These log messages refer to the ANTIVIRUS (Anti-Virus related events) category.
2.5.1. virus_found (ID: 05800001)
- Default Severity
- WARNING
- Log Message
- A virus has been detected in a data stream. Since anti-virus is running in protect mode, the data transfer will be aborted
in order to protect the receiver.
- Explanation
- None
- Firewall Action
- block_data
- Recommended Action
- If the infected file is local, run an anti-virus program to clean the file.
- Revision
- 2
- Parameters
- filename
virusname
virussig
advisoryid
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.2. virus_found (ID: 05800002)
- Default Severity
- WARNING
- Log Message
- A virus has been detected in a data stream. Since anti-virus is running in audit mode, the data transfer will be allowed to
continue.
- Explanation
- None
- Firewall Action
- allow_data
- Recommended Action
- If the infected file is local, run an anti-virus program to clean the file.
- Revision
- 2
- Parameters
- filename
virusname
virussig
advisoryid
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.3. excluded_file (ID: 05800003)
- Default Severity
- NOTICE
- Log Message
- File <filename> is excluded from scanning. Identified filetype: <filetype>.
- Explanation
- The named file will be excluded from anti-virus scanning. The filetype is present in the anti-virus scan exclusion list.
- Firewall Action
- allow_data_without_scan
- Recommended Action
- None
- Revision
- 1
- Parameters
- filename
filetype
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.4. decompression_failed (ID: 05800004)
- Default Severity
- ERROR
- Log Message
- Decompression error for file <filename>
- Explanation
- The file could not be scanned by the anti-virus module since the decompression of the compressed file failed. Since anti-virus
is running in protect mode, the data transfer will be aborted in order to protect the receiver.
- Firewall Action
- block_data
- Recommended Action
- Change Fail Mode parameter to allow if files that fail decompression should be allowed without scanning.
- Revision
- 1
- Parameters
- filename
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.5. decompression_failed (ID: 05800005)
- Default Severity
- ERROR
- Log Message
- Decompression error for file <filename>
- Explanation
- The file could not be scanned by the anti-virus module since the decompression of the compressed file failed. Since anti-virus
is running in audit mode, the data transfer will be allowed to continue.
- Firewall Action
- allow_data
- Recommended Action
- Change Fail Mode parameter to deny if files that fail decompression should be blocked.
- Revision
- 1
- Parameters
- filename
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.6. compression_ratio_violation (ID: 05800007)
- Default Severity
- WARNING
- Log Message
- Compression ratio violation for file <filename>. Compression ratio threshold: <comp_ratio>
- Explanation
- Anti-virus has scanned a compressed file with a compression ratio higher than the specified value. Action is set to continue
scan.
- Firewall Action
- abort_scan
- Recommended Action
- Files with too high a compression ratio can consume a large amount of resources. This can be a DoS attack.
- Revision
- 2
- Parameters
- filename
comp_ratio
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.7. compression_ratio_violation (ID: 05800008)
- Default Severity
- WARNING
- Log Message
- Compression ratio violation for file <filename>. Compression ratio threshold: <comp_ratio>
- Explanation
- Anti-virus has scanned a compressed file with a compression ratio higher than the specified value. Action is set to continue
scan.
- Firewall Action
- block_data
- Recommended Action
- Files with too high a compression ratio can consume a large amount of resources. This can be a DoS attack.
- Revision
- 2
- Parameters
- filename
comp_ratio
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.8. out_of_memory (ID: 05800009)
- Default Severity
- ERROR
- Log Message
- Out of memory
- Explanation
- Memory allocation failed. Since anti-virus is running in audit mode, the data transfer will be allowed to continue.
- Firewall Action
- allow_data
- Recommended Action
- Try to free some memory by changing configuration parameters.
- Revision
- 1
- Parameters
- filename
filetype
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.9. out_of_memory (ID: 05800010)
- Default Severity
- ERROR
- Log Message
- Out of memory
- Explanation
- Memory allocation failed. Since anti-virus is running in protect mode, the data transfer will be aborted in order to protect
the receiver.
- Firewall Action
- block_data
- Recommended Action
- Try to free some memory by changing configuration parameters.
- Revision
- 1
- Parameters
- filename
filetype
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.10. virus_scan_failure (ID: 05800011)
- Default Severity
- ERROR
- Log Message
- Anti-virus scan engine failed for the file: <filename>
- Explanation
- An error occurred in the anti-virus scan engine. Since anti-virus is running in protect mode, the data transfer will be aborted
in order to protect the receiver.
- Firewall Action
- block_data
- Recommended Action
- None
- Revision
- 1
- Parameters
- filename
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.11. virus_scan_failure (ID: 05800012)
- Default Severity
- ERROR
- Log Message
- Anti-virus scan engine failed for the file: <filename>
- Explanation
- An error occurred in the anti-virus scan engine. Since anti-virus is running in audit mode, the data transfer will be allowed
to continue.
- Firewall Action
- allow_data
- Recommended Action
- None
- Revision
- 1
- Parameters
- filename
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.12. no_valid_license (ID: 05800015)
- Default Severity
- CRITICAL
- Log Message
- AVSE: Virus scanning aborted. No valid license present.
- Explanation
- Anti-virus scanning is aborted since there is no valid license present.
- Firewall Action
- av_scanning_aborted
- Recommended Action
- If anti-virus scanning is wanted, you must get a valid license with anti-virus capabilities. Anti-virus scanning can be turned
off in order to avoid future postings of this log message.
- Revision
- 2
- Context Parameters
- ALG Session ID
2.5.13. av_signatures_missing (ID: 05800016)
- Default Severity
- CRITICAL
- Log Message
- AVSE: Virus scanning aborted. Not all virus signatures present.
- Explanation
- Anti-virus scanning is aborted since local anti-virus signature databases are missing.
- Firewall Action
- av_scanning_denied
- Recommended Action
- Connect your firewall to the Internet and download the anti-virus databases or configure automatic updates of anti-virus.
- Revision
- 4
- Context Parameters
- ALG Session ID
2.5.14. general_engine_error (ID: 05800017)
- Default Severity
- CRITICAL
- Log Message
- AVSE: Virus scanning aborted. General error occured during initialization.
- Explanation
- Anti-virus scanning is aborted since the scan engine returned a general error during initialization.
- Firewall Action
- av_scanning_aborted
- Recommended Action
- Try to restart the unit in order to solve this issue.
- Revision
- 2
- Context Parameters
- ALG Session ID
2.5.15. out_of_memory (ID: 05800018)
- Default Severity
- CRITICAL
- Log Message
- AVSE: Virus scanning aborted. Out of memory during initialization.
- Explanation
- Anti-virus scanning is aborted since the scan engine ran out of memory during initialization.
- Firewall Action
- av_scanning_denied
- Recommended Action
- Review your configuration in order to free up more RAM.
- Revision
- 2
- Context Parameters
- ALG Session ID
2.5.16. virus_url_detected (ID: 05800020)
- Default Severity
- WARNING
- Log Message
- Virus infected URL found in URL <url>. Advisory ID: <advisoryid>.
- Explanation
- A virus infected URL request has been detected. Since anti-virus is running in protect mode, the request will be aborted in
order to protect the receiver.
- Firewall Action
- block_data
- Recommended Action
- None
- Revision
- 1
- Parameters
- url
advisoryid
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.17. virus_url_detected (ID: 05800021)
- Default Severity
- WARNING
- Log Message
- Virus infected URL found in URL <url>. Advisory ID: <advisoryid>.
- Explanation
- A virus infected URL request has been detected. Since anti-virus is running in audit mode, the request will be allowed to
continue.
- Firewall Action
- allow_data
- Recommended Action
- None
- Revision
- 1
- Parameters
- url
advisoryid
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.18. decompression_failed_encrypted_file (ID: 05800024)
- Default Severity
- WARNING
- Log Message
- Decompression failed for file <filename>. The file is encrypted.
- Explanation
- The file could not be scanned by the anti-virus module since the compressed file is encrypted with password protection. Since
anti-virus is running in protect mode, the data transfer will be aborted in order to protect the receiver.
- Firewall Action
- block_data
- Recommended Action
- Change Fail Mode parameter to allow if files that fail decompression should be allowed without scanning.
- Revision
- 1
- Parameters
- filename
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.19. decompression_failed_encrypted_file (ID: 05800025)
- Default Severity
- WARNING
- Log Message
- Decompression failed for file <filename>. The file is encrypted.
- Explanation
- The file could not be scanned by the anti-virus module since the compressed file is encrypted with password protection. Since
anti-virus is running in audit mode, the data transfer will be allowed to continue.
- Firewall Action
- allow_data
- Recommended Action
- Change Fail Mode parameter to deny if files that fail decompression should be blocked.
- Revision
- 1
- Parameters
- filename
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.20. out_of_memory (ID: 05800027)
- Default Severity
- CRITICAL
- Log Message
- Out of memory while allocating anti-virus cache entry.
- Explanation
- An attempt to add a detected virus to the anti-virus cache failed since the system has run out of memory.
- Firewall Action
- ignore
- Recommended Action
- Try to free some memory by changing configuration parameters.
- Revision
- 1
2.5.21. max_archive_depth_exceeded (ID: 05800028)
- Default Severity
- WARNING
- Log Message
- The file <filename> has too many archive levels. Maximum allowed is <max_depth>.
- Explanation
- The file archive exceeds the maximum allowed depth. Since Fail Mode is set to Deny the data transfer will be aborted in order
to protect the receiver.
- Firewall Action
- block_data
- Recommended Action
- Change Fail Mode parameter to Allow if files that fail decompression should be allowed without scanning. Increase the Max.
Archive Depth parameter to allow deeper files to be scanned.
- Revision
- 1
- Parameters
- filename
max_depth
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.22. max_archive_depth_exceeded (ID: 05800029)
- Default Severity
- WARNING
- Log Message
- The file <filename> has too many archive levels. Maximum allowed is <max_depth>.
- Explanation
- The file archive exceeds the maximum allowed depth. Since Fail Mode is set to Allow the data transfer will be allowed to continue.
- Firewall Action
- allow_data
- Recommended Action
- Change Fail Mode parameter to Deny if files that fail decompression should be blocked. Increase the Max. Archive Depth parameter
to allow deeper files to be scanned.
- Revision
- 1
- Parameters
- filename
max_depth
[layer7_srcinfo]
[layer7_dstinfo]
- Context Parameters
- ALG Module Name
ALG Session ID
Connection
2.5.23. unknown_encoding (ID: 05800182)
- Default Severity
- WARNING
- Log Message
- SMTPALG: Content transfer encoding is unknown or not present
- Explanation
- Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is deny so data is
blocked.
- Firewall Action
- block_data
- Recommended Action
- None
- Revision
- 1
- Parameters
- filename
unknown_content_transfer_encoding
sender_email_address
recipient_email_addresses
- Context Parameters
- ALG Module Name
ALG Session ID
2.5.24. unknown_encoding (ID: 05800183)
- Default Severity
- WARNING
- Log Message
- SMTPALG: Content transfer encoding is unknown or not present.
- Explanation
- Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is allow so data
is allowed without scanning.
- Firewall Action
- allow_data_without_scan
- Recommended Action
- Research the Content Transfer Encoding format.
- Revision
- 1
- Parameters
- filename
unknown_content_transfer_encoding
sender_email_address
recipient_email_addresses
- Context Parameters
- ALG Module Name
ALG Session ID
2.5.25. unknown_encoding (ID: 05800184)
- Default Severity
- WARNING
- Log Message
- POP3ALG: Content transfer encoding is unknown or not present
- Explanation
- Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is deny so data is
blocked.
- Firewall Action
- block_data
- Recommended Action
- None
- Revision
- 1
- Parameters
- filename
unknown_content_transfer_encoding
sender_email_address
- Context Parameters
- ALG Module Name
ALG Session ID
2.5.26. unknown_encoding (ID: 05800185)
- Default Severity
- WARNING
- Log Message
- POP3ALG: Content transfer encoding is unknown or not present.
- Explanation
- Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is allow so data
is allowed without scanning.
- Firewall Action
- allow_data_without_scan
- Recommended Action
- Research the Content Transfer Encoding format.
- Revision
- 1
- Parameters
- filename
unknown_content_transfer_encoding
sender_email_address
- Context Parameters
- ALG Module Name
ALG Session ID
2.5.27. unknown_encoding (ID: 05800654)
- Default Severity
- WARNING
- Log Message
- IMAPALG: Content transfer encoding is unknown or not present
- Explanation
- Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is deny so data is
blocked.
- Firewall Action
- block_data
- Recommended Action
- None
- Revision
- 2
- Parameters
- filename
unknown_content_transfer_encoding
sender_email_address
- Context Parameters
- ALG Module Name
ALG Session ID
2.5.28. unknown_encoding (ID: 05800655)
- Default Severity
- WARNING
- Log Message
- IMAPALG: Content transfer encoding is unknown or not present.
- Explanation
- Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is allow so data
is allowed without scanning.
- Firewall Action
- allow_data_without_scan
- Recommended Action
- Research the Content Transfer Encoding format.
- Revision
- 2
- Parameters
- imap_userid
imap_mailbox
imap_msg_uid
imap_msg_sequence_number
imap_mail_size
filename
unknown_content_transfer_encoding
sender_email_address
- Context Parameters
- ALG Module Name
ALG Session ID
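The Firewall Action values listed above separate events where the transfer was stopped from events where data reached the receiver infected or unscanned. The triage sketch below is an added example, not part of the original reference. It assumes each event is available as space-separated key=value text carrying `id` and `action` fields (an assumed layout, so adapt `parse` to your log receiver). The sample lines and file names are constructed, and the grouping is this example's own policy.

```python
import re
from collections import Counter

# IDs and action names are taken from the entries above.
# Audit-mode detections: a virus was identified and the data was still allowed.
DELIVERED_INFECTED = {"05800002", "05800021"}
# Actions that let data through without a completed scan.
PASSED_UNSCANNED = {"allow_data", "allow_data_without_scan"}
# Actions reported when the scan engine is not scanning at all.
ENGINE_DOWN = {"av_scanning_aborted", "av_scanning_denied"}

# Assumed layout: key=value pairs, values optionally double-quoted.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    return {k: v.strip('"') for k, v in PAIR.findall(line)}

def triage(line):
    ev = parse(line)
    ev_id, action = ev.get("id"), ev.get("action")
    if ev_id is None or action is None:
        return "unparsed"
    if not ev_id.startswith("058"):      # every ID in this category starts with 058
        return "other_category"
    if ev_id in DELIVERED_INFECTED:
        return "infected_delivered"
    if action in ENGINE_DOWN:
        return "scanning_disabled"
    if action in PASSED_UNSCANNED:
        return "passed_unscanned"
    if action == "block_data":
        return "blocked"
    # abort_scan and ignore: the reference does not say what happens to the data.
    return "review"

def summarize(lines):
    return Counter(triage(line) for line in lines)

# Constructed sample events (field layout and file names are illustrative).
SAMPLE = [
    'id=05800001 event=virus_found action=block_data filename="a.exe"',
    'id=05800002 event=virus_found action=allow_data filename="b.exe"',
    'id=05800005 event=decompression_failed action=allow_data filename="c.zip"',
    'id=05800016 event=av_signatures_missing action=av_scanning_denied',
    'id=05800007 event=compression_ratio_violation action=abort_scan comp_ratio=20',
    'malformed line',
]

if __name__ == "__main__":
    for bucket, count in summarize(SAMPLE).most_common():
        print(f"{bucket}: {count}")
```

Events in `infected_delivered` and `scanning_disabled` warrant the fastest follow-up, since the first means a detected virus was forwarded and the second means nothing is being scanned.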