No, I've checked this already before: there is no appearance
of the spool file name above this line. All I can see is something
like
04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection: in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 13]
04/28/2005 08:00:13 Q7be703950112a342 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 25955]
04/28/2005 08:00:13 Q7be703950112a342 From: [Forged] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
04/28/2005 08:00:13 Q7be703950112a342 Subject: Re:
Markus
Markus,
Take the spool file name corresponding to the "could
not find parse string" and look above it for the beginning of the log entries
for that file. You might think that this is the first entry for that
message, but it appears that there is a gap in time and you aren't finding the
first entries. Your entries should look the same or similar to
mine. The first entry for each such message that passes PRESCAN will
start with the "MIME file" line. It seems likely that you are
experiencing the same thing.
Matt
Markus Gufler wrote:
Matt,
How do you search for these F-Prot space gaps?
As I can see from your log snippets, there is each time
a "could not find parse string" after the space gap.
Searching my logfile for this phrase I can find around
10 of them, but always as the first log entry of a processed message. So I
can't determine if there is a space gap or not. Each of these log lines is
for F-Prot while Scanner 2 McAfee is detecting a virus (Netsky, Bagle, ...
but no Mytob in this case).
I still have F-Prot 3.15 in use, not
3.16.
Markus
After further
review, I'm pretty sure that there is an F-Prot issue going on
here.
My server hasn't been hitting 100% yet today, and I also
haven't seen any F-Prot timeouts; however, I have found more compelling
evidence that there is an issue with F-Prot that would probably lead to
timeouts if the load was heavy while some messages were scanned. I
searched my logs today for examples of where McAfee found Mytob, but
F-Prot didn't detect anything. There were a fair number of examples,
and in every one, F-Prot took an uncharacteristically long time to scan
the file. Here are three examples that are marked with the gap
corresponding to the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
I'm virtually certain that this is what was
happening yesterday, but under heavier load, F-Prot was taking longer to
scan the messages than the 30 seconds that I allow it to. There are
no other long delays like this that I can find. F-Prot based on past
testing should detect a typical virus in 100 ms on my system, but it is
not only taking much more time to scan a very small file, it is also
missing the virus.
I suspect that this is happening on other
systems, but the timeout issue probably wasn't seen as often because I
have my timeout set to 30 seconds instead of 60 seconds, and I had very
heavy load for much of the day yesterday. If others are running two
virus scanners including F-Prot, it would help to confirm my findings by
searching for a hit on the second virus scanner hitting, but F-Prot
missing and also taking several seconds or more to return a
result.
If you search your logs for "Could not find parse string
Infection: in report.txt", it might help to narrow down the
results. I even tested with McAfee run first and then F-Prot and
these messages would still appear when F-Prot didn't detect anything and
McAfee did. Here's an example with McAfee run first, detected a
virus, and then F-Prot took its time, generated a report.txt file but
didn't return a virus result code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
--- 7 second gap while F-Prot scans ---
04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
I'm guessing that F-Prot doesn't
produce a Report.txt file unless something happens besides it being found
clean, and this file is being generated after a long delay and contains no
identifiable infection string and the result code isn't 3, 6 or 8,
otherwise Declude would have considered it a virus. I'm guessing
that the report.txt file contains a report of an error???
I'm also
guessing that this might explain the high CPU usage that Darrell was
reporting for F-Prot yesterday, though these events are not very common on
my system, only about twice an hour it would seem.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
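One way to automate the log search Matt describes (find each "Could not find parse string Infection" entry, measure the gap from the preceding entry for the same queue ID, and check whether the other scanner reported a virus), and to flag the situation Markus ran into, where that line is the first entry visible for the queue ID so no gap can be measured. This is an added example, not code from the thread or from Declude; it assumes the log line layout quoted above (date, time, queue ID, message), and the queue IDs, attachment names and virus names in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the Declude log layout quoted in the thread.
# Queue IDs, attachment names and virus names here are made up for this example.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA00000000001 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QAAAA00000000001 Invalid SCR Vulnerability
04/28/2005 05:49:04 QAAAA00000000001 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QAAAA00000000001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA00000000001 Scanner 2: Virus=W32/EXAMPLE-A Attachment=document.scr [0] O
04/28/2005 05:49:11 QAAAA00000000001 File(s) are INFECTED [W32/EXAMPLE-A: 13]
04/28/2005 05:49:11 QAAAA00000000001 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 06:10:00 QBBBB00000000002 MIME file: report.zip [base64; Length=12000 Checksum=1234567]
04/28/2005 06:10:00 QBBBB00000000002 Scanned: OK [MIME: 2 12345]
04/28/2005 08:00:13 QCCCC00000000003 Could not find parse string Infection: in report.txt
04/28/2005 08:00:13 QCCCC00000000003 Scanner 2: Virus=W32/EXAMPLE-B Attachment=Cat.zip [40] I
04/28/2005 08:00:13 QCCCC00000000003 File(s) are INFECTED [W32/EXAMPLE-B: 13]
"""

# "MM/DD/YYYY HH:MM:SS <queue id> <message>"; the queue ID starts with Q.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
PARSE_FAIL = "Could not find parse string Infection: in report.txt"
SCANNER_HIT_RE = re.compile(r"^Scanner (\d+): Virus=(\S+)")


def parse_log(text):
    """Group log entries by queue ID, keeping the order they were written in."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comments, gap markers, anything not in the expected layout
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entries[m.group(2)].append((ts, m.group(3)))
    return entries


def find_scan_gaps(text, min_gap_seconds=2):
    """Report every message whose F-Prot run ended in a parse-string failure.

    gap_seconds is the time between the entry written just before the
    failure line and the failure line itself, i.e. roughly how long the
    scanner ran. It is None when the failure line is the first entry we
    have for that queue ID (the case where you must look further back).
    A finding is 'suspicious' when the gap is measurable, at least
    min_gap_seconds long, and another scanner reported a virus.
    """
    findings = []
    for qid, msgs in parse_log(text).items():
        hits = [SCANNER_HIT_RE.match(b).group(2)
                for _, b in msgs if SCANNER_HIT_RE.match(b)]
        for i, (ts, body) in enumerate(msgs):
            if not body.startswith(PARSE_FAIL):
                continue
            gap = None if i == 0 else (ts - msgs[i - 1][0]).total_seconds()
            findings.append({
                "queue_id": qid,
                "gap_seconds": gap,
                "other_scanner_hits": hits,
                "suspicious": gap is not None and gap >= min_gap_seconds and bool(hits),
                "note": ("no earlier entry for this queue ID in the input; "
                         "search further back in the log" if gap is None else ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_scan_gaps(SAMPLE_LOG):
        print(f)
```

Run it over a real log file by replacing SAMPLE_LOG with the file contents; raising min_gap_seconds towards the scanner timeout you have configured narrows the output to the slow scans that are most likely to have timed out under load.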