InterScan Web Security Virtual Appliance (IWSVA) 6.5 Service Pack 2 occasionally blocks compressed files although they are not malware files.
Those that are blocked are shown as "Failed_Extract_File" in the scan results.
This article explains when a "Failed_Extract_File" scan result occurs and gives you the workaround steps to skip the block.
IWSVA returns the read error (return code:-96/-94) when scanning under the following circumstances:
- The header information of the compressed file is classified as invalid.
- There is insufficient space in the temporary directory to extract compressed files. For more details, refer to the KB article: Threshold Alerts notification sent despite sufficient disk space in InterScan Web Security Virtual Appliance (IWSVA) 6.5.
- There is insufficient disk space for scanning.
In such cases, the IWSVA's scan result for the files is "Failed_Extract_File" and they are blocked by default because they might be malicious.
If you want IWSVA not to block them, do the following:
- Log on to IWSVA as root via SSH (for example with a SSH shell such as PuTTy).
-
Create a backup copy of /etc/iscan/IWSSPIScanVsapi.dsc:
# cp /etc/iscan/IWSSPIScanVsapi.dsc /etc/iscan/IWSSPIScanVsapi.dsc.bak
-
Use vi to edit the file /etc/iscan/IWSSPIScanVsapi.dsc:
# vi /etc/iscan/IWSSPIScanVsapi.dsc
-
Add the following line in the [Scan-configuration] section.
skip_read_error=yes
- Save the file and quit.
-
Run the following commands to restart the FTP/HTTP scan services:
# /etc/iscan/S99ISftp stop
# /etc/iscan/S99ISftp start# /etc/iscan/S99ISproxy stop
# /etc/iscan/S99ISproxy start
