The reports that show virus activity are empty.

Solution

Overview

The "Potential Threats" report shows no viral activity.

The "ProxyAV Malware Detected" report shows no viral activity.

The "Potential Malware Infected Clients" report is empty.

Reporter is not showing any virus-related activity in its reports.

Cause

Resolution

For Reporter to report on viruses on your network, it must first find evidence of them in the access logs it processes. This article suggests two ways to troubleshoot why you may not be seeing virus activity in your reports.

Checking your access logs:

To check whether your access log has registered any virus activity, follow these steps:

  1. Find an access log and open it in a text editor, such as Notepad for Windows or vi for Linux.
    • You may have to unzip the access log first, or rename it from a *.done file name to *.zip and then unzip it.
  2. At the top of each access log is a header that shows what each column in the access log stands for. Find the x-virus-id column; on most access logs it is the last column.
  3. Trace this column down and look for a named virus detected by the ProxyAV. If the column is consistently a dash (-), then your ProxyAV is not providing the SG with the names of the viruses it has detected.

Watching a test virus being detected by your SG:

To conduct a live troubleshooting trial with a test virus on an SG, follow these steps.

  1. Verify whether the raw logs contain the virus ID by following these steps.
  2. Log in to the ProxySG web interface.
  3. Click Statistics.
  4. Click Access Logging.
  5. Click Start Tail (the button is at the bottom).
  6. Have a user go to a test virus, such as http://www.eicar.org/download/eicar.com, and download the test virus.
  7. View the logs and check for the x-virus-id tag; it is often the last or second-to-last entry in the log line.
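
As an added example (not part of the original article, and not Blue Coat's own tooling), the following Python script automates the access-log check from both procedures above: it reads the #Fields: header to find the x-virus-id column, then reports whether any log line carries a named virus or whether the column is always a dash. The log lines below are constructed samples; real SGOS ELFF logs have the same #Fields: header but usually many more columns, and the script handles double-quoted values such as user agents that contain spaces.

```python
"""Check a Blue Coat ProxySG ELFF access log for virus detections.

Added example, not from the original KB article. It assumes the log uses
the standard ELFF layout: a '#Fields:' header naming the columns,
space-separated values, and double quotes around values containing spaces.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log: three requests, one EICAR download flagged by ProxyAV.
SAMPLE_LOG = """#Software: SGOS
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri sc-status cs(User-Agent) x-virus-id
2023-01-10 12:00:01 10.1.2.3 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0)" -
2023-01-10 12:00:05 10.1.2.3 GET http://www.eicar.org/download/eicar.com 403 "Mozilla/5.0 (Windows NT 10.0)" EICAR-Test-File
2023-01-10 12:00:09 10.1.2.4 GET http://www.example.com/logo.png 200 "curl/7.88" -
"""


def split_elff(line: str) -> List[str]:
    """Split one ELFF line into fields, keeping double-quoted values intact."""
    fields: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in line.rstrip("\n"):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def find_virus_ids(log_text: str) -> Dict[str, object]:
    """Locate the x-virus-id column and summarise what it contains.

    Returns the column index (None if the field is absent from the header),
    the number of data lines checked, the number of lines with a named
    virus, and a Counter of the virus names seen.
    """
    column: Optional[int] = None
    checked = 0
    names: Counter = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].split()
            column = header.index("x-virus-id") if "x-virus-id" in header else None
            continue
        if not line or line.startswith("#") or column is None:
            continue
        fields = split_elff(line)
        if len(fields) <= column:
            continue  # truncated line: skip rather than misread another field
        checked += 1
        value = fields[column]
        if value != "-":
            names[value] += 1
    return {
        "column": column,
        "checked": checked,
        "detections": sum(names.values()),
        "names": names,
    }


def diagnose(summary: Dict[str, object]) -> str:
    """Map the summary onto the conditions the article describes."""
    if summary["column"] is None:
        return "x-virus-id field is not in the access log format"
    if summary["checked"] and summary["detections"] == 0:
        return "x-virus-id is always '-': ProxyAV is not passing virus names to the SG"
    if summary["detections"]:
        return "virus names present: Reporter has data to report on"
    return "no log lines to check"


if __name__ == "__main__":
    result = find_virus_ids(SAMPLE_LOG)
    print(diagnose(result), dict(result["names"]))
```

Run it against a real log with `find_virus_ids(open(path).read())`; a column that is present but always a dash points at the ProxyAV/ProxySG integration, while a missing column points at the access log format itself.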

CPL policy needed to write to the SG access log:

If you find that the ProxySG is not writing the name of the virus to the access logs, check whether this CPL code is configured.

Here is the CPL code the customer used:
 
; Cache layer: use a secure ICAP connection to the AV service when available
<Cache>
    response.icap_service.secure_connection(auto)

; Named policy that sends responses to the ProxyAV ICAP service for scanning.
; fail_open lets a response through unscanned if the ICAP service is unavailable;
; fail_closed blocks it instead, if blocking is preferred over an unscanned response.
define policy avscan
<Cache>
    response.icap_service(proxyav, fail_open)
end

NOTE 1: If the x-virus-id field is a dash (-), then the ProxySG is not writing the viruses it finds to the access log, or it is not configured appropriately for a ProxyAV. This article can help you verify that your two appliances, the ProxyAV and the ProxySG, are set up properly: PROXY AV

NOTE 2: For information on the access log fields needed by Blue Coat Reporter, see 000021974

NOTE 3: For more information on how viruses are detected and reported in the access log, see 000010081

InQuira Doc Id: KB4038