You should be fine with a second scanner. That's why we use them
anyway. McAfee has caught every one of these that I have seen, and
I've looked at about 40 examples so far. Many would fail banned
extensions otherwise anyway.
While you apparently could add another virus code to Declude for these
situations (not yet verified), I'm worried that this is more of a
general error and it could cause false positives. A corrupted file
isn't what I would consider to be uncommon in legit E-mail, although
the primary issue is that we only have one sentence with which to
evaluate this exit code from F-Prot.
Most Declude users that use only F-Prot are probably experiencing
significant leakage of otherwise detectable viruses, and are also
probably creating extra backscatter for banned extensions where no
virus was detected.
Besides that there's the fact that F-Prot is taking so long. It
appears to also coincide with increased CPU utilization which might
explain Darrell's experience, and in a different respect, mine
yesterday with all of the F-Prot timeouts. This has been going on for
at least a month. I assume that the increased time corresponds to not
only keeping more Declude processes open, but also increased CPU
utilization. Such a condition is ripe for exploiting, and I'm
concerned that it has existed for so long without resolution, and maybe
even detection...
Matt
Nick wrote:
On 28 Apr 2005 at 16:44, Matt wrote:
Hi Matt,
I assume that this is probably resulting in an exit code of 9 or 10
then because I'm not using either at the moment, and you are the first
that I definitively know has them configured.
I do not use these codes either - I had 4 "Could not find parse
string Infection" in my logs today. The average delay was 4 seconds.
Is the answer to add the additional exit codes or is there a downside to
that?
-Nick
9 - At least one object was not scanned (encrypted file,
unsupported/unknown compression method, unsupported/unknown file
format, corrupted or invalid file).
10 - At least one archive object was not scanned (contains more
than N levels of nested archives, as specified with -archive
switch).
Since some of these are not zip files on my system, I am going to
assume that it is an exit code of 9 that is being spit out. A file
corruption might also explain the issues with F-Prot taking longer on
my system.
Anyway, I just started to not delete viruses so I should catch one of
these soon and then I can work at processing it manually to see what I
find.
Thanks for sharing. This was helpful.
Matt
Bill Landry wrote:
Matt, I searched 2 weeks of logs on both of my servers (both of
which run F-Prot and TrendMicro) and could only find 4 instances
of "Could not find parse string Infection", and they were found on
the server that is very heavily loaded. I use the following F-Prot
strings in my virus.cfg:
# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:
Here is a sample of what I find if I parse for 5 lines before and
after the target Q-ID:
04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b00004d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c00004f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
I didn't find a time gap in any of the "Could not find parse string
Infection" log entries I found.
Bill
----- Original Message -----
From: Matt
To: [email protected]
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot
Andrew,
If you are only using F-Prot, you should be able to find evidence of
at least the delays by searching for "Could not find parse string
Infection" and then checking for a gap above that point to where the
message began to be scanned.
If I'm correct about this, and it seems that I am, F-Prot has been
missing a fair number of viruses every day at least going back to
April 11th. Their new scan engine, 3.16b was released back on March
7th and this may be related, but I don't have logs going back past
April to confirm.
F-Prot users should all probably pay very close attention to this. I
haven't yet contacted F-Prot because I'm busy at this moment and this
was only just confirmed by someone else. I would have to say that
Scott would be quite useful in a situation like this because it
appeared that he had a line of contact with them (Scott, are you out
there?).
Matt
Colbeck, Andrew wrote:
The "could not parse" string occurs whenever F-Prot returns a
result that *isn't* equal to 3. Only return code 3 provides a
string in the result file that says "Infection: " followed by the
virus name.
I'd like to help you out with this Matt, but with only one
antivirus scanner, I don't see the evidence of a space gap.
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: [email protected]
Subject: Re: [Declude.Virus] High CPU F-Prot
On 28 Apr 2005 at 12:57, Matt wrote:
Matt -
If this becomes a real problem that you see and can monitor I
would revert back to an older scan.exe to eliminate the issue of
versions.
This is a possible clue:
" Could not find parse string Infection: in report.txt"
What does this mean?
Your virus.cfg needs a different setup parameter or report.txt
cannot be found?
-Nick
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
I'm virtually certain that this is what was happening yesterday,
but under heavier load, F-Prot was taking longer to scan the
messages than the 30 seconds that I allow it to. There are no
other long delays like this that I can find. F-Prot based on past
testing should detect a typical virus in 100 ms on my system, but
it is not only taking much more time to scan a very small file, it
is also missing the virus.
I suspect that this is happening on other systems, but the timeout
issue probably wasn't seen as often because I have my timeout set
to 30 seconds instead of 60 seconds, and I had very heavy load for
much of the day yesterday. If others are running two virus
scanners including F-Prot, it would help to confirm my findings by
searching for a hit on the second virus scanner hitting, but
F-Prot missing and also taking several seconds or more to return a
result.
If you search your logs for "Could not find parse string
Infection: in report.txt", it might help to narrow down the
results. I even tested with McAfee run first and then F-Prot and
these messages would still appear when F-Prot didn't detect
anything and McAfee did. Here's an example with McAfee run first,
detected a virus, and then F-Prot took its time, generated a
report.txt file but didn't return a virus result code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
--- 7 second gap while F-Prot scans ---
04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day
I'm guessing that F-Prot doesn't produce a Report.txt file unless
something happens besides it being found clean, and this file is
being generated after a long delay and contains no identifiable
infection string and the result code isn't 3, 6 or 8, otherwise
Declude would have considered it a virus. I'm guessing that the
report.txt file contains a report of an error???
I'm also guessing that this might explain the high CPU usage that
Darrell was reporting for F-Prot yesterday, though these events
are not very common on my system, only about twice an hour it
would seem.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.Virus". The archives can be found at
http://www.mail-archive.com.
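The log check Matt describes in the thread (search for "Could not find parse string Infection: in report.txt", look back to the "MIME file:" line where scanning of that message began to measure how long F-Prot took, and see whether a second scanner named a virus that F-Prot returned no Infection: string for) can be run mechanically over a Declude.Virus log. The script below is an added example written for this archive page; it is not code from Declude, F-Prot, or anyone on the list. The sample log it runs on is constructed in the format of the excerpts above (the queue IDs and the virus name W32/Sample.worm are placeholders), and the 3-second "slow" threshold is an arbitrary assumption chosen against Matt's 100 ms figure, not a Declude setting.

```python
"""Audit a Declude.Virus log for F-Prot runs that ended without an "Infection:"
string: how long F-Prot took, whether another scanner caught the file, and
whether Declude declared the message infected on an exit code alone.

Added example for this thread; not Declude or F-Prot code. Sample log is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# One Declude log line: timestamp, queue ID, message text.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus=(\S+)")
INFECTED_RE = re.compile(r"^File\(s\) are INFECTED \[(.*?): \d+\]")
PARSE_MISS = "Could not find parse string Infection: in report.txt"


@dataclass
class Message:
    qid: str
    started: Optional[datetime] = None        # first "MIME file:" line: scanning begins
    parse_miss: Optional[datetime] = None     # F-Prot report had no "Infection:" string
    scanner_hits: Dict[int, str] = field(default_factory=dict)  # scanner number -> name
    infected_as: Optional[str] = None         # name in "File(s) are INFECTED [name: n]"

    def gap_seconds(self) -> Optional[int]:
        """Seconds from scanning start to the parse-string miss (F-Prot's run time)."""
        if self.started is None or self.parse_miss is None:
            return None
        return int((self.parse_miss - self.started).total_seconds())


def parse_log(text: str) -> Dict[str, Message]:
    """Group log lines by queue ID and pull out the events the check needs."""
    msgs: Dict[str, Message] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # gap annotations, blank lines, anything that is not a log entry
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        qid, rest = m.group(2), m.group(3)
        msg = msgs.setdefault(qid, Message(qid))
        if rest.startswith("MIME file:"):
            if msg.started is None:
                msg.started = ts
        elif rest == PARSE_MISS:
            msg.parse_miss = ts
        else:
            s = SCANNER_RE.match(rest)
            if s:
                msg.scanner_hits[int(s.group(1))] = s.group(2)
            i = INFECTED_RE.match(rest)
            if i:
                msg.infected_as = i.group(1)
    return msgs


def findings(msg: Message, slow_threshold: int = 3) -> List[str]:
    """Tags for one message; empty unless F-Prot's report lacked an Infection: string."""
    out: List[str] = []
    if msg.parse_miss is None:
        return out
    if msg.scanner_hits:          # another scanner named a virus that F-Prot did not
        out.append("other_scanner_hit")
    if msg.infected_as == "":     # declared infected on exit code alone, no virus name
        out.append("exit_code_only")
    gap = msg.gap_seconds()
    if gap is not None and gap >= slow_threshold:   # assumed threshold, see lead-in
        out.append("slow_scan")
    return out


def audit(text: str, slow_threshold: int = 3) -> Dict[str, List[str]]:
    """Queue ID -> findings, for every message that produced a parse-string miss."""
    return {qid: findings(m, slow_threshold)
            for qid, m in parse_log(text).items() if m.parse_miss is not None}


# Constructed sample in the format of the thread's excerpts (placeholder IDs and virus name).
SAMPLE_LOG = """\
04/28/2005 05:49:04 Q0000000000000001 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 Q0000000000000001 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 Q0000000000000001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 Q0000000000000001 Scanner 2: Virus=W32/Sample.worm Attachment=document.scr [0] O
04/28/2005 05:49:11 Q0000000000000001 File(s) are INFECTED [W32/Sample.worm: 13]
04/28/2005 05:49:11 Q0000000000000001 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:12 Q0000000000000002 MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/28/2005 05:49:12 Q0000000000000002 Scanned: Virus Free [MIME: 1 2087]
04/28/2005 09:09:41 Q0000000000000003 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
04/28/2005 09:09:45 Q0000000000000003 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 Q0000000000000003 Scanner 2: Virus=W32/Sample.worm Attachment= [0] O
04/28/2005 09:09:46 Q0000000000000003 File(s) are INFECTED [W32/Sample.worm: 13]
04/28/2005 11:53:29 Q0000000000000004 MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/28/2005 11:53:29 Q0000000000000004 Could not find parse string Infection: in report.txt
04/28/2005 11:53:30 Q0000000000000004 File(s) are INFECTED [: 0]
04/28/2005 11:53:30 Q0000000000000004 Scanned: CONTAINS A VIRUS [MIME: 2 19522]
"""

if __name__ == "__main__":
    for qid, m in parse_log(SAMPLE_LOG).items():
        if m.parse_miss is not None:
            print(qid, "gap=%ss" % m.gap_seconds(), m.scanner_hits, findings(m))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. A message tagged other_scanner_hit is one F-Prot missed and the second scanner caught; one tagged exit_code_only is the Bill Landry case, where VIRUSCODE 9 or 10 made Declude declare the message infected with an empty virus name, so it is worth pulling the attachment to see whether it was really a virus or just a corrupted file; slow_scan entries are the candidates for the timeout problem. The gap is measured from the first "MIME file:" line because that is the earliest per-message line in these excerpts; if a log records an explicit scan-start line, use that instead.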