Old 09-12-2007, 09:42 AM   #1 (permalink)
Master Untangler
 
Join Date: Sep 2007
Posts: 216
MoreDakka is on a distinguished road
Virus scanner blocking/messing up traffic?

Well, I've got a CentOS box that I was doing some yum installs on today, and when I tried I got some errors:

With the Virus Scanner enabled:

Code:
[root@testbox tmp]# yum install net-snmp php php-mysql php-snmp rrdtool apache
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package php.i386 0:5.1.6-12.el5 set to be updated
---> Package php-snmp.i386 0:5.1.6-12.el5 set to be updated
---> Package php-mysql.i386 0:5.1.6-12.el5 set to be updated
---> Package net-snmp.i386 1:5.3.1-14.0.1.el5 set to be updated
--> Running transaction check
--> Processing Dependency: php-common = 5.1.6-12.el5 for package: php
--> Processing Dependency: php-common = 5.1.6-12.el5 for package: php-snmp
--> Processing Dependency: libnetsnmp.so.10 for package: php-snmp
--> Processing Dependency: libgmp.so.3 for package: php
--> Processing Dependency: libnetsnmpagent.so.10 for package: net-snmp
--> Processing Dependency: libsensors.so.3 for package: net-snmp
--> Processing Dependency: php-pdo for package: php-mysql
--> Processing Dependency: httpd-mmn = 20051115 for package: php
--> Processing Dependency: libnetsnmphelpers.so.10 for package: net-snmp
--> Processing Dependency: libnetsnmpmibs.so.10 for package: net-snmp
--> Processing Dependency: php-cli = 5.1.6-12.el5 for package: php
--> Processing Dependency: libnetsnmptrapd.so.10 for package: net-snmp
--> Processing Dependency: php-common = 5.1.6-12.el5 for package: php-mysql
--> Processing Dependency: libnetsnmp.so.10 for package: net-snmp
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for php-pdo to pack into transaction set.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://centos.secsup.org/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://centos.westmancom.com/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://mirrors.gigenet.com/centos/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://ftp.telus.net/pub/centos/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://centos.arcticnetwork.ca/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://mirrors.kernel.org/centos/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://mirror.stanford.edu/yum/pub/centos/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
http://centos.mirrors.tds.net/pub/linux/centos/5.0/updates/i386/RPMS/php-pdo-5.1.6-12.el5.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.
Error: failure: RPMS/php-pdo-5.1.6-12.el5.i386.rpm from updates: [Errno 256] No more mirrors to try.

When I shut the virus scanner down, everything goes through no problem:

Code:
[root@testbox tmp]# yum install net-snmp php php-mysql php-snmp rrdtool apache
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package php.i386 0:5.1.6-12.el5 set to be updated
---> Package php-snmp.i386 0:5.1.6-12.el5 set to be updated
---> Package php-mysql.i386 0:5.1.6-12.el5 set to be updated
---> Package net-snmp.i386 1:5.3.1-14.0.1.el5 set to be updated
--> Running transaction check
--> Processing Dependency: php-common = 5.1.6-12.el5 for package: php
--> Processing Dependency: php-common = 5.1.6-12.el5 for package: php-snmp
--> Processing Dependency: libnetsnmp.so.10 for package: php-snmp
--> Processing Dependency: libgmp.so.3 for package: php
--> Processing Dependency: libnetsnmpagent.so.10 for package: net-snmp
--> Processing Dependency: libsensors.so.3 for package: net-snmp
--> Processing Dependency: php-pdo for package: php-mysql
--> Processing Dependency: httpd-mmn = 20051115 for package: php
--> Processing Dependency: libnetsnmphelpers.so.10 for package: net-snmp
--> Processing Dependency: libnetsnmpmibs.so.10 for package: net-snmp
--> Processing Dependency: php-cli = 5.1.6-12.el5 for package: php
--> Processing Dependency: libnetsnmptrapd.so.10 for package: net-snmp
--> Processing Dependency: php-common = 5.1.6-12.el5 for package: php-mysql
--> Processing Dependency: libnetsnmp.so.10 for package: net-snmp
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for php-pdo to pack into transaction set.
php-pdo-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
---> Package php-pdo.i386 0:5.1.6-12.el5 set to be updated
---> Downloading header for php-common to pack into transaction set.
php-common-5.1.6-12.el5.i 100% |=========================|  19 kB    00:00
---> Package php-common.i386 0:5.1.6-12.el5 set to be updated
---> Downloading header for httpd to pack into transaction set.
httpd-2.2.3-7.el5.centos. 100% |=========================|  54 kB    00:00
---> Package httpd.i386 0:2.2.3-7.el5.centos set to be updated
---> Downloading header for php-cli to pack into transaction set.
php-cli-5.1.6-12.el5.i386 100% |=========================|  17 kB    00:00
---> Package php-cli.i386 0:5.1.6-12.el5 set to be updated
---> Downloading header for net-snmp-libs to pack into transaction set.
net-snmp-libs-5.3.1-14.0. 100% |=========================|  26 kB    00:00
---> Package net-snmp-libs.i386 1:5.3.1-14.0.1.el5 set to be updated
---> Downloading header for lm_sensors to pack into transaction set.
lm_sensors-2.10.0-3.1.i38 100% |=========================|  26 kB    00:00
---> Package lm_sensors.i386 0:2.10.0-3.1 set to be updated
---> Downloading header for gmp to pack into transaction set.
gmp-4.1.4-10.el5.i386.rpm 100% |=========================|  10 kB    00:00
---> Package gmp.i386 0:4.1.4-10.el5 set to be updated
--> Running transaction check
--> Processing Dependency: libapr-1.so.0 for package: httpd
--> Processing Dependency: libaprutil-1.so.0 for package: httpd
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for apr-util to pack into transaction set.
apr-util-1.2.7-6.i386.rpm 100% |=========================| 7.3 kB    00:00
---> Package apr-util.i386 0:1.2.7-6 set to be updated
---> Downloading header for apr to pack into transaction set.
apr-1.2.7-11.i386.rpm     100% |=========================|  10 kB    00:00
---> Package apr.i386 0:1.2.7-11 set to be updated
--> Running transaction check
--> Processing Dependency: libpq.so.4 for package: apr-util
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for postgresql-libs to pack into transaction set.
postgresql-libs-8.1.9-1.e 100% |=========================|  15 kB    00:00
---> Package postgresql-libs.i386 0:8.1.9-1.el5 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 net-snmp                i386       1:5.3.1-14.0.1.el5  updates           699 k
 php                     i386       5.1.6-12.el5     updates           1.2 M
 php-mysql               i386       5.1.6-12.el5     updates            82 k
 php-snmp                i386       5.1.6-12.el5     updates            27 k
Installing for dependencies:
 apr                     i386       1.2.7-11         base              122 k
 apr-util                i386       1.2.7-6          base               75 k
 gmp                     i386       4.1.4-10.el5     base              664 k
 httpd                   i386       2.2.3-7.el5.centos  updates           1.1 M
 lm_sensors              i386       2.10.0-3.1       base              494 k
 net-snmp-libs           i386       1:5.3.1-14.0.1.el5  updates           1.1 M
 php-cli                 i386       5.1.6-12.el5     updates           2.2 M
 php-common              i386       5.1.6-12.el5     updates           139 k
 php-pdo                 i386       5.1.6-12.el5     updates            61 k
 postgresql-libs         i386       8.1.9-1.el5      updates           196 k

Transaction Summary
=============================================================================
Install     14 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 8.2 M
Is this ok [y/N]:

So what could be the problem here? It's only when I have the virus scanner enabled that it messes up the yum connection. I'm not sure what to do. I can try different levels of scanning as well.

Thanks.
MoreDakka is offline  
Old 09-12-2007, 09:46 AM   #2 (permalink)
Master Untangler
 
Join Date: Sep 2007
Posts: 216
MoreDakka is on a distinguished road

Well, it seems that it's the "disable FTP download resume" that messes that up. Not really sure why but it does. I'll just disable that and see if anyone has any idea why.

Thanks.
MoreDakka is offline  
Old 09-12-2007, 10:17 AM   #3 (permalink)
Master Untangler
 
Join Date: Sep 2007
Posts: 216
MoreDakka is on a distinguished road

So I lied on that last statement. I just tried to do another update with yum, different files and it blocked traffic again. So I'm not sure what's going on. I had to disable the virus scanner to let the connection connect again.
MoreDakka is offline  
Old 09-13-2007, 12:48 PM   #4 (permalink)
Newbie
 
Join Date: Sep 2007
Posts: 11
MarkF is on a distinguished road

Hi, MoreDakka!

This isn't unusual. Astaro had the same problem for years, and it's due to improper handling of HTTP range headers by the "transparent" HTTP proxy. The workaround in Astaro was to explicitly bypass the HTTP proxy for Linux machines, but I don't see an obvious means to do that in Untangle without removing the machines from firewall protection completely (i.e. assigning the machines to No Rack), unless you use the Professional version.

FYI!
MarkF

Last edited by MarkF; 09-13-2007 at 12:52 PM..
MarkF is offline  
Old 09-14-2007, 07:02 AM   #5 (permalink)
Master Untangler
 
Join Date: Sep 2007
Posts: 216
MoreDakka is on a distinguished road

Well, doesn't that suck now. :-/ Oh well, "most" of the Linux stuff is "safe" so it should be alright, but it sucks that I can't have those boxes behind the virus scanner because of improper handling. Is this something that Untangle programmers are looking to fix in future releases or is this one of those "live with it" type of situations? (I would help with the programming but I'm pretty sure the whole thing would stop working if I was to try to do something like that... haha).

Thanks for the info.
MoreDakka is offline  
Old 09-14-2007, 11:51 AM   #6 (permalink)
Untangle Junkie
 
 
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,614
dmorris is on a distinguished road

If you could provide a couple tcpdump records on the inside and outside interface while doing a yum update.

tcpdump -i eth0 -s 0 -w eth0.yum.ptrace "tcp port 80" &
tcpdump -i eth1 -s 0 -w eth1.yum.ptrace "tcp port 80" &
<<do a yum update>>
killall tcpdump

Then email them to us @ support@untangle.com

Then we can file a bug and fix it - otherwise it's hard to tell what's going on.
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
dmorris is online now  
Old 09-14-2007, 01:49 PM   #7 (permalink)
Master Untangler
 
Join Date: Sep 2007
Posts: 216
MoreDakka is on a distinguished road

Sure, now it's not doing it. I'll get those logs to you as soon as it errors on me again.

Thanks!
MoreDakka is offline  
Old 09-15-2007, 11:29 AM   #8 (permalink)
Newbie
 
Join Date: Sep 2007
Posts: 11
MarkF is on a distinguished road

Hi, DMorris!

I'm unfortunately not set up right now to give you the logs, but it's an easy problem to understand. Yum requests only a portion of the file using the HTTP 1.1 range header extensions, but at least with Astaro, the transparent proxy delivers the complete file.

If you Google 'http range request yum', you'll see that this is a common problem with proxies, and yes, it failed for me with Untangle, as well. This comes and goes dependent upon the server that you actually connect with and its specific capabilities.

Best Regards,
MarkF
MarkF is offline  
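
The failure mode described in the post above (a client sends a `Range` request and gets the complete file back) can be checked mechanically on a captured reply. The following is an added example, not code from the thread or from Untangle or Astaro; the function names and the sample replies are constructed for illustration.

```python
import re

CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+)$")

def parse_response(raw):
    """Split one raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def check_range_reply(first, last, raw):
    """Classify the reply to a request that sent 'Range: bytes=first-last'."""
    status, headers, body = parse_response(raw)
    if status == 200:
        # HTTP lets a server ignore Range and send the whole entity; a client
        # that expects only the requested slice then reads the wrong bytes.
        return "range-ignored"
    if status != 206:
        return "unexpected-status"
    m = CONTENT_RANGE.match(headers.get("content-range", ""))
    if not m:
        return "no-content-range"
    got_first, got_last, total = (int(g) for g in m.groups())
    # The end of the range may be clamped to the last byte of the entity.
    if (got_first, got_last) != (first, min(last, total - 1)):
        return "wrong-range"
    if len(body) != got_last - got_first + 1:
        return "length-mismatch"
    return "honored"

def build(status, reason, headers, body):
    """Assemble a raw response (used only for the constructed samples)."""
    head = f"HTTP/1.1 {status} {reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + body

# Constructed sample data: a 1024-byte entity and three replies to bytes=100-199.
ENTITY = bytes(range(256)) * 4
DIRECT = build(206, "Partial Content", {"Content-Range": "bytes 100-199/1024"}, ENTITY[100:200])
PROXIED = build(200, "OK", {"Content-Length": "1024"}, ENTITY)
CUT = build(206, "Partial Content", {"Content-Range": "bytes 100-199/1024"}, ENTITY[100:150])

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("proxied", PROXIED), ("cut", CUT)):
        print(name, check_range_reply(100, 199, raw))
```

Running the same check on the reply seen on the inside interface and on the outside interface shows whether the device in the middle changed a partial response into a full one.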
Old 09-16-2007, 02:45 AM   #9 (permalink)
Newbie
 
Join Date: Sep 2007
Posts: 3
woodrowbone is on a distinguished road

Hi all!
I have the same problem to get my mail, I am using Thunderbird under XP.
When I turn off the virus/spam/Phish blocker it works like a charm.
I get this message from Thunderbird mail client: "The RETR command did not succeed. Error retrieving a message"

Any ideas?

Last edited by woodrowbone; 09-16-2007 at 03:18 AM..
woodrowbone is offline  
Old 09-26-2007, 12:38 PM   #10 (permalink)
Newbie
 
Join Date: Sep 2007
Posts: 2
Stielf is on a distinguished road
pop email problem

Untangle works great except for once a week or so I get an email in that causes this same problem.

"I have the same problem to get my mail, I am using Thunderbird under XP.
When I turn off the virus/spam/Phish blocker it works like a charm.
I get this message from Thunderbird mail client:"The RETR command did not succeed. Error retrieving a message"


I use an MDaemon Mail Server behind my Untangle computer. I get the error receiving message on an email that has a blank message. The email server will read through the email list with no problem and time out when it hits the bad email while downloading it. Then it does this over and over again.

I can go on the ISP's web mail client and delete the email that Untangle hangs on and everything will start working correctly. I can also shut off the Untangle Virus module and reboot the Untangle server to fix the problem also.

I get this on multiple Untangle Servers that have an MDaemon email server behind it using pop3 to pull down the emails.

It seems that the Virus detection is waiting to scan the body of the message and since there isn't anything there, it times out, causing the email server to start over in an endless loop.

MDaemon Email Server with its virus software works just fine on these spam emails without Untangle in front of it.
Stielf is offline  
© 2010 Untangle, Inc. All Rights Reserved.