Matt, I searched 2 weeks of logs on both of my servers (both of which run F-Prot and TrendMicro) and could only find 4 instances of "Could not find parse string Infection", and they were found on the server that is very heavily loaded.  I use the following F-Prot strings in my virus.cfg:
 
# F-Prot
SCANFILE1       C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1      3
VIRUSCODE1      6
VIRUSCODE1      8
VIRUSCODE1      9
VIRUSCODE1      10
REPORT1         Infection:
 
Here is a sample of what I find if I parse for 5 lines before and after the target Q-ID:
 
04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b00004d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c00004f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
 
I didn't find a time gap in any of the "Could not find parse string Infection" log entries I found.
 
Bill
----- Original Message -----
From: Matt
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot

Andrew,

If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

Matt



Colbeck, Andrew wrote:
The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
" Could not find parse string Infection: in report.txt"
    
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
    04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
    04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
    04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
    --- 6 second gap where F-Prot scans message ---
    04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
    04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
    04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
    04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
    04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
    04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
    04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
    04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

    04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
    --- 4 second gap where F-Prot scans message ---
    04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
    04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
    04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
    04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
    04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
    04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
    04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
    04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

    04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
    04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
    04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
    --- 9 second gap where F-Prot scans message ---
    04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
    04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
    04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
I'm virtually certain that this is what was happening yesterday, but 
under heavier load, F-Prot was taking longer to scan the messages than 
the 30 seconds that I allow it to. There are no other long delays like 
this that I can find. F-Prot, based on past testing, should detect a 
typical virus in 100 ms on my system, but it is not only taking much 
more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout 
issue probably wasn't seen as often because I have my timeout set to 
30 seconds instead of 60 seconds, and I had very heavy load for much 
of the day yesterday. If others are running two virus scanners 
including F-Prot, it would help to confirm my findings by searching 
for a hit on the second virus scanner hitting, but F-Prot missing and 
also taking several seconds or more to return a result.

If you search your logs for "Could not find parse string Infection: in 
report.txt", it might help to narrow down the results. I even tested 
with McAfee run first and then F-Prot and these messages would still 
appear when F-Prot didn't detect anything and McAfee did. Here's an 
example with McAfee run first, detected a virus, and then F-Prot took 
its time, generated a report.txt file but didn't return a virus 
result code:
    04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
    04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
    --- 7 second gap while F-Prot scans ---
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
    04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
    04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
I'm guessing that F-Prot doesn't produce a Report.txt file unless 
something happens besides it being found clean, and this file is being 
generated after a long delay and contains no identifiable infection 
string and the result code isn't 3, 6 or 8, otherwise Declude would 
have considered it a virus. I'm guessing that the report.txt file 
contains a report of an error???

I'm also guessing that this might explain the high CPU usage that 
Darrell was reporting for F-Prot yesterday, though these events are 
not very common on my system, only about twice an hour it would seem.

Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
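The log-mining procedure Matt lays out above (find the "Could not find parse string Infection:" line, measure the delay since the previous entry for the same Q-ID, and cross-check whether the other scanner reported a virus), together with Bill's five-lines-before-and-after context view from the top of the thread, as an added Python example. This is not Declude's or F-Prot's code and is not from anyone in the thread; the sample log is constructed from lines quoted in the thread, with the redacted virus name replaced by the placeholder `W32/PLACEHOLDER`, and the 3-second gap threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines modelled on the Declude virus log quoted in the
# thread ("MM/DD/YYYY HH:MM:SS <Q-ID> <message>"). The virus name is a placeholder.
SAMPLE_LOG = """\
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=W32/PLACEHOLDER Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [W32/PLACEHOLDER: 13]
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
"""

# The exact line Declude writes when the REPORT1 string is absent from report.txt.
MARKER = "Could not find parse string Infection:"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into (timestamp, Q-ID, message); None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return ts, m.group(2), m.group(3)


def find_scanner_gaps(log_text, min_gap_seconds=3):
    """Matt's check: for every marker line, compute the delay since the previous
    entry for the same Q-ID and flag it when the delay reaches min_gap_seconds.
    Each hit also records whether another scanner ("Scanner N: Virus=...")
    reported a virus for that message, which is the F-Prot-missed case."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            by_qid[parsed[1]].append(parsed)

    hits = []
    for qid, entries in by_qid.items():
        entries.sort(key=lambda e: e[0])  # stable, so same-second order is kept
        other_scanner = any("Scanner " in msg and "Virus=" in msg for _, _, msg in entries)
        for i, (ts, _, msg) in enumerate(entries):
            if MARKER not in msg or i == 0:
                continue
            gap = (ts - entries[i - 1][0]).total_seconds()
            if gap >= min_gap_seconds:
                hits.append({"qid": qid, "at": ts, "gap_seconds": gap,
                             "other_scanner_hit": other_scanner})
    return hits


def context_window(log_text, qid, before=5, after=5):
    """Bill's view: the raw lines around the first marker line for a Q-ID,
    regardless of which message the neighbouring lines belong to."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if MARKER in line and qid in line:
            return lines[max(0, i - before): i + after + 1]
    return []


if __name__ == "__main__":
    for hit in find_scanner_gaps(SAMPLE_LOG):
        print(f"{hit['qid']}: {hit['gap_seconds']:.0f}s before marker, "
              f"other scanner hit={hit['other_scanner_hit']}")
        print("\n".join(context_window(SAMPLE_LOG, hit["qid"], 3, 3)))
```

Run against a real Declude virus log by reading the file into `find_scanner_gaps` in place of `SAMPLE_LOG`; raising `min_gap_seconds` toward the configured scanner timeout isolates the slow scans from the ordinary sub-second "no Infection: string" cases Bill and Andrew describe.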
    


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.