No, absolutely no trace of the spool filename before the "parse string" line.
I've checked multiple cases in today's logfile now.
Note:
F-prot is my first, Mcafee my second scanner.
F-Prot 3.15, not 3.16.
I've PRESCAN ON in my virus.cfg line.
bye
Markus (have to leave the office now)
Markus,
It's there (or should be). Search for "Q7be703950112a342" appearing before this block and you should find at least one line corresponding to the message.
BTW, I just looked at an old log file from April 11th using Declude 1.82, and F-Prot was experiencing the same sorts of delays with the same characteristics. Seems like a pretty serious and longer-term issue with F-Prot.
Matt
Markus Gufler wrote:
No, I've checked this already before: there is no appearance of the spool file name above this line. All I can see is something like
04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection: in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 13]
04/28/2005 08:00:13 Q7be703950112a342 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 25955]
04/28/2005 08:00:13 Q7be703950112a342 From: [Forged] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
04/28/2005 08:00:13 Q7be703950112a342 Subject: Re:
Markus
Markus,
Take the spool file name corresponding to the "could not find parse string" and look above it for the beginning of the log entries for that file. You might think that this is the first entry for that message, but it appears that there is a gap in time and you aren't finding the first entries. Your entries should look the same or similar to mine. The first entry for each such message that passes PRESCAN will start with the "MIME file" line. It seems likely that you are experiencing the same thing.
Matt
Markus Gufler wrote:
Matt,
how do you search for these F-Prot space gaps?
As I can see from your log snippets, there is each time a "could not find parse string" after the space gap.
Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F_prot while Scanner2 Mcafee is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).
I still have F-prot 3.15 in use, not 3.16.
Markus
After further review, I'm pretty sure that there is an F-Prot issue going on here.
My server hasn't been hitting 100% yet today, and I also haven't seen any F-Prot timeouts, however I have found more compelling evidence that there is an issue with F-Prot that would probably lead to timeouts if the load was heavy while some messages were scanned. I searched my logs today for examples of where McAfee found Mytob, but F-Prot didn't detect anything. There were a fair number of examples, and in every one, F-Prot took an uncharacteristically long time to scan the file. Here are three examples that are marked with the gap corresponding to the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
I'm virtually certain that this is what was happening yesterday, but under heavier load, F-Prot was taking longer to scan the messages than the 30 seconds that I allow it to. There are no other long delays like this that I can find. F-Prot, based on past testing, should detect a typical virus in 100 ms on my system, but it is not only taking much more time to scan a very small file, it is also missing the virus.
I suspect that this is happening on other systems, but the timeout issue probably wasn't seen as often because I have my timeout set to 30 seconds instead of 60 seconds, and I had very heavy load for much of the day yesterday. If others are running two virus scanners including F-Prot, it would help to confirm my findings by searching for a hit on the second virus scanner hitting, but F-Prot missing and also taking several seconds or more to return a result.
If you search your logs for "Could not find parse string Infection: in report.txt", it might help to narrow down the results. I even tested with McAfee run first and then F-Prot and these messages would still appear when F-Prot didn't detect anything and McAfee did. Here's an example with McAfee run first, detected a virus, and then F-Prot took its time, generated a report.txt file but didn't return a virus result code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
--- 7 second gap while F-Prot scans ---
04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
I'm guessing that F-Prot doesn't produce a Report.txt file unless something happens besides it being found clean, and this file is being generated after a long delay and contains no identifiable infection string, and the result code isn't 3, 6 or 8, otherwise Declude would have considered it a virus. I'm guessing that the report.txt file contains a report of an error???
I'm also guessing that this might explain the high CPU usage that Darrell was reporting for F-Prot yesterday, though these events are not very common on my system, only about twice an hour it would seem.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
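The search Matt describes (find the "Could not find parse string" lines, walk back to the first entry for the same spool ID, measure the gap, and note whether the other scanner hit) can be automated over a Declude log. The script below is an added example, not code from the thread or from Declude; it assumes the line layout shown in the thread (date, time, Q-prefixed spool ID, message) and uses constructed sample lines with placeholder spool IDs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Declude log line as seen in the thread: "MM/DD/YYYY HH:MM:SS Q<spool> <message>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
PARSE_FAIL = "Could not find parse string Infection: in report.txt"

# Constructed sample: one slow F-Prot miss (6 s gap, scanner 2 hit), one clean
# message, and one Markus-style case where the parse failure is the first entry.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA0001 MIME file: document.scr [base64; Length=52224 Checksum=1]
04/28/2005 05:49:04 QAAAA0001 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QAAAA0001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA0001 Scanner 2: Virus=W32/Example Attachment=document.scr [0] O
04/28/2005 05:49:11 QAAAA0001 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:50:00 QBBBB0002 MIME file: report.pdf [base64; Length=1000 Checksum=2]
04/28/2005 05:50:00 QBBBB0002 Scanned: Clean [MIME: 1 1000]
04/28/2005 08:00:13 QCCCC0003 Could not find parse string Infection: in report.txt
04/28/2005 08:00:13 QCCCC0003 Scanner 2: Virus=W32/Example Attachment=Cat.zip [40] I
""".splitlines()


def parse_lines(lines):
    """Group (timestamp, message) pairs by spool ID, keeping file order."""
    per_spool = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # gap markers, wrapped text, anything not a log entry
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        per_spool[m.group(2)].append((ts, m.group(3)))
    return per_spool


def find_slow_misses(lines, min_gap_seconds=3):
    """Flag spools whose parse-string failure follows a gap of >= min_gap_seconds.
    gap is None when the failure is the first entry (scan start unknown)."""
    flagged = {}
    for spool, entries in parse_lines(lines).items():
        msgs = [msg for _, msg in entries]
        if PARSE_FAIL not in msgs:
            continue
        idx = msgs.index(PARSE_FAIL)
        other_hit = any("Virus=" in m for m in msgs)  # another scanner reported a hit
        if idx == 0:
            flagged[spool] = {"gap": None, "other_scanner_hit": other_hit}
            continue
        gap = (entries[idx][0] - entries[idx - 1][0]).total_seconds()
        if gap >= min_gap_seconds:
            flagged[spool] = {"gap": gap, "other_scanner_hit": other_hit}
    return flagged


if __name__ == "__main__":
    for spool, info in find_slow_misses(SAMPLE_LOG).items():
        print(spool, info)
```

Run it against a real Declude log with `find_slow_misses(open(path).read().splitlines())`; a gap of None reproduces Markus's situation, where the preceding entries for that spool are missing and the delay cannot be measured.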