On 28 Apr 2005 at 16:44, Matt wrote:

Hi Matt,

> I assume that this is probably resulting in an exit code of 9 or 10
> then because I'm not using either at the moment, and you are the first
> that I definitively know has them configured.

I do not use these codes either - I had 4 "Could not find parse string
Infection" in my logs today. The average delay was 4 seconds. Is the
answer to add the additional exit codes or is there a downside to that?

-Nick

> 9 - At least one object was not scanned (encrypted file,
> unsupported/unknown compression method, unsupported/unknown file
> format, corrupted or invalid file).
>
> 10 - At least one archive object was not scanned (contains more
> than N levels of nested archives, as specified with -archive
> switch).
>
> Since some of these are not zip files on my system, I am going to
> assume that it is an exit code of 9 that is being spit out. A file
> corruption might also explain the issues with F-Prot taking longer on
> my system.
>
> Anyway, I just started to not delete viruses so I should catch one of
> these soon and then I can work at processing it manually to see what I
> find.
>
> Thanks for sharing. This was helpful.
>
> Matt
>
>
> Bill Landry wrote:
> Matt, I searched 2 weeks of logs on both of my servers (both of
> which run F-Prot and TrendMicro) and could only find 4 instances
> of "Could not find parse string Infection", and they were found on
> the server that is very heavily loaded.
> I use the following F-Prot strings in my virus.cfg:
>
> # F-Prot
> SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB
> -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT
> -REPORT=report.txt
> VIRUSCODE1 3
> VIRUSCODE1 6
> VIRUSCODE1 8
> VIRUSCODE1 9
> VIRUSCODE1 10
> REPORT1 Infection:
>
> Here is a sample of what I find if I parse for 5 lines before and
> after the target Q-ID:
>
> 04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
> 04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
> 04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
> 04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
> 04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
> 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
> 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
> 04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
> 04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
> 04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
> 04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
> 04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
> 04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
> 04/20/2005 11:53:34 Qa52b00004d30fdb9 Scanned: Virus Free [MIME: 1 672]
> 04/20/2005 11:53:35 Qa52c00004f880105 Scanned: Virus Free [MIME: 1 752]
> 04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
> 04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
>
> I didn't find a time gap in any of the "Could not find parse string
> Infection" log entries I found.
> Bill
>
> ----- Original Message -----
> From: Matt
> To: [email protected]
> Sent: Thursday, April 28, 2005 10:58 AM
> Subject: Re: [Declude.Virus] High CPU F-Prot
>
> Andrew,
>
> If you are only using F-Prot, you should be able to find evidence of
> at least the delays by searching for "Could not find parse string
> Infection" and then checking for a gap above that point to where the
> message began to be scanned.
>
> If I'm correct about this, and it seems that I am, F-Prot has been
> missing a fair number of viruses every day at least going back to
> April 11th. Their new scan engine, 3.16b, was released back on March
> 7th and this may be related, but I don't have logs going back past
> April to confirm.
>
> F-Prot users should all probably pay very close attention to this. I
> haven't yet contacted F-Prot because I'm busy at this moment and this
> was only just confirmed by someone else. I would have to say that
> Scott would be quite useful in a situation like this because it
> appeared that he had a line of contact with them (Scott, are you out
> there?).
>
> Matt
>
>
> Colbeck, Andrew wrote:
> The "could not parse" string occurs whenever F-Prot returns a
> result that *isn't* equal to 3. Only return code 3 provides a
> string in the result file that says "Infection: " followed by the
> virus name.
>
> I'd like to help you out with this Matt, but with only one
> antivirus scanner, I don't see the evidence of a space gap.
>
> Andrew 8)
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nick
> Sent: Thursday, April 28, 2005 10:29 AM
> To: [email protected]
> Subject: Re: [Declude.Virus] High CPU F-Prot
>
>
> On 28 Apr 2005 at 12:57, Matt wrote:
>
> Matt -
>
> If this becomes a real problem that you see and can monitor I
> would revert back to an older scan.exe to eliminate the issue of
> versions.
>
> This is a possible clue:
>
> "Could not find parse string Infection: in report.txt"
>
> What does this mean?
> Your virus.cfg needs a different setup parameter or report.txt
> cannot be found?
>
> -Nick
>
> 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
> 04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
> 04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
> --- 6 second gap where F-Prot scans message ---
> 04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
> 04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
> 04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
> 04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
> 04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
> 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
>
> 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
> --- 4 second gap where F-Prot scans message ---
> 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
> 04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
> 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
> 04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
>
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
> --- 9 second gap where F-Prot scans message ---
> 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
>
> I'm virtually certain that this is what was happening yesterday,
> but under heavier load, F-Prot was taking longer to scan the
> messages than the 30 seconds that I allow it to. There are no other
> long delays like this that I can find. F-Prot based on past testing
> should detect a typical virus in 100 ms on my system, but it is not
> only taking much more time to scan a very small file, it is also
> missing the virus.
>
> I suspect that this is happening on other systems, but the timeout
> issue probably wasn't seen as often because I have my timeout set
> to 30 seconds instead of 60 seconds, and I had very heavy load for
> much of the day yesterday.
> If others are running two virus scanners including F-Prot, it would
> help to confirm my findings by searching for a hit on the second
> virus scanner hitting, but F-Prot missing and also taking several
> seconds or more to return a result.
>
> If you search your logs for "Could not find parse string Infection:
> in report.txt", it might help to narrow down the results. I even
> tested with McAfee run first and then F-Prot and these messages
> would still appear when F-Prot didn't detect anything and McAfee
> did. Here's an example with McAfee run first, detected a virus, and
> then F-Prot took its time, generated a report.txt file but didn't
> return a virus result code:
>
> 04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
> 04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
> --- 7 second gap while F-Prot scans ---
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
>
> I'm guessing that F-Prot doesn't produce a Report.txt file unless
> something happens besides it being found clean, and this file is
> being generated after a long delay and contains no identifiable
> infection string and the result code isn't 3, 6 or 8, otherwise
> Declude would have considered it a virus. I'm guessing that the
> report.txt file contains a report of an error???
> I'm also guessing that this might explain the high CPU usage that
> Darrell was reporting for F-Prot yesterday, though these events
> are not very common on my system, only about twice an hour it
> would seem.
>
> Matt
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.Virus". The archives can be found at
> http://www.mail-archive.com.
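Matt's suggested search (find "Could not find parse string Infection" in the Declude virus log, look for a gap above it, and check whether the second scanner hit anyway) can be automated. The script below is an added example, not code from the thread or from Declude; it runs over constructed sample lines modelled on the quoted log format, and the 3-second threshold, the hex Q-ID pattern and the Scanner-N line format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the Declude virus log layout quoted in the thread
# (Q-IDs, virus name, sizes and times are made up).
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA000000000001 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QAAAA000000000001 Invalid SCR Vulnerability
04/28/2005 05:49:10 QAAAA000000000001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA000000000001 Scanner 2: Virus=the W32/Example@mm Attachment=document.scr [0] O
04/28/2005 05:49:11 QAAAA000000000001 File(s) are INFECTED [the W32/Example@mm: 13]
04/28/2005 11:53:29 QBBBB000000000002 MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/28/2005 11:53:29 QBBBB000000000002 Could not find parse string Infection: in report.txt
04/28/2005 11:53:30 QBBBB000000000002 File(s) are INFECTED [: 0]
04/28/2005 11:53:32 QCCCC000000000003 Scanned: Virus Free [MIME: 1 2087]
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9A-Fa-f]+) (.*)$")
PARSE_FAIL = "Could not find parse string"          # F-Prot returned a code other than 3
OTHER_SCANNER = re.compile(r"Scanner (\d+): Virus=")  # assumed layout of a second-scanner hit

def parse_log(text):
    """Group log entries by Q-ID as (timestamp, message) tuples in log order."""
    by_qid = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry date, time and Q-ID
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        by_qid.setdefault(m.group(2), []).append((ts, m.group(3)))
    return by_qid

def find_suspect_scans(text, min_gap_seconds=3):
    """Map Q-ID -> {"gap": seconds, "other_scanner_hit": bool} for scans to review."""
    # Flag a parse failure that arrived >= min_gap_seconds after the previous entry
    # for the same Q-ID, or one where another scanner reported a virus regardless.
    results = {}
    for qid, entries in parse_log(text).items():
        gap = None
        other_hit = False
        for i, (ts, msg) in enumerate(entries):
            if PARSE_FAIL in msg and i > 0:
                gap = (ts - entries[i - 1][0]).total_seconds()
            if OTHER_SCANNER.search(msg):
                other_hit = True
        if gap is None:
            continue  # F-Prot returned a recognised code; nothing to review
        if gap >= min_gap_seconds or other_hit:
            results[qid] = {"gap": gap, "other_scanner_hit": other_hit}
    return results
```

Run it over the real log with a lower threshold to see every parse failure, then raise the threshold to isolate the slow scans Matt describes.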
