RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Colbeck, Andrew



Yes, during the entire interval I measured the CPU time was 98-100% for the fpcmd.exe process only.

On LOGLEVEL MED, there is a line that shows the errorlevel returned by the scanner, plus the error line indicating that the search string wasn't found in the resulting text file, e.g. this is what is returned on my v2.0.6 system when a "suspicious file" is returned:

04/27/2005 07:48:33 QA63CBF0600647AB8 Could not find parse string Infection: in report.txt
04/27/2005 07:48:33 QA63CBF0600647AB8 File(s) are INFECTED [: 8]
04/27/2005 07:48:33 QA63CBF0600647AB8 Scanned: CONTAINS A VIRUS [MIME: 3 23729]
04/27/2005 07:48:33 QA63CBF0600647AB8 From:munged To:munged [outgoing from 70.187.178.183]
04/27/2005 07:48:33 QA63CBF0600647AB8 Subject: Forum notify

The resulting virus name is [Unknown File] but adding such a line to my FORGINGVIRUS strings doesn't stop the notification email (but they only go to postmaster, so no big deal for me).

I don't know if it made it into the support database, but on testing Declude Virus, I immediately requested a feature enhancement to extend the virus matching string "REPORT" parallel with the "VIRUSCODE" lines for this reason.

Otherwise, Matt, I agree on both of your conclusions regarding how F-Prot falls short.

Andrew 8)

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 9:16 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

Ok, follow-up time. It appears that Declude is detecting this with VIRUSCODE 8 and I was just merely confused by the logs. I set things to Debug and found the following:
04/29/2005 00:06:48.652 QB2D6AB7001342A79 [6224] Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe -SILENT -NOBOOT -NOMEM -ARCHIVE=5 -PACKED -SERVER -DUMB -REPORT=report.txt F:\DB2D6A~1.VIR\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Scanning Time: 4812ms [kernel=78 user=4734]
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Virus scanner 1 reports exit code of 8
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] F:\DB2D6AB7001342A79.vir\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] F:\DB2D6AB7001342A79.vir\report.txt
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] report.txt len=722 rflen=35 cs=0
04/29/2005 00:06:53 QB2D6AB7001342A79 Could not find parse string Infection: in report.txt

So I would assume that on other log levels and with other scanners detecting the viruses, there just isn't a clear indication of the virus being found with F-Prot, but it is in fact being detected. Maybe Declude should change the logging to indicate the exit code in other log levels when it matches a VIRUSCODE value.

That leaves two real issues; 1) Time/CPU utilization with F-Prot, and 2) F-Prot continuing to report viruses with an exit code of 8.

Matt

Matt wrote:
Colbeck, Andrew wrote:

  F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of line with the scanning time on this file.

Your script no doubt shows that F-Prot returns an error level of 8 when run on this file, however there is one big issue here...I have declude now set for VIRUSCODE 8 and it isn't detecting it. I just tested this by sending it to myself and it still didn't detect it as a virus. Here's my config:
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

I used this same command line with your script, making obvious edits for the path and it returned an 8. I'm confused why either Declude isn't picking this up, or why F-Prot isn't somehow reporting it to Declude properly...

The time issue is also a big deal of course, but probably not as big as Declude with F-Prot missing it. Can anyone confirm with this sample file whether or not Declude with F-Prot and VIRUSCODE 8 is catching this?

  I did get a reply on my previous report to them (after 6 days); they brought my request to the attention of the developers, but then reminded me that any non-zero return code is "undesirable". The request was to re-classify Mitglieder from "suspicious" to "virus" so that I could get the correct return code and thus the correct handling in my Declude Virus.

I got what was probably the exact same response after a similar amount of time. The person that replied didn't understand the question or used something that was canned. I replied back again nevertheless. I haven't sent anything concerning this issue, although it seems related, but there also seems to be a different bug h

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Matt




Andrew,

I'm still up doing maintenance...

While you are correct about what happens with the error code when only
one virus scanner is used, when two are configured like on my system,
there is no indication that F-Prot detected a virus unless a REPORT
line is matched, which won't happen with a VIRUSCODE 8. In the samples
that I previously provided, the only affirmative indication that F-Prot
detected a virus is the line "Could not find parse string Infection:
in report.txt".
04/28/2005 17:40:57 Q58666795008E87C7 MIME file:
[text/html][7bit; Length=695 Checksum=54365]
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64;
Length=56432 Checksum=6987426]
--- 10 second gap while F-Prot scans ---
04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string
Infection: in report.txt
04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] I
04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS
[Prescan OK][MIME: 3 57490]
04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 192.168.100.100]
04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery
System]

Definitely there should be an allowance for multiple REPORT lines to
match, but also, it seems to make sense to provide a different
indicator showing that a virus was detected and the error code for each
scanner. Some scanners don't have parseable reports so when they are
run in a multiple scanner config the new logging mechanism would be the
only way to properly identify the result for that particular scanner.

Matt



Colbeck, Andrew wrote:

  
  
  
  Yes, during the entire interval I measured the
CPU time was 98-100% for the fpcmd.exe process only.
  
