legan

Download blocked after 2147 seconds

One of our users is trying to download a large file. The connection always breaks after 2147 seconds:

% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
84 11.7G 84 9.9G 0 0 4874k 0 0:42:12 0:35:47 0:06:25 4623k
curl: (18) transfer closed with 1921582552 bytes remaining to read

This can be reproduced.

When looking at the rule trace, I see the download starts just fine, but then this appears (rule tracing XML):

<?xml version='1.0' encoding='UTF-8'?>
<!-- Rule trace for a single Request cycle. The metadata records action="Block" for a
     CONNECT to www.site.com, and the top items show Block.Reason "Internal error". -->
<trace>
<metadata version="2" url="https://www.site.com" filename="10.10.150.57-14_2019.05.15_08_23_14_www.site.com.xml" appl="4209465F-68B7-6FF6-4B7F-08D1EF32E0F2" clientIP="10.10.150.57" clientPort="50964" action="Block" cycle="Request" date="2019-05-15T08:23:14.838+02:00" complete="true"/>
<topitems>
<item name="User-Agent" id ="" value="curl/7.64.1"/>
<item name="URL.Host" id="com.scur.engine.system.url.host" value="www.site.com"/>
<item name="Authentication.Username" id="com.scur.engine.Auth.UserName" value=""/>
<item name="Authentication.Usergroups" id="com.scur.engine.Auth.Attributes" value=""/>
<item name="URL.Categories" id="com.scur.engine.trustedsource.url.categories" value=""/>
<item name="Response.StatusCode" id="com.scur.engine.system.response.statuscode" value="200"/>
<item name="Block.Reason" id="com.scur.engine.system.blockreason" value="Internal error"/>
<item name="Command.Name" id="com.scur.engine.system.command.name" value="CONNECT"/>
</topitems>
<cycle type="Request" no="1" enterTime="1557901394.837" duration="0.000732">
<!-- The only container evaluated in this cycle is the "Default" error handler, so the
     block is issued by error handling. Every condition below tests Error.ID, whose
     value in this trace is 20001. -->
<errorhandler name="Default" id="com.scur.errorhandler.default" idx="92" enterTime="1557901394.837" duration="0.000366">
<expression><condition id="17771" op="always" enterTime="1557901394.837" duration="0.00001">
<result>true</result>
</condition></expression>
<!-- Applies only when Error.ID equals 20000. The value is 20001, the result is false,
     and no rule inside this group is evaluated. -->
<rulegroup name="Long Running Connections" id="17773" idx="93" enterTime="1557901394.837" duration="0.0001">
<expression enterTime="1557901394.837" duration="0.0001">
<condition id="17782" op="equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="20000"/>
</condition>
</expression>
</rulegroup> <!--'Long Running Connections'-->
<!-- Group criterion is "always"; its three rules test Error.ID against 14000, 14001
     and 14002, and each comparison is false. -->
<rulegroup name="Block on Anti-Malware Engine Errors" id="17939" idx="94" enterTime="1557901394.837" duration="0.000071">
<expression><condition id="17938" op="always" enterTime="1557901394.837" duration="0.000006">
<result>true</result>
</condition></expression>
<rule name="Block If Anti-Malware Engine Can Not Be Loaded" id="17940" enterTime="1557901394.837" duration="0.000023">
<expression enterTime="1557901394.837" duration="0.000023">
<condition id="17943" op="equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="14000"/>
</condition>
</expression>
</rule> <!--'Block If Anti-Malware Engine Can Not Be Loaded'-->
<rule name="Block If Anti-Malware Engine Is Overloaded" id="17944" enterTime="1557901394.837" duration="0.000021">
<expression enterTime="1557901394.837" duration="0.000021">
<condition id="17947" op="equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="14001"/>
</condition>
</expression>
</rule> <!--'Block If Anti-Malware Engine Is Overloaded'-->
<rule name="Block on Internal Anti-Malware Engine Errors" id="17948" enterTime="1557901394.837" duration="0.000021">
<expression enterTime="1557901394.837" duration="0.000021">
<condition id="17951" op="equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="14002"/>
</condition>
</expression>
</rule> <!--'Block on Internal Anti-Malware Engine Errors'-->
</rulegroup> <!--'Block on Anti-Malware Engine Errors'-->
<!-- Range check 15000 to 15999: the lower bound is true, the upper bound is false, so
     the "and" is false and the group does not apply. -->
<rulegroup name="Block on URL Filter Errors" id="17953" idx="95" enterTime="1557901394.837" duration="0.000129">
<expression><and enterTime="1557901394.837" duration="0.000129">
<result>false</result>
<condition id="17964" op="greater than or equals">
<result>true</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="15000"/>
</condition>
<condition id="17965" op="less than or equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="15999"/>
</condition>
</and></expression>
</rulegroup> <!--'Block on URL Filter Errors'-->
<!-- The lower bound 26000 is already false; the second condition is marked
     evaluated="false", i.e. it was not evaluated. -->
<rulegroup name="DLP Filter Errors" id="17967" idx="96" enterTime="1557901394.837" duration="0.000021">
<expression><and enterTime="1557901394.837" duration="0.000021">
<result>false</result>
<condition id="17975" op="greater than or equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="26000"/>
</condition>
<condition evaluated="false"/></and></expression>
</rulegroup> <!--'DLP Filter Errors'-->
<!-- Catch-all group with criterion "always". The 10063 exemption is false, so the
     "Always Block" rule is reached. -->
<rulegroup name="Block on All Errors" id="18009" idx="97" enterTime="1557901394.837" duration="0.000035">
<expression><condition id="18008" op="always" enterTime="1557901394.837" duration="0.000006">
<result>true</result>
</condition></expression>
<rule name="Ignore Mail Bomb Warning" id="18010" enterTime="1557901394.837" duration="0.000023">
<expression enterTime="1557901394.837" duration="0.000023">
<condition id="18013" op="equals">
<result>false</result>
<property name="Error.ID" id="com.scur.engine.system.error.id" type="Long" value="20001"/>
<constant type="Long" value="10063"/>
</condition>
</expression>
</rule> <!--'Ignore Mail Bomb Warning'-->
<rule name="Always Block" id="18014" enterTime="1557901394.837" duration="0.000006">
<expression><condition id="18016" op="always" enterTime="1557901394.837" duration="0.000006">
<result>true</result>
</condition></expression>
<!-- The only action in the trace: Block with the "Internal Error" configuration,
     matching action="Block" in the metadata. "Internal error" is therefore the label
     of this catch-all block template, not a diagnosis. The trace does not say what
     Error.ID 20001 stands for. NOTE(review): look that ID up in the product's error
     reference before touching the error handler; the catch-all is what keeps
     unhandled errors failing closed. -->
<action type="Block">
<configuration name="Internal Error" id="com.scur.mainaction.block.17367"/>
</action>
</rule> <!--'Always Block'-->
</rulegroup> <!--'Block on All Errors'-->
</errorhandler> <!--'Default'-->
</cycle>
</trace>

After this error message the following appears in the error log:

[15/May/2019:08:23:15 +0200] "proxy" "-" 10.10.150.57 123.123.10.250 "www.site.com" 200 "-" 901 10737441815 "CONNECT www.site.com:443 HTTP/1.1" "-" "-" 0 "-/-" 1 "Internal error" false "-" false "Unverified" "-" "-" "curl/7.64.1"

So, apparently, the MWG hits an 'internal error' and stops the download. I'm trying to find out what causes this internal error. I have looked at all the log files (user-defined, mwg-errors and system) but cannot find anything related.

 

 

Any idea what could be causing this or how to investigate?

 

 

 
