policy and that it can detect viruses. To obtain this tool, see Eicar.org. For information about how to use this file, see Use the EICAR Test File to test Gateway AntiVirus in the WatchGuard Knowledge Base.
Gateway AntiVirus uses a signature set to detect infected files. If a virus is not detected, or if a virus is detected in a file that you think does not have a virus, you can report the false negative or false positive and submit the file for analysis.
In some cases, a virus that exists in the database might not be in the signature set used by your Firebox. Some Firebox models use a smaller set that focuses on the more common viruses, and might not detect every virus. To learn more, see the article Gateway AntiVirus signature set sizes in the WatchGuard Knowledge Base.
Review Log Messages for Gateway AntiVirus Scans
If your Firebox device is configured to send log data to a Dimension system or WatchGuard Log Server, you can search your log data for the filename to identify whether your Firebox scanned the file, and see the scan results.
By default, your proxy policies log all events where a virus is found or if an error occurs with the scan. To ensure that a proxy policy logs all proxy events, including files with no infection found, select the Enable logging for reports check box in the proxy action.
For more information on how to search log messages in Dimension, see Search Device Log Messages (Dimension).
Example Log Messages
In this log message, the HTTP Proxy scanned a file named eicar.com and detected a virus.
Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)
Allow 1-Trusted 0-External tcp 10.0.1.2 18.104.22.168 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)
For more details on subscription services in Firebox System Manager, see Subscription Services Statistics (Subscription Services).
This log message indicates a scan failure. This can occur with .zip or other compressed files that have too many levels of compression, or files that are encrypted, or otherwise cannot be opened.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP Cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="[email protected]" error="scan request failed" filename="message.scr" (SMTP-proxy-00)
If Gateway AntiVirus cannot scan a password-protected file within a compressed archive file, the scan error in the log message includes the name of the file within the archive. For example, if Gateway AntiVirus could not scan a password-protected file called protected.xlsx in an archive called archive.zip, the scan error in the log message includes the names of both files.
error="Object (protected.xlsx) Encrypted" host="example.net" path="/archive.zip"
The log message includes the name of the file within the archive in Fireware v12.2 and higher.
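The following Python sketch is an added example, not WatchGuard code. It parses log lines in the layout of the samples above and flags content that was allowed even though the scan failed. It assumes that the msg prefix (ProxyDrop, ProxyAllow, ProxyLock) names the action the proxy took and that Gateway AntiVirus messages contain the word "Virus" or "AV", both read from the sample lines on this page; the fourth sample line is constructed.

```python
import re

KV = re.compile(r'(\w+)="([^"]*)"')               # key="value" fields
ACTION = re.compile(r'^Proxy(\w+): (.*)$')         # msg="ProxyDrop: HTTP Virus found"
AV_MSG = re.compile(r'\b(Virus|AV)\b')             # assumption: marks Gateway AV messages
ENCRYPTED = re.compile(r'Object \((.+)\) Encrypted')

def classify(line):
    """Summarise one proxy log line; return None if it is not a Gateway AV message."""
    fields = dict(KV.findall(line))
    m = ACTION.match(fields.get("msg", ""))
    if not m or not AV_MSG.search(m.group(2)):
        return None
    outcome = ("virus_found" if "virus" in fields
               else "scan_error" if "error" in fields else "other")
    inner = ENCRYPTED.search(fields.get("error", ""))
    action = m.group(1)
    return {
        "action": action,
        "outcome": outcome,
        "detail": fields.get("virus") or fields.get("error"),
        "file": fields.get("filename") or fields.get("path"),
        # Name of the encrypted file inside an archive (Fireware v12.2 and higher)
        "inner_file": inner.group(1) if inner else None,
        # Allowed with a failed scan: the content passed without an AV verdict
        "passed_unscanned": outcome == "scan_error" and action == "Allow",
    }

# First three lines are the samples from this page; the last one is constructed.
SAMPLES = [
    'Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.2 18.104.22.168 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP Cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="[email protected]" error="scan request failed" filename="message.scr" (SMTP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.2 192.0.2.10 51860 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="Object (protected.xlsx) Encrypted" host="example.net" path="/archive.zip" (HTTP-proxy-00)',
]

def triage(lines):
    """Return the Gateway AV summaries for every matching line, in input order."""
    return [r for r in map(classify, lines) if r]

if __name__ == "__main__":
    for result in triage(SAMPLES):
        print(result)
```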
Review Email Headers for Gateway AntiVirus
If a user received a virus by email, you can confirm whether the file was scanned and what the result was. Look for a header similar to X-WatchGuard-AntiVirus: scanned 'file.pdf'. clean action=allow to indicate whether a virus was detected.
For instructions on how to preserve the message headers, see When I submit messages to technical support for analysis, how do I preserve the original message header? in the WatchGuard Knowledge Base.