Bug ID 800453: False positive virus violations

Last Modified: Nov 15, 2019

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1

Fixed In:
13.1.3.2

Opened: Jun 30, 2019
Severity: 3-Major

Symptoms

False positive ASM virus violations.

Impact

False positive blocking or violation reporting.

Conditions

Specific connection characteristics between ASM and the antivirus server may cause ASM to miss replies from the antivirus server. ASM reports a virus when the antivirus reply times out.

Workaround

Enabling the EnableASMByPass internal parameter allows the antivirus server to not reply, so ASM does not issue a violation when that happens:

    /usr/share/ts/bin/add_del_internal add EnableASMByPass 1
    bigstart restart asm

Note: When this internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.

Fix Information

None

Behavior Change