IWSVA uses /var/iwss/tmp/v_tmpfs as a tmpfs (in-memory file system) temporary directory to extract compressed files during scanning. "Hard Drive" in Threshold Alerts also monitors this partition.
The size of /var/iwss/tmp/v_tmpfs is 512 MB by default, regardless of the size of the actual hard drive. Therefore, scanning many compressed files, or a compressed file containing many files, might reduce the free space in /var/iwss/tmp/v_tmpfs and trigger the notification.
To alleviate the issue, do either of the following:
Increase the size of /var/iwss/tmp/v_tmpfs
Pro(s)
- A performance impact is quite unlikely because this only increases the maximum size of the tmpfs directory.
Con(s)
- Additional memory might be necessary, and the amount depends on the circumstances of your IWSVA. For example, you should add 2 GB of memory if you increase the size of v_tmpfs by 2 GB.
- The change might be reverted to the default value after a hot fix or a patch is applied. You need to change the value again after that.
To increase the size of /var/iwss/tmp/v_tmpfs:
- Stop all of the IWSVA services.
  # /etc/iscan/rcIwss stop
  Note: This will interrupt the network traffic for a few minutes, so plan accordingly.
- Use vi to edit the file /etc/iscan/S99ISproxy:
  # vi /etc/iscan/S99ISproxy
  The default value is:
  ----------------------------------
  mount tmpfs $V_TMPFSDIR -t tmpfs -o size=512M
  ----------------------------------
  To change the size to 2 GB, modify it as follows:
  ----------------------------------
  mount tmpfs $V_TMPFSDIR -t tmpfs -o size=2G
  ----------------------------------
Change the temporary directory to the hard drive
Pro(s)
- IWSVA can use the free space of the actual hard drive, so this prevents IWSVA from sending the Threshold Alerts notification. For reference, IWSVA 6.5 versions earlier than Service Pack 2 use the hard drive directory as the temporary directory.
Con(s)
- Compared with using the v_tmpfs directory, performance when scanning compressed files is affected because the hard drive is used.
To change the temporary directory:
- Stop all of the IWSVA services.
  # /etc/iscan/rcIwss stop
  Note: This will interrupt the network traffic for a few minutes, so plan accordingly.
- Use vi to edit the file /etc/iscan/intscan.ini:
  # vi /etc/iscan/intscan.ini
- Change the following setting in the [Scan-configuration] section.
  ----------------------------------
  tmpdir=/etc/iscan/tmp/v_tmpfs
  ----------------------------------
  To make IWSVA use the hard drive directory:
  ----------------------------------
  tmpdir=/etc/iscan/tmp
  ----------------------------------
  Note: There are many parameters named "tmpdir". Make sure to change the one under [Scan-configuration].
- Save the file and quit.
- Start all of the IWSVA services.
  # /etc/iscan/rcIwss start
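Because several parameters are named "tmpdir", a section-aware edit avoids changing the wrong one. The following is an added example, not Trend Micro code: the function name, the sample section names other than [Scan-configuration], and the sample paths under /constructed are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Trend Micro code: section-aware edit of "tmpdir".

# Print <ini-file> to stdout with tmpdir replaced by <new-dir>, but only
# inside [Scan-configuration]. Returns non-zero unless exactly one line changed.
set_scan_tmpdir() {
    awk -v newdir="$2" '
        # Track the current section from headers such as [Scan-configuration].
        /^[ \t]*\[.*\][ \t]*$/ {
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            print; next
        }
        # Rewrite tmpdir only while inside the target section.
        section == "Scan-configuration" && /^[ \t]*tmpdir[ \t]*=/ {
            print "tmpdir=" newdir
            changed++
            next
        }
        { print }
        END { if (changed != 1) exit 1 }
    ' "$1"
}

# Constructed sample: section names other than [Scan-configuration], their
# paths and "other_key" are placeholders, not real intscan.ini content.
sample_ini() {
    cat <<'EOF'
[section-a]
tmpdir=/constructed/a_tmp
[Scan-configuration]
other_key=1
tmpdir=/etc/iscan/tmp/v_tmpfs
[section-b]
tmpdir=/constructed/b_tmp
EOF
}

# Demo on the constructed sample: only the [Scan-configuration] value changes.
demo_file=$(mktemp)
sample_ini > "$demo_file"
set_scan_tmpdir "$demo_file" /etc/iscan/tmp
rm -f "$demo_file"
```

On the appliance, write the output to a new file and compare it with the original before replacing /etc/iscan/intscan.ini. A non-zero return means the section or key was not found exactly once, so the file should be checked by hand.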
Miscellaneous:
Insufficient space in /etc/iscan/tmp/v_tmpfs also causes compressed files to be blocked with a "Failed_Extract_File" scan result. The settings described above are workarounds for this blocking.
You can also change how IWSVA treats the "Failed_Extract_File" scan result.
For more details, refer to the KB article: Non-malware files are unexpectedly blocked in InterScan Web Security Virtual Appliance (IWSVA) 6.5 Service Pack 2.
