The reports that show virus activity are empty.




The "Potential Threats" report shows no viral activity.

The "ProxyAV Malware Detected" report shows no viral activity.

The "Potential Malware infected Clients" Report is empty.

Reports in Reporter are not showing virus-related activity.


For Reporter to report on viruses on your network, it must first have detected evidence of them in the access logs it processes. This article suggests two ways to troubleshoot why you may not be seeing virus activity in your reports.

Checking your access logs:

To check your access log to see whether it has registered any virus activity, follow these steps:

  1. Find an access log, and open it in a text editor, such as Notepad for Windows, or vi for Linux.
    • You may have to unzip the access log first, or rename it from a *.done file name to a *.zip, and then unzip it.
  2. At the top of each access log is a header that shows what each column in the access log stands for. Find the x-virus-id column. On most access logs, it's the last column.
  3. Trace this column down, and look for a named virus detected by the ProxyAV. If the column is consistently a dash " - " then your ProxyAV is not providing the SG with the viruses it has detected.
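
Steps 2 and 3 can be scripted instead of read by eye. The following is an added example, not Blue Coat code: it assumes the column header is the line starting with #Fields: and that values containing spaces are double-quoted, and the sample log and virus name in it are constructed.

```python
import re
from collections import Counter

# Constructed sample log (assumed ELFF layout; not from a real appliance).
SAMPLE_LOG = '''\
#Software: SGOS
#Fields: date time c-ip sc-status cs-host cs(User-Agent) x-virus-id
2014-10-01 09:15:02 10.0.0.21 200 www.example.com "Mozilla/5.0 (Windows NT 6.1)" -
2014-10-01 09:15:40 10.0.0.35 403 files.example.net "Mozilla/5.0 (Windows NT 6.1)" "EICAR test file"
2014-10-01 09:16:11 10.0.0.35 403 files.example.net - "EICAR test file"
2014-10-01 09:17:03 10.0.0.21 200 www.example.org "curl/7.30"
'''

TOKEN = re.compile(r'"([^"]*)"|\S+')  # a quoted value or a bare word

def split_row(line):
    """Split a log line on whitespace, keeping double-quoted values whole."""
    return [m.group(0) if m.group(1) is None else m.group(1)
            for m in TOKEN.finditer(line)]

def summarize_virus_ids(lines, field="x-virus-id", client="c-ip"):
    """Return (status, Counter keyed by (client, virus), rows read, malformed rows)."""
    fields, field_seen = None, False
    hits, rows, malformed = Counter(), 0, 0
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):       # header may repeat within a file
            fields = line.split()[1:]
            field_seen = field_seen or field in fields
            continue
        if not line or line.startswith("#") or not fields or field not in fields:
            continue
        values = split_row(line)
        if len(values) != len(fields):        # truncated or shifted row: do not guess
            malformed += 1
            continue
        rows += 1
        row = dict(zip(fields, values))
        if row[field] != "-":
            hits[(row.get(client, "?"), row[field])] += 1
    # "field-not-logged": column absent from the header; "all-dash": the step 3 condition
    status = "field-not-logged" if not field_seen else ("detections" if hits else "all-dash")
    return status, hits, rows, malformed

if __name__ == "__main__":
    status, hits, rows, malformed = summarize_virus_ids(SAMPLE_LOG.splitlines())
    print(f"{status}: {rows} rows read, {malformed} malformed")
    for (ip, virus), count in hits.most_common():
        print(f"{ip}\t{virus}\t{count}")
```

A result of "all-dash" over a large log is the situation step 3 describes; "field-not-logged" means the log format itself does not include the column.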

Watching a test virus being detected by your SG:

To run a live troubleshooting trial with a test virus on an SG, follow these steps:

  1. Verify whether the raw logs contain the virus ID, using the following steps.
  2. Log in to the ProxySG web interface.
  3. Click on Statistics
  4. Click on Access Logging
  5. Click Start Tail (the button is at the bottom)
  6. Have a user go to a test virus, such as, and download the test virus.
  7. View the logs and check for the x-virus-id tag. Often it's the last or the second-to-last entry in the log line.

CPL policy needed to write to the SG access log:

If you find that the ProxySG is not writing out the name of the virus to the access logs, check whether this CPL code is configured.
Here is the CPL code the customer used.
define Cache policy avscan
    response.icap_service(proxyav, fail_open)

NOTE1: If x-virus-id is a dash (-), then the ProxySG is either not writing the viruses it finds to the access log, or is not configured appropriately for a ProxyAV. This article can help you verify that your two appliances, the ProxyAV and the ProxySG, are set up properly - PROXY AV

NOTE2: For information on the access log fields needed for Blue Coat Reporter, see 000021974

NOTE3: For more information on how viruses are detected and reported in the access log, see 000010081

Additional Information
Bug Number
InQuira Doc Id      KB4038

First Published      10/01/2014
Last Modified      10/30/2014
Last Published      10/30/2014
Article Audience
Product      AV810
Topic      Access Logging, Application Delivery Network, Authentication, Database, Debugging, Reporting
Article Number      000014000