|
I'm using LOGLEVEL MID in my logfile so it must be this the
cause of missing previous loglines.
I've logfiles back to 03/2004 and have made some sporadic
checks. This few "could not find parse" was there for over 10 months now. Due to
the missing previous loglines I can't say if this was casued by a scanner
timeout or not. As already sayd the second scanner is detecting Zafi, Bagle,
Netsky ... so nothing special and also nothing new that would cause an exit code
8 from f-prot due to missing updated signatures.
At least I can say that I haven't seen any case where the
second scanner hasn't catched the virus
Another aspect: Why declude should try to parse report.txt
if the engine hasn't reported a virus with the exit code?
Beside the problem that f-prot seems to use a lot of
CPU I believe that it will not timeout but it will detect something but for
whatever reason will not write the report.txt or a complete
report.txt
I believe also that /(P|M)ANALYZE could be a good reason
for increased CPU usage, even if I can't explain why it should happen only for a
few messages each day.
Another idea: why not set up a declude virus configuration
in a separate folder with or without the second scanner and test the hold
message (by scanner2) again? It should be interesting if the same space gap can
be reproduced or if we must search another reason for the sporadic
appearance...
good night from GMT+1
Markus
Markus and Andrew,
I think I have an idea as to possibly
why. I run Declude Virus at LOGLEVEL HIGH. Maybe you guys are
logging at a different level. FYI, the HIGH level doesn't produce an
inordinate amount of data by any means.
I went back to my oldest Virus
log where I was also running Declude 1.82 and there are definitely a fair
number of examples back then as well, though this isn't a huge number in
comparison to the total number of viruses that are detected each day.
Here's one example of a 10 second gap from April 1st running Declude 1.82 and
both F-Prot and McAfee, where McAfee tags the virus and F-Prot takes 10
seconds to error.
04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file:
gsbfgwcjnx.bmp [base64; Length=1846 Checksum=281466]
04/01/2005 14:37:00
Qa2dce53900ee9f9d MIME file: Dog.zip [base64; Length=26047
Checksum=3314327]
04/01/2005 14:37:00 Qa2dce53900ee9f9d Found encrypted
.ZIP file
04/01/2005 14:37:00 Qa2dce53900ee9f9d Banning .ZIP file with
encrypted EXE extension.
--- 10 second gap while F-Prot scans
---
04/01/2005 14:37:10 Qa2dce53900ee9f9d Could not find parse string
Infection: in report.txt
04/01/2005 14:37:11 Qa2dce53900ee9f9d
Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=Dog.zip [0]
O
04/01/2005 14:37:11 Qa2dce53900ee9f9d File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting
file with virus
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting E-mail
with virus!
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanned: CONTAINS A
VIRUS [Prescan OK][MIME: 3 28098]
04/01/2005 14:37:11 Qa2dce53900ee9f9d
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
208.7.179.200]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Subject:
Re:
Matt
Colbeck, Andrew wrote:
Matt, no there is no related Q line in my log files above that
error.
And given the load on my server, there is no way to correlate a
useful gap between my DECmmdd.log and VIRmmdd.log files; rather, I expect
random gaps.
Also, I've noticed that F-Prot has definitely leaked viruses, because
they're caught on my internal Exchange servers. Whenever I notice this
however, I've been able to attribute these to late pattern
updates.
I
don't think my server has problem that you have, but I've certainly
looked.
Andrew 8)
Andrew,
If
you are only using F-Prot, you should be able to find evidence of at least
the delays by searching for "Could not find parse string Infection" and
then checking for a gap above that point to where the message began to be
scanned.
If I'm correct about this, and it seems that I am, F-Prot
has been missing a fair number of viruses every day at least going back to
April 11th. Their new scan engine, 3.16b was released back on March
7th and this may be related, but I don't have logs going back past April
to confirm.
F-Prot users should all probably pay very close
attention to this. I haven't yet contacted F-Prot because I'm busy
at this moment and this was only just confirmed by someone else. I
would have to say that Scott would be quite useful in a situation like
this because it appeared that he had a line of contact with them (Scott,
are you out there?).
Matt
Colbeck, Andrew wrote:
The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3. Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.
I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: [email protected]
Subject: Re: [Declude.Virus] High CPU F-Prot
On 28 Apr 2005 at 12:57, Matt wrote:
Matt -
If this becomes a real problem that you see and can monitor I would
revert back to an older scan.exe to eliminate the issue of versions.
