It does not make too much sense that the problem persists when a restart was performed. Maybe the request was still queued at the director and handed to the scanning node when it came back after the reboot?
However, I strongly recommend creating a feedback of the affected MWG and providing all the information to support. If there is any kind of loop caused by the requests, this has to be analyzed, found and fixed by engineering.
Thanks for the info. I checked the system today. Customer is testing a "high load" situation where MWG is completely overloaded. These are normal test situations at my customer. Customer is aware that the system is not reachable during the security scan. But the system should reach a normal state when the scan has finished.
This scan results in an overload of the antimalware queue. The mwg-core error log shows the problem. The queue is also not cleared after the system is rebooted.
Is it possible to clear the anti-malware queue manually?
@Jon: I also removed the "remove via header" rule to keep the via header available for MWG. :-)
Message edited by Troja on 26.11.12 18:28:22 CET
Hi Andre, hi Jon,
We figured out what is going on with MWG when doing a security scan.
If you start a normal "Webserver Scan" where the URL host is the IP address of MWG, something starts to loop. If you reboot MWG, the system does not reach a normal system state. The CPU is running at 100%. After 3 days or more, MWG is still running at 100% CPU and the system is not usable.
There is only one way to stop this behavior: a ruleset where the MWG IPs are blocked.
In my opinion, this is a bug in the MWG rule engine.
If not already done, are you able to file a service request, please?
Please add a tcpdump that shows the start of the security scan to allow us to replicate the problem without having the security scanner. Support will replicate the issue and file a bug with development. They will look at what's happening and fix the issue.
We can't do that from within the community.