Bug ID 800453: False positive virus violations

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2

Fixed In:
15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2

Opened: Jun 30, 2019

Severity: 3-Major

Related Article: K72252057

Symptoms

False positive ASM virus violations.

Impact

ASM reports a virus when the antivirus reply is timed out. False positive blocking or violation reporting.

Conditions

Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.

Workaround

Configure the EnableASMByPass internal parameter setting to allow the antivirus server to not reply, so it does not issue a violation when it occurs: /usr/share/ts/bin/add_del_internal add EnableASMByPass 1 bigstart restart asm Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.

Fix Information

False positive ASM virus violations no longer occur under these conditions.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips