After further review, I'm pretty sure that there is an F-Prot issue going on here. My server hasn't been hitting 100% yet today, and I also haven't seen any F-Prot timeouts; however, I have found more compelling evidence that there is an issue with F-Prot that would probably lead to timeouts if the load was heavy while some messages were scanned.

I searched my logs today for examples of where McAfee found Mytob, but F-Prot didn't detect anything. There were a fair number of examples, and in every one, F-Prot took an uncharacteristically long time to scan the file. Here are three examples that are marked with the gap corresponding to the F-Prot delays:

    04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]

I'm virtually certain that this is what was happening yesterday, but under heavier load, F-Prot was taking longer to scan the messages than the 30 seconds that I allow it to. There are no other long delays like this that I can find. F-Prot based on past testing should detect a typical virus in 100 ms on my system, but it is not only taking much more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout issue probably wasn't seen as often because I have my timeout set to 30 seconds instead of 60 seconds, and I had very heavy load for much of the day yesterday. If others are running two virus scanners including F-Prot, it would help to confirm my findings by searching for a hit on the second virus scanner hitting, but F-Prot missing and also taking several seconds or more to return a result. If you search your logs for "Could not find parse string Infection: in report.txt", it might help to narrow down the results. I even tested with McAfee run first and then F-Prot and these messages would still appear when F-Prot didn't detect anything and McAfee did.

Here's an example with McAfee run first, detected a virus, and then F-Prot took its time, generated a report.txt file but didn't return a virus result code:

    04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]

I'm guessing that F-Prot doesn't produce a Report.txt file unless something happens besides it being found clean, and this file is being generated after a long delay and contains no identifiable infection string and the result code isn't 3, 6 or 8, otherwise Declude would have considered it a virus. I'm guessing that the report.txt file contains a report of an error???

I'm also guessing that this might explain the high CPU usage that Darrell was reporting for F-Prot yesterday, though these events are not very common on my system, only about twice an hour it would seem.

Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
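
The log search suggested in the message above, as an added example that is not part of the original post and is not Declude or F-Prot code: it groups log lines by queue ID, finds the largest gap between consecutive entries for each message, and notes whether the "Could not find parse string" line appears. It assumes every log line starts with the date, time and queue ID prefix seen in the quoted lines; the 5-second default threshold, the function name and the placeholder entries in the sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix as in the lines quoted in the post: date, time, queue ID, then text.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
# String the post suggests searching for.
PARSE_MISS = "Could not find parse string Infection: in report.txt"


def find_slow_scans(lines, min_gap_seconds=5):
    """Map queue ID -> largest gap between consecutive entries, if >= threshold."""
    entries = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines without the timestamp/queue-ID prefix
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entries[m.group(2)].append((ts, m.group(3)))

    flagged = {}
    for qid, items in entries.items():
        items.sort(key=lambda e: e[0])  # stable sort keeps same-second order
        max_gap, after = 0, None
        for (t0, text0), (t1, _) in zip(items, items[1:]):
            gap = int((t1 - t0).total_seconds())
            if gap > max_gap:
                max_gap, after = gap, text0  # entry that preceded the delay
        if max_gap >= min_gap_seconds:
            flagged[qid] = {
                "max_gap": max_gap,
                "after": after,
                "parse_miss": any(PARSE_MISS in text for _, text in items),
            }
    return flagged

# Constructed sample: only the prefix format, the "MIME file" line and the
# parse-string message come from the post; other entries are placeholders.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 <placeholder: first scanner started>
04/28/2005 05:49:21 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:21 QB18D740700A83968 <placeholder: second scanner reported a virus>
04/28/2005 05:50:02 QAAAA000000000001 <placeholder: message received>
04/28/2005 05:50:02 QAAAA000000000001 <placeholder: scan finished clean>
""".splitlines()

if __name__ == "__main__":
    print(find_slow_scans(SAMPLE_LOG))
```

Messages flagged with both a long gap and the parse-string line are the ones to compare against the second scanner's verdict.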
