Title: Message
I'm using LOGLEVEL MID in my logfile, so this must be the cause of the missing previous loglines.

I have logfiles going back to 03/2004 and have made some sporadic checks. These few "could not find parse" lines have been there for over 10 months now. Due to the missing previous loglines I can't say whether this was caused by a scanner timeout or not. As already said, the second scanner is detecting Zafi, Bagle, Netsky ... so nothing special and also nothing new that would cause an exit code 8 from F-Prot due to missing updated signatures.

At least I can say that I haven't seen any case where the second scanner hasn't caught the virus.

Another aspect: why should Declude try to parse report.txt if the engine hasn't reported a virus via the exit code?
Besides the problem that F-Prot seems to use a lot of CPU, I believe that it will not time out but will detect something and, for whatever reason, will not write report.txt or a complete report.txt.

I also believe that /(P|M)ANALYZE could be a good reason for increased CPU usage, even if I can't explain why it should happen only for a few messages each day.

Another idea: why not set up a Declude Virus configuration in a separate folder, with or without the second scanner, and test the held message (held by scanner 2) again? It would be interesting to see whether the same space gap can be reproduced or whether we must search for another reason for the sporadic appearance...
 
good night from GMT+1
Markus
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 8:52 PM
To: [email protected]
Subject: Re: [Declude.Virus] High CPU F-Prot

Markus and Andrew,

I think I have an idea as to possibly why.  I run Declude Virus at LOGLEVEL HIGH.  Maybe you guys are logging at a different level.  FYI, the HIGH level doesn't produce an inordinate amount of data by any means.

I went back to my oldest Virus log where I was also running Declude 1.82 and there are definitely a fair number of examples back then as well, though this isn't a huge number in comparison to the total number of viruses that are detected each day.  Here's one example of a 10 second gap from April 1st running Declude 1.82 and both F-Prot and McAfee, where McAfee tags the virus and F-Prot takes 10 seconds to error.
04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: gsbfgwcjnx.bmp [base64; Length=1846 Checksum=281466]
04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: Dog.zip [base64; Length=26047 Checksum=3314327]
04/01/2005 14:37:00 Qa2dce53900ee9f9d Found encrypted .ZIP file
04/01/2005 14:37:00 Qa2dce53900ee9f9d Banning .ZIP file with encrypted EXE extension.
--- 10 second gap while F-Prot scans ---
04/01/2005 14:37:10 Qa2dce53900ee9f9d Could not find parse string Infection:  in report.txt
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=Dog.zip [0] O
04/01/2005 14:37:11 Qa2dce53900ee9f9d File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting file with virus
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting E-mail with virus!
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 28098]
04/01/2005 14:37:11 Qa2dce53900ee9f9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Subject: Re:

Matt




Colbeck, Andrew wrote:
Matt, no there is no related Q line in my log files above that error.
 
And given the load on my server, there is no way to correlate a useful gap between my DECmmdd.log and VIRmmdd.log files; rather, I expect random gaps.
 
Also, I've noticed that F-Prot has definitely leaked viruses, because they're caught on my internal Exchange servers.  Whenever I notice this however, I've been able to attribute these to late pattern updates.
 
I don't think my server has the problem that you have, but I've certainly looked.
 
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 10:58 AM
To: [email protected]
Subject: Re: [Declude.Virus] High CPU F-Prot

Andrew,

If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

Matt



Colbeck, Andrew wrote:
The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: [email protected]
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:

" Could not find parse string Infection: in report.txt"

What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
    04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
    04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
    04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
    --- 6 second gap where F-Prot scans message ---
    04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
    04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
    04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
    04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
    04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
    04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
    04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
    04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

    04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
    --- 4 second gap where F-Prot scans message ---
    04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
    04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
    04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
    04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
    04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
    04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
    04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
    04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

    04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
    04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
    04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
    --- 9 second gap where F-Prot scans message ---
    04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
    04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
    04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
    04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but
under heavier load, F-Prot was taking longer to scan the messages than
the 30 seconds that I allow it to. There are no other long delays like
this that I can find. F-Prot based on past testing should detect a
typical virus in 100 ms on my system, but it is not only taking much
more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout 
issue probably wasn't seen as often because I have my timeout set to 
30 seconds instead of 60 seconds, and I had very heavy load for much 
of the day yesterday. If others are running two virus scanners 
including F-Prot, it would help to confirm my findings by searching 
for a hit on the second virus scanner hitting, but F-Prot missing and 
also taking several seconds or more to return a result.

If you search your logs for "Could not find parse string Infection: in
report.txt", it might help to narrow down the results. I even tested
with McAfee run first and then F-Prot and these messages would still
appear when F-Prot didn't detect anything and McAfee did. Here's an
example with McAfee run first, detected a virus, and then F-Prot took
its time, generated a report.txt file but didn't return a virus
result code:

    04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
    04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
    --- 7 second gap while F-Prot scans ---
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
    04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
    04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
    04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day

I'm guessing that F-Prot doesn't produce a Report.txt file unless
something happens besides it being found clean, and this file is being
generated after a long delay and contains no identifiable infection
string and the result code isn't 3, 6 or 8, otherwise Declude would
have considered it a virus. I'm guessing that the report.txt file
contains a report of an error???

I'm also guessing that this might explain the high CPU usage that 
Darrell was reporting for F-Prot yesterday, though these events are 
not very common on my system, only about twice an hour it would seem.

Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
    


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
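The log search Matt describes above (a "Could not find parse string Infection:" line preceded by a multi-second gap for the same queue ID, with a second scanner catching the virus) can be run as a script rather than by hand. The following Python is an added example for this page, not code from Declude, F-Prot or anyone in the thread. The sample log, queue IDs, attachment names and virus names are constructed to match the line format quoted in the thread, and the 2-second threshold is an arbitrary assumption; point `analyze()` at real VIRmmdd.log lines to use it.

```python
import re
from datetime import datetime

# One Declude Virus log line: "MM/DD/YYYY HH:MM:SS Q<queue-id> <message>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
# The line Declude writes when report.txt holds no "Infection:" string
PARSE_FAIL = "Could not find parse string Infection:"
# A detection by any configured scanner, e.g. "Scanner 2: Virus=W32/Foo Attachment=..."
SCANNER_HIT_RE = re.compile(r"Scanner (\d+): Virus=(\S+)")

# Constructed sample log in the format quoted in the thread. Queue IDs,
# attachment names and virus names are made up for this example.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA0001 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QAAAA0001 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QAAAA0001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA0001 Scanner 2: Virus=W32/Example.worm Attachment=document.scr [0] O
04/28/2005 05:49:11 QAAAA0001 File(s) are INFECTED [W32/Example.worm: 13]
04/28/2005 05:49:12 QBBBB0002 MIME file: notes.txt [base64; Length=1024 Checksum=42]
04/28/2005 05:49:12 QBBBB0002 Could not find parse string Infection: in report.txt
04/28/2005 06:10:00 QCCCC0003 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 06:10:01 QCCCC0003 Scanner 1: Virus=W32/Example.worm Attachment= [0] O
04/28/2005 06:10:08 QCCCC0003 Could not find parse string Infection: in report.txt
04/28/2005 06:10:08 QCCCC0003 File(s) are INFECTED [W32/Example.worm: 8]
04/28/2005 07:00:00 QDDDD0004 MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 07:00:05 QDDDD0004 Could not find parse string Infection: in report.txt
"""


def parse_line(line):
    """Split a log line into (timestamp, queue id, message); None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return ts, m.group(2), m.group(3)


def analyze(lines):
    """For every message that produced a parse failure, record how many seconds
    passed since the previous log line for the same queue id (the gap during
    which F-Prot was scanning) and which other scanners flagged the message."""
    last_seen = {}   # queue id -> timestamp of its most recent log line
    records = {}     # queue id -> {"gap": seconds or None, "hits": [(scanner, virus)]}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, qid, msg = parsed
        rec = records.setdefault(qid, {"gap": None, "hits": []})
        if PARSE_FAIL in msg:
            prev = last_seen.get(qid, ts)
            rec["gap"] = int((ts - prev).total_seconds())
        hit = SCANNER_HIT_RE.search(msg)
        if hit:
            rec["hits"].append((int(hit.group(1)), hit.group(2)))
        last_seen[qid] = ts
    # keep only messages where Declude actually failed to parse report.txt
    return {qid: r for qid, r in records.items() if r["gap"] is not None}


def confirmed_misses(records, min_gap=2):
    """Queue ids where F-Prot took at least min_gap seconds to come back without
    a result and another scanner detected a virus in the same message.
    Longest gap first. The threshold is an assumption, not a Declude setting."""
    qids = [q for q, r in records.items() if r["gap"] >= min_gap and r["hits"]]
    return sorted(qids, key=lambda q: -records[q]["gap"])


def slow_unconfirmed(records, min_gap=2):
    """Long gaps with no second-scanner detection: inconclusive on their own,
    since a single-scanner setup cannot tell a slow clean scan from a miss."""
    return sorted(q for q, r in records.items() if r["gap"] >= min_gap and not r["hits"])


if __name__ == "__main__":
    recs = analyze(SAMPLE_LOG.splitlines())
    for qid in confirmed_misses(recs):
        r = recs[qid]
        print(f"{qid}: F-Prot gap {r['gap']}s, caught by scanner(s) {r['hits']}")
    for qid in slow_unconfirmed(recs):
        print(f"{qid}: F-Prot gap {recs[qid]['gap']}s, no other detection (check manually)")
```

The gap is measured against the previous line for the same queue ID rather than the previous line in the file, because on a loaded server lines from many messages interleave. Messages with a parse failure but no gap (QBBBB0002 in the sample) are ignored, which matches Andrew's observation that the line appears for every non-3 return code; the interesting cases are the ones where the failure arrives seconds late.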