Matt,
how do you search for these F-Prot space gaps?
As I can see from your log snippets, there is each time a "could not find parse string" after the space gap.
Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F-Prot while Scanner 2 (McAfee) is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).
I still have F-Prot 3.15 in use, not 3.16.
Markus
After further review, I'm pretty sure that there is an F-Prot issue
going on here.
My server hasn't been hitting 100% yet today, and I also
haven't seen any F-Prot timeouts, however I have found more compelling
evidence that there is an issue with F-Prot that would probably lead to
timeouts if the load was heavy while some messages were scanned. I
searched my logs today for examples of where McAfee found Mytob, but F-Prot
didn't detect anything. There were a fair number of examples, and in
every one, F-Prot took an uncharacteristically long time to scan the
file. Here are three examples that are marked with the gap corresponding
to the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
I'm virtually certain that this is what was happening yesterday, but under heavier load, F-Prot was taking longer to scan the messages than the 30 seconds that I allow it to. There are no other long delays like this that I can find. F-Prot, based on past testing, should detect a typical virus in 100 ms on my system, but it is not only taking much more time to scan a very small file, it is also missing the virus.
I suspect that this is happening on other systems, but the
timeout issue probably wasn't seen as often because I have my timeout set to
30 seconds instead of 60 seconds, and I had very heavy load for much of the
day yesterday. If others are running two virus scanners including
F-Prot, it would help to confirm my findings by searching for a hit on the
second virus scanner hitting, but F-Prot missing and also taking several
seconds or more to return a result.
If you search your logs for "Could not find parse string Infection: in report.txt", it might help to narrow down the results. I even tested with McAfee run first and then F-Prot, and these messages would still appear when F-Prot didn't detect anything and McAfee did. Here's an example where McAfee ran first and detected a virus, and then F-Prot took its time, generated a report.txt file but didn't return a virus result code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
--- 7 second gap while F-Prot scans ---
04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
I'm guessing that F-Prot doesn't produce a Report.txt file unless something happens besides it being found clean, and this file is being generated after a long delay and contains no identifiable infection string, and the result code isn't 3, 6 or 8, otherwise Declude would have considered it a virus. I'm guessing that the report.txt file contains a report of an error???
I'm also guessing that
this might explain the high CPU usage that Darrell was reporting for F-Prot
yesterday, though these events are not very common on my system, only about
twice an hour it would seem.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
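A log-analysis helper, added here and not part of either poster's message, that does the search Matt asks for and that Markus had trouble with: it groups Declude log lines by queue ID, measures the gap between the line before the F-Prot "Could not find parse string" entry and that entry, and flags messages where another scanner hit. A gap of None marks Markus's case, where that entry is the first line logged for the message. The sample log lines, queue IDs and virus name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Declude log layout quoted in the thread (queue IDs,
# virus name and times are made up). Message 1 has a 6 s gap before the F-Prot
# "parse string" entry and a Scanner 2 hit; in message 2 that entry is the first
# line for the message, so no gap can be measured (Markus's case).
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA000000000001 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QAAAA000000000001 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QAAAA000000000001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA000000000001 Scanner 2: Virus=the W32/Example@mm Attachment=document.scr [0] O
04/28/2005 05:49:11 QAAAA000000000001 File(s) are INFECTED [the W32/Example@mm: 13]
04/28/2005 06:12:00 QAAAA000000000002 Could not find parse string Infection: in report.txt
04/28/2005 06:12:00 QAAAA000000000002 Scanner 2: Virus=the W32/Example@mm Attachment= [0] O
"""
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9A-F]+) (.*)$")
SCANNER_HIT_RE = re.compile(r"^Scanner \d+: Virus=")
PARSE_STRING_MSG = "Could not find parse string Infection: in report.txt"

def parse_log(text):
    """Group (timestamp, message) pairs by Declude queue ID, keeping log order."""
    per_msg = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            per_msg[m.group(2)].append((ts, m.group(3)))
    return per_msg

def fprot_gaps(text):
    """queue ID -> (gap_seconds, other_scanner_hit) for each message that has the
    F-Prot "parse string" entry. The gap is measured from the previous log line
    of the same message and is None when that entry is the message's first line."""
    results = {}
    for qid, entries in parse_log(text).items():
        for i, (ts, msg) in enumerate(entries):
            if msg == PARSE_STRING_MSG:
                gap = (ts - entries[i - 1][0]).total_seconds() if i else None
                hit = any(SCANNER_HIT_RE.match(m) for _, m in entries)
                results[qid] = (gap, hit)
                break
    return results

def suspicious(text, min_gap=2.0):
    """Messages where the other scanner hit, F-Prot reported nothing, and F-Prot
    took at least min_gap seconds: the pattern Matt asks others to look for."""
    return sorted(q for q, (gap, hit) in fprot_gaps(text).items()
                  if hit and gap is not None and gap >= min_gap)
```

Run it over a real Declude log by passing the file contents to suspicious(); messages whose gap is None need the preceding log line checked by hand.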