I ran into a problem while testing the upgrade from 188.8.131.52 to 184.108.40.206. I have a bunch of developers who use an appliance on 220.127.116.11 while productive use is still on a 18.104.22.168 HA cluster.
When a developer downloaded hxxp:// download-cf.jetbrains.com/idea/ideaIU-2016.2.4.exe the antimalware-engine got blocked and all further requests were blocked because of that. That's something I really can't afford in production.
I opened a ticket via our support partner but they only tell us that there is something wrong with that file. I know I can just bypass that download site but I think this is a bug which should be resolved.
This is the line in mwg-core.errors.log when the error ID 14003 happens:
[2016-10-20 12:39:31.373 +02:00] [AV] [AVError] Error in AntivirusFilter: 'Call to external Anti-Malware engine provided error: Scanning job download-cf.jetbrains.com/idea/ideaIU-2016.2.4.exe" didn't finish in time (current queue length is 0).'.
This happens after about 2 minutes of the scan process.
As I use a really small model for tests I wonder if this bug only has an impact when resources are small. Therefore I wonder if someone could download this file in a production environment without the antimalware-engine getting blocked for further requests.
BTW: I could reproduce this on a freshly installed system with the original McAfee ruleset with the first request on it. And also when downloading the same file from my private webserver just using HTTP instead of HTTPS.
So, this problem is finally resolved with release 22.214.171.124 and this comment:
Downloading a file on Web Gateway could not be completed, as performing anti-malware scanning
for the file with anti-malware heuristics enabled led to a timeout, which was due to inadequate
communication between the core and anti-malware processes. (1165648)
In the meantime I got an answer back from McAfee via our support partner. It is some bug which will be fixed in the next release. It's said to be a problem handling GTI results if I understood correctly. I don't know how high the probability to trigger this bug is, but our support partner has other customers facing the same problem. I will wait for the next release before I upgrade to 7.6.
Would you mind sharing the bug number? I am having the exact same issue and just opened a case on Friday but they haven't mentioned anything about a bug.
Our support partner opened the ticket. They told me it was 4-16131229031. I cannot verify it nor do I have insights of the communication between them and McAfee.
The error AJ describes looks similar, but there isn't any proof at this time that you face the same issue. If you get this error for only one or a handful of files the chance might be bigger. You can open a new SR to get this checked or wait for 126.96.36.199 that will be released soon. You can check the release notes then for fixed errors with the ID 1165648.
P.S.: Checking the mentioned resource, I was blocked by the destination server. A test wasn't possible in the lab.
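Added example, not part of the original thread and not McAfee tooling: a small Python check that groups the scan-timeout entries from mwg-core.errors.log by scanned resource, to see whether the timeouts come from only one or a handful of files. The regular expression is derived from the single log line quoted in this thread; the extra sample lines, the `files.example.test` host, the function names and the reading of "queue length 0" as "no other jobs waiting" are assumptions.

```python
import re
from collections import OrderedDict

# Pattern derived from the one AVError line quoted in the thread (assumed stable).
TIMEOUT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[AV\] \[AVError\] .*"
    r"Scanning job \"?(?P<job>[^\"\s]+)\"? didn't finish in time "
    r"\(current queue length is (?P<queue>\d+)\)"
)

# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE_LOG = """\
[2016-10-20 12:39:31.373 +02:00] [AV] [AVError] Error in AntivirusFilter: 'Call to external Anti-Malware engine provided error: Scanning job download-cf.jetbrains.com/idea/ideaIU-2016.2.4.exe" didn't finish in time (current queue length is 0).'.
[2016-10-20 13:05:10.101 +02:00] [AV] [AVError] Error in AntivirusFilter: 'Call to external Anti-Malware engine provided error: Scanning job download-cf.jetbrains.com/idea/ideaIU-2016.2.4.exe" didn't finish in time (current queue length is 0).'.
[2016-10-20 13:40:02.550 +02:00] [AV] [AVError] Error in AntivirusFilter: 'Call to external Anti-Malware engine provided error: Scanning job files.example.test/big/setup.exe" didn't finish in time (current queue length is 7).'.
[2016-10-20 13:41:00.000 +02:00] [Core] [Info] constructed unrelated line
"""


def summarize_timeouts(lines):
    """Return per-resource counts of scan timeouts, in order of first appearance."""
    per_job = OrderedDict()
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue  # not a scan-timeout entry
        entry = per_job.setdefault(
            m["job"],
            {"count": 0, "idle_queue": 0, "first": m["ts"], "last": m["ts"]},
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
        if int(m["queue"]) == 0:  # assumption: 0 means no other jobs were waiting
            entry["idle_queue"] += 1
    return per_job


def file_specific(per_job, min_hits=2):
    """Resources that timed out repeatedly, every time with an empty queue."""
    return [job for job, e in per_job.items()
            if e["count"] >= min_hits and e["idle_queue"] == e["count"]]


if __name__ == "__main__":
    summary = summarize_timeouts(SAMPLE_LOG.splitlines())
    for job, e in summary.items():
        print(job, e)
    print("file-specific candidates:", file_specific(summary))
```

Resources listed by `file_specific` are the ones worth attaching to a service request, since they time out repeatedly without a backlog in the scan queue.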
I have stored the file also on another webserver. If you tell me your mail address I can send the link for you to test.
Did you test this negative from this resource as well?
Otherwise testing might not be meaningful. As far as I understood the issue, it is all about special resources and the GTI reputation related to those. If you need a clear statement of whether you're affected or not, please create a new service request. Technical Support will assist you with troubleshooting and get the confirmation from engineering if required.
Yes, I reproduced the error on both the original resource and on my own server using the same download file. I don't see a need to open a new SR as my old one was closed with reference to the fix in 188.8.131.52
In the meantime I have upgraded our production environment to 184.108.40.206 despite this bug. And today I had to deal with an incident ticket of a user not being able to download for this URL:
Are any of you guys able to download this file using common antimalware handling?