AV Scan Errors
T-20
OS 12.6.1
Over the weekend I noticed a lot of websites were either failing to load or partially loading. I initially blamed it on DPI scanning but when I disabled DPI the issues persisted.
Looking at my traffic logs I see tons of these deny messages all with the "bd scanner is not created" in the log file.
No policies, proxies, or configurations have been changed (other than disabling DPI as a test).
A quick web search says open a support ticket but I want to see what the community says first.
Sample traffic log:
2020-12-14 14:25:29 Deny 10.0.1.25 35.209.172.82 http/tcp 65208 80 1-Trusted 0-External ProxyDrop: HTTP AV scanning error (HTTP-proxy-00) HTTP-Client.-Outbound.1 proc_id="http-proxy" rc="594" msg_id="1AFF-0029" proxy_act="HTTP-Client.-Outbound.1" error="bd scanner is not created" host="xxxxxxxxxxxxx" path="/wp-content/plugins/wp-carousel/js/stepcarousel.js?ver=3cc027f836689f0f19bbea2572d6bb62" geo_dst="USA"
AV actions are to drop the connection when a scan error occurs and the File Scan limit is set to 4096 KB.
Thoughts and Thanks!
- Doug
It's usually something simple.
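Added example (not from this thread or from WatchGuard): a small Python triage script that parses lines in the traffic-log layout Doug posted, counts ProxyDrop denies per error= string and destination host, and flags when the "bd scanner is not created" error is the dominant cause. The sample lines, hosts, addresses and the second error string are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the WatchGuard traffic-log layout from the post.
# Hosts, addresses and the "placeholder scan error" string are placeholders.
SAMPLE_LOG = """\
2020-12-14 14:25:29 Deny 10.0.1.25 203.0.113.10 http/tcp 65208 80 1-Trusted 0-External ProxyDrop: HTTP AV scanning error (HTTP-proxy-00) HTTP-Client.-Outbound.1 proc_id="http-proxy" rc="594" msg_id="1AFF-0029" proxy_act="HTTP-Client.-Outbound.1" error="bd scanner is not created" host="example.invalid" path="/a.js" geo_dst="USA"
2020-12-14 14:25:31 Deny 10.0.1.25 203.0.113.11 http/tcp 65210 80 1-Trusted 0-External ProxyDrop: HTTP AV scanning error (HTTP-proxy-00) HTTP-Client.-Outbound.1 proc_id="http-proxy" rc="594" msg_id="1AFF-0029" proxy_act="HTTP-Client.-Outbound.1" error="bd scanner is not created" host="example.invalid" path="/b.css" geo_dst="USA"
2020-12-14 14:25:40 Allow 10.0.1.30 203.0.113.12 http/tcp 65220 80 1-Trusted 0-External Allowed (HTTP-proxy-00) HTTP-Client.-Outbound.1 proc_id="http-proxy" host="example.invalid" path="/"
2020-12-14 14:26:02 Deny 10.0.1.31 203.0.113.13 http/tcp 65230 80 1-Trusted 0-External ProxyDrop: HTTP AV scanning error (HTTP-proxy-00) HTTP-Client.-Outbound.1 proc_id="http-proxy" rc="594" msg_id="1AFF-0029" error="placeholder scan error" host="other.invalid" path="/big.zip" geo_dst="USA"
"""

# Fixed positional prefix: date time action src dst proto sport dport src_if dst_if
HEAD_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+)'
)
# The trailing key="value" pairs (proc_id, rc, msg_id, error, host, ...)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

BD_SCANNER_ERROR = "bd scanner is not created"


def parse_traffic_line(line):
    """Return a dict of positional fields plus key="value" pairs, or None."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line))
    return rec


def summarize_scan_errors(log_text):
    """Count Deny lines that carry an error= field, by error string and by host."""
    by_error, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_traffic_line(line)
        if rec is None or rec["action"] != "Deny" or "error" not in rec:
            continue  # allowed traffic and denies without a scan error are not of interest
        by_error[rec["error"]] += 1
        by_host[rec.get("host", "?")] += 1
    return by_error, by_host


def bd_scanner_dominant(by_error, min_share=0.5):
    """True when the bd-scanner error is at least min_share of all scan-error denies."""
    total = sum(by_error.values())
    return total > 0 and by_error[BD_SCANNER_ERROR] / total >= min_share
```

When the bd-scanner error dominates across many unrelated hosts, the cause is on the firewall side (scanner/definition state), not the sites being visited, which is the check James describes next.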
Comments
The latest version for a T20 is V12.6.2 Update 3.
https://software.watchguard.com/SoftwareHome
My scan limit is set to 1024 KB.
Consider upgrading your firewall first.
bd_scanner not created is usually indicative of the AV definitions being downloaded. Go to the subscription services tab in WebUI or Firebox system manager and make sure they say the definitions for DLP & AV are current. If it shows 1970, 1960, or 1969 as the year, there are no definitions on your firewall.
-James Carson
WatchGuard Customer Support
Hey James,
I did that prior to posting, sorry I neglected to include that information.
Today's AV updates:
12/15/20, 2:51:36 AM PST 20201215.45 Success Update success
12/15/20, 5:52:15 AM PST 20201215.45 Success Update success
12/15/20, 8:51:52 AM PST 20201215.645 Success Update success
My scan limit was initially set to 1024 but I upped it to 4096 thinking the limitation may have something to do with the scan failures. Granted 4096 may be a tad high for the T-20's processing power, but the change is temporary.
It's usually something simple.
@shaazaminator
Depending on how much traffic the firewall is experiencing, 4096 might be fine, or it might be consuming too much RAM on the firewall. (The firewall will hold whatever file it's scanning in RAM while that happens.) 4096 means hold a file up to that size. One or two files isn't a problem. 50 or 100 at a time on a small firewall could be.
It'll all just depend on what your traffic/usage looks like.
Personally, I prefer to move things around by doubling or halving them, then fine tuning once I get to a sweet spot. If 4096 doesn't work, try 2048 and work up/down from there.
*edit: closed parenthesis
-James Carson
WatchGuard Customer Support