This is a possible clue:
" Could not find parse string Infection: in report.txt"
What does this mean?
Your virus.cfg needs a different setup parameter or report.txt cannot
be found?
-Nick
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr
[base64; Length=52224 Checksum=6533396] 04/28/2005 05:49:04
QB18D740700A83968 Invalid SCR Vulnerability 04/28/2005 05:49:04
QB18D740700A83968 Banning file with SCR extension
[application/octet-stream]. --- 6 second gap where F-Prot scans
message --- 04/28/2005 05:49:10 QB18D740700A83968 Could not find
parse string Infection: in report.txt 04/28/2005 05:49:11
QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED]
Attachment=document.scr [0] O 04/28/2005 05:49:11
QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS
[MIME: 2 54788] 04/28/2005 05:49:11 QB18D740700A83968 From:
[EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
12.152.254.47] 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL
TRANSACTION FAILED
04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64;
Length=55408 Checksum=6875560] --- 4 second gap where F-Prot scans
message --- 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find
parse string Infection: in report.txt 04/28/2005 09:09:46
QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED]
Attachment= [0] O 04/28/2005 09:09:46 QE095EDCB006E8802 File(s)
are INFECTED [the W32/[EMAIL PROTECTED]: 13] 04/28/2005 09:09:46
QE095EDCB006E8802 Deleting file with virus 04/28/2005 09:09:46
QE095EDCB006E8802 Deleting E-mail with virus! 04/28/2005 09:09:46
QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From:
[EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
208.7.179.200] 04/28/2005 09:09:46 QE095EDCB006E8802 Subject:
hello
04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64;
Length=56320 Checksum=6982245] 04/28/2005 09:47:55
QE98BF4DC00DA98FB Invalid SCR Vulnerability 04/28/2005 09:47:55
QE98BF4DC00DA98FB Banning file with SCR extension
[application/octet-stream]. --- 9 second gap where F-Prot scans
message --- 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find
parse string Infection: in report.txt 04/28/2005 09:48:05
QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED]
Attachment=data.scr [0] O 04/28/2005 09:48:05 QE98BF4DC00DA98FB
File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13] 04/28/2005
09:48:05 QE98BF4DC00DA98FB Deleting file with virus 04/28/2005
09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus! 04/28/2005
09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2
56551] 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From:
[EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
208.7.179.200] 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good
day
I'm virtually certain that this is what was happening yesterday, but
under heavier load, F-Prot was taking longer to scan the messages than
the 30 seconds that I allow it to. There are no other long delays like
this that I can find. F-Prot based on past testing should detect a
typical virus in 100 ms on my system, but it is not only taking much
more time to scan a very small file, it is also missing the virus.
I suspect that this is happening on other systems, but the timeout
issue probably wasn't seen as often because I have my timeout set to
30 seconds instead of 60 seconds, and I had very heavy load for much
of the day yesterday. If others are running two virus scanners
including F-Prot, it would help to confirm my findings by searching
for a hit on the second virus scanner hitting, but F-Prot missing and
also taking several seconds or more to return a result.
If you search your logs for "Could not find parse string Infection: in
report.txt", it might help to narrow down the results. I even tested
with McAfee run first and then F-Prot and these messages would still
appear when F-Prot didn't detect anything and McAfee did. Here's an
example with McAfee run first, detected a virus, and then F- Prot took
it's time, generated a report.txt file but didn't return a virus
result code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64;
Length=56434 Checksum=6987682] 04/28/2005 01:37:51
Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED]
Attachment= [0] O --- 7 second gap while F-Prot scans ---
04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string
Infection: in report.txt 04/28/2005 01:37:58 Q76AE2D3600E0E263
File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8] 04/28/2005 01:37:58
Q76AE2D3600E0E263 Deleting file with virus 04/28/2005 01:37:58
Q76AE2D3600E0E263 Deleting E-mail with virus! 04/28/2005 01:37:58
Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [outgoing from 208.7.179.200] 04/28/2005
01:37:58 Q76AE2D3600E0E263 Subject: Good day
I'm guessing that F-Prot doesn't produce a Report.txt file unless
something happens besides it being found clean, and this file is being
generated after a long delay and contains no identifiable infection
string and the result code isn't 3,6 or 8, otherwise Declude would
have considered it a virus. I'm guessing that the report.txt file
contains a report of an error???
I'm also guessing that this might explain the high CPU usage that
Darrell was reporting for F-Prot yesterday, though these events are
not very common on my system, only about twice an hour it would seem.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
