On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
> " Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
>     04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
>     04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
>     04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
>     --- 6 second gap where F-Prot scans message ---
>     04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
>     04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
>     04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
>     04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
>     04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
>     04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
>     04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
>     04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
> 
>     04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
>     --- 4 second gap where F-Prot scans message ---
>     04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
>     04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
>     04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
>     04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
>     04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
>     04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
>     04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
>     04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
> 
>     04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
>     04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
>     04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
>     --- 9 second gap where F-Prot scans message ---
>     04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
>     04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
> 
> I'm virtually certain that this is what was happening yesterday, but
> under heavier load, F-Prot was taking longer to scan the messages than
> the 30 seconds that I allow it to. There are no other long delays like
> this that I can find. F-Prot based on past testing should detect a
> typical virus in 100 ms on my system, but it is not only taking much
> more time to scan a very small file, it is also missing the virus.
> 
> I suspect that this is happening on other systems, but the timeout
> issue probably wasn't seen as often because I have my timeout set to
> 30 seconds instead of 60 seconds, and I had very heavy load for much
> of the day yesterday. If others are running two virus scanners
> including F-Prot, it would help to confirm my findings by searching
> for a hit on the second virus scanner hitting, but F-Prot missing and
> also taking several seconds or more to return a result.
> 
> If you search your logs for "Could not find parse string Infection: in
> report.txt", it might help to narrow down the results. I even tested
> with McAfee run first and then F-Prot and these messages would still
> appear when F-Prot didn't detect anything and McAfee did. Here's an
> example with McAfee run first, detected a virus, and then F-Prot took
> its time, generated a report.txt file but didn't return a virus
> result code:
>     04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
>     04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
>     --- 7 second gap while F-Prot scans ---
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
>     04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
> 
> I'm guessing that F-Prot doesn't produce a Report.txt file unless
> something happens besides it being found clean, and this file is being
> generated after a long delay and contains no identifiable infection
> string and the result code isn't 3, 6 or 8, otherwise Declude would
> have considered it a virus. I'm guessing that the report.txt file
> contains a report of an error???
> 
> I'm also guessing that this might explain the high CPU usage that
> Darrell was reporting for F-Prot yesterday, though these events are
> not very common on my system, only about twice an hour it would seem.
> 
> Matt
> -- 
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
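
The log search Matt suggests above, as an added example (not part of either e-mail and not Declude's own tooling): it groups entries by queue ID, finds every "Could not find parse string" warning, measures the pause before it, and lists which scanner did report a virus for the same message. It assumes one log entry per line in the layout quoted in the thread; the sample log, its queue IDs and the 2-second `min_gap` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

PARSE_MISS = "Could not find parse string Infection: in report.txt"
# Entry layout as quoted in the thread: "MM/DD/YYYY HH:MM:SS <queue id> <text>"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q\w+) (.*)$")
HIT_RE = re.compile(r"^Scanner (\d+): Virus=")

# Constructed sample modelled on the quoted entries; queue IDs and the
# virus name are placeholders, not values from the thread.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA0001 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QAAAA0001 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QAAAA0001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA0001 Scanner 2: Virus=the W32/Example Attachment=document.scr [0] O
04/28/2005 05:49:11 QAAAA0001 File(s) are INFECTED [the W32/Example: 13]
04/28/2005 06:00:00 QBBBB0002 MIME file: photo.zip [base64; Length=1000 Checksum=1]
04/28/2005 06:00:00 QBBBB0002 Scanner 1: Virus=the W32/Example Attachment= [0] O
04/28/2005 06:00:01 QBBBB0002 File(s) are INFECTED [the W32/Example: 13]
04/28/2005 06:10:00 QCCCC0003 MIME file: notes.zip [base64; Length=200 Checksum=2]
04/28/2005 06:10:07 QCCCC0003 Could not find parse string Infection: in report.txt
"""

def find_parse_misses(log_text, min_gap=2):
    """Return one finding per PARSE_MISS entry, grouped by queue ID."""
    by_msg = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            by_msg[m.group(2)].append((ts, m.group(3)))
    findings = []
    for qid, entries in by_msg.items():
        # Scanners that did report a virus for this message.
        hits = [h.group(1) for _, t in entries if (h := HIT_RE.match(t))]
        for i, (ts, text) in enumerate(entries):
            if text != PARSE_MISS:
                continue
            # Seconds since the previous entry for the same message: the
            # pause the thread attributes to the scanner run.
            gap = int((ts - entries[i - 1][0]).total_seconds()) if i else 0
            findings.append({"id": qid, "gap_seconds": gap,
                             "slow": gap >= min_gap, "hit_by": hits})
    return findings

if __name__ == "__main__":
    for f in find_parse_misses(SAMPLE_LOG):
        print(f)
```

A finding with a non-empty `hit_by` is the case Matt asks others to look for: another scanner caught the message while the scanner that wrote report.txt returned nothing after a multi-second pause.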


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
