Unable to browse through InterScan Web Security Virtual Appliance (IWSVA) after a configuration replication or service restart

    • Updated: 8 Dec 2017
    • Product/Version: InterScan Web Security Virtual Appliance 6.0, InterScan Web Security Virtual Appliance 6.5
    • Platform: Linux - Red Hat RHEL 6 64-bit
Summary

After a configuration replication or service restart, browsing is not possible on browsers configured to pass through IWSVA.

The most recent HTTP log (var/iwss/log/http.log.yyyymmdd.0001) may contain entries similar to the following:

17:31:19.156 <INF><0:3847:3847> SIGSCAN: [ERROR-]REJECTING CONFIGURATION: configuration data problems recorded @<logToErr> @@<SSLog.cpp:73>
17:31:19.156 <INF><0:3847:3847> SharedInitialization failed: Scan Plug-in SigScan @<CreateScanContextImpl> @@<ScanContextImpl.cpp:4491>

 

Details

This issue may occur due to an incorrect regular expression in the HTTP > HTTP Inspection > Filters section.

To confirm that this is the root cause, enable verbose logging for HTTP Inspection:

  1. Open the file /etc/iscan/IWSSPISigScan.dsc in a text editor, for example vi:

    vi /etc/iscan/IWSSPISigScan.dsc

  2. Change the following entry:

    FROM:
    logging_level=INFO
    TO:
    logging_level=ALL

  3. Save the file.
  4. Stop and start the HTTP scanning daemon:

    /etc/iscan/S99ISproxy stop
    /etc/iscan/S99ISproxy start

Check the HTTP log again. An entry similar to the following may indicate which HTTP Inspection entry is problematic (in this example, "www.example.com"):

11:20:39.711 <INF><0:31814:31814> SIGSCAN: [ERROR-]--- CompiledDirective::make: [SDF line 3 - www.example.com NOT GET HOST] Regular expression compile failed at offset 1: [9] nothing to repeat @<logToErr> @@<SSLog.cpp:73>

If this is the case, remove the entry indicated in the logs from the IWSVA HTTP Inspection filters and restart all the services using the following command:

    /etc/iscan/rcIwss restart

This will interrupt network traffic for a few minutes, so plan accordingly.

Check if browsing is possible.

Online regular expression verifiers may be helpful for checking an expression before adding it to IWSVA. For example:

https://regex101.com/
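
The log check and the pre-validation step above, as an added example (not Trend Micro code): the sketch below pulls the failing filter out of SIGSCAN compile errors and test-compiles a candidate expression locally. The function names and sample lines are constructed for illustration, and Python's `re` is only a stand-in for the appliance's regex engine, so a clean compile here is a sanity check, not a guarantee.

```python
import re

# Constructed sample, modelled on the two log excerpts quoted in this article.
SAMPLE_LOG = """\
17:31:19.156 <INF><0:3847:3847> SIGSCAN: [ERROR-]REJECTING CONFIGURATION: configuration data problems recorded @<logToErr> @@<SSLog.cpp:73>
11:20:39.711 <INF><0:31814:31814> SIGSCAN: [ERROR-]--- CompiledDirective::make: [SDF line 3 - www.example.com NOT GET HOST] Regular expression compile failed at offset 1: [9] nothing to repeat @<logToErr> @@<SSLog.cpp:73>
11:20:40.002 <INF><0:31814:31814> SharedInitialization failed: Scan Plug-in SigScan @<CreateScanContextImpl> @@<ScanContextImpl.cpp:4491>
"""

# Matches the verbose-logging line that names the filter which failed to compile.
COMPILE_FAIL = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) .*?CompiledDirective::make: "
    r"\[SDF line (?P<sdf_line>\d+) - (?P<directive>.*?)\] "
    r"Regular expression compile failed at offset (?P<offset>\d+): "
    r"\[(?P<code>\d+)\] (?P<reason>.*?) @<"
)

def find_bad_filters(log_text):
    """Return one dict per regex compile failure reported by SIGSCAN."""
    hits = []
    for line in log_text.splitlines():
        m = COMPILE_FAIL.search(line)
        if m:
            hit = m.groupdict()
            hit.update(sdf_line=int(hit["sdf_line"]), offset=int(hit["offset"]))
            hits.append(hit)
    return hits

def config_rejected(log_text):
    """True if the scan plug-in refused the whole configuration."""
    return "REJECTING CONFIGURATION" in log_text

def precheck(pattern):
    """Test-compile a candidate pattern; return None if it compiles, else the error."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return "offset %s: %s" % (exc.pos, exc.msg)
    return None

if __name__ == "__main__":
    print("configuration rejected:", config_rejected(SAMPLE_LOG))
    for hit in find_bad_filters(SAMPLE_LOG):
        print("SDF line %(sdf_line)d [%(directive)s]: %(reason)s at offset %(offset)d" % hit)
    # Constructed candidates: a leading quantifier fails, an escaped host name compiles.
    for candidate in ("*.example.com", r"www\.example\.com"):
        print(repr(candidate), "->", precheck(candidate) or "compiles")
```
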

Category: Troubleshoot
Solution Id: 1118833