  On LOGLEVEL MED, there is a line that shows the
errorlevel returned by the scanner, plus the error line indicating that
the search string wasn't found in the resulting text file, e.g. this is
what is returned on my v2.0.6 system when a "suspicious file" is
returned:
  
  04/27/2005 07:48:33 QA63CBF0600647AB8 Could not
find parse string Infection: in report.txt
04/27/2005 07:48:33 QA63CBF0600647AB8 File(s) are INFECTED [:
8]
04/27/2005 07:48:33 QA63CBF0600647AB8 Scanned: CONTAINS A VIRUS [MIME:
3 23729]
04/27/2005 07:48:33 QA63CBF0600647AB8 From:munged To:munged [outgoing from
70.187.178.183]
04/27/2005 07:48:33 QA63CBF0600647AB8 Subject: Forum notify
  
  The resulting virus name is [Unknown File]
but adding such a line to my FORGINGVIRUS strings doesn't stop the
notification email (but they only go to postmaster, so no big deal for
me).
  
  I don't know if it made it into the support
database, but on testing Declude Virus, I immediately requested a
feature enhancement to extend the virus matching string "REPORT"
parallel with the "VIRUSCODE" lines for this reason.
  
  Otherwise, Matt, I agree on both of your
conclusions regarding how F-Prot falls short.
  
  Andrew 8)
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 9:16 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot missing viruses and is
slow (renamed)


Ok, follow-up time. It appears that Declude is detecting this with
VIRUSCODE 8 and I was just merely confused by the logs. I set things
to Debug and found the following:
04/29/2005 00:06:48.652 QB2D6AB7001342A79 [6224]
Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe -SILENT -NOBOOT
-NOMEM -ARCHIVE=5 -PACKED -SERVER -DUMB -REPORT=report.txt
F:\DB2D6A~1.VIR\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Scanning Time: 4812ms
[kernel=78 user=4734]
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Virus scanner 1
reports exit code of 8
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224]
F:\DB2D6AB7001342A79.vir\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224]
F:\DB2D6AB7001342A79.vir\report.txt
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] report.txt len=722
rflen=35 cs=0
04/29/2005 00:06:53 QB2D6AB7001342A79 Could not find parse string
Infection: in report.txt

So I would assume that on other log levels and with other scanners
detecting the viruses, there just isn't a clear indication of the virus
being found with F-Prot, but it is in fact being detected. Maybe
Declude should change the logging to indicate the exit code in other
log levels when it matches a VIRUSCODE value.

That leaves two real issues; 1) Time/CPU utilization with F-Prot, and
2) F-Prot continuing to report viruses with an exit code of 8.

Matt



Matt wrote:
Colbeck,
Andrew wrote:
  
F-Prot is indeed returning an errorlevel of 8 on
this, and it's definitely way out of line with the scanning time on
this file.
  
Your script no doubt shows that F-Prot returns an error level of 8 when
ru

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Colbeck, Andrew



Ding!

... and that's why we've spent so much time on this.

The log will show that F-Prot returned an errorlevel, and also the status line that the message contains an infected file.

However, when there is more than one scanner, the status line that the message contains an infected file is only logged after both scanners have run?

So, Matt, would you agree that what you would want Declude Virus to do is:

* Log a status line if the message is infected for each scanner (trivial change?)
* Also, let us match, per scanner, multiple errorlevel codes to specific text matches (would this benefit F-Prot users only?)
* Also, give us a directive like SKIPIFVIRAL to short-circuit out of the next scanner if a virus is found.

Given the SKIPIFVIRAL directive, we'd have to consider whether a SKIPIFVULN to short-circuit out of any scanning if a vulnerability has been found. Given the other two SKIPs, is a SKIPBAN useful? I just realized that I'm not sure what happens when you ban a file, like an .EXE that is also viral.

Andrew 8)

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, April 29, 2005 12:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

Andrew,

I'm still up doing maintenance...

While you are correct about what happens with the error code when only one virus scanner is used, when two are configured like on my system, there is no indication that F-Prot detected a virus unless a REPORT line is matched, which won't happen with a VIRUSCODE 8. In the samples that I previously provided, the only affirmative indication that F-Prot detected a virus is the line "Could not find parse string Infection: in report.txt".
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: [text/html][7bit; Length=695 Checksum=54365]
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 Checksum=6987426]
--- 10 second gap while F-Prot scans ---
04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string Infection: in report.txt
04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] I
04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 57490]
04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery System]

Definitely there should be an allowance for multiple REPORT lines to match, but also, it seems to make sense to provide a different indicator showing that a virus was detected and the error code for each scanner. Some scanners don't have parseable reports so when they are run in a multiple scanner config the new logging mechanism would be the only way to properly identify the result for that particular scanner.

Matt

Colbeck, Andrew wrote:

  Yes, during the entire interval I measured the CPU time was 98-100% for the fpcmd.exe process only.

  On LOGLEVEL MED, there is a line that shows the errorlevel returned by the scanner, plus the error line indicating that the search string wasn't found in the resulting text file, e.g. this is what is returned on my v2.0.6 system when a "suspicious file" is returned:

  04/27/2005 07:48:33 QA63CBF0600647AB8 Could not find parse string Infection: in report.txt
  04/27/2005 07:48:33 QA63CBF0600647AB8 File(s) are INFECTED [: 8]
  04/27/2005 07:48:33 QA63CBF0600647AB8 Scanned: CONTAINS A VIRUS [MIME: 3 23729]
  04/27/2005 07:48:33 QA63CBF0600647AB8 From:munged To:munged [outgoing from 70.187.178.183]
  04/27/2005 07:48:33 QA63CBF0600647AB8 Subject: Forum notify

  The resulting virus name is [Unknown File] but adding such a line to my FORGINGVIRUS strings doesn't stop the notification email (but they only go to postmaster, so no big deal for me).

  I don't know if it made it into the support database, but on testing Declude Virus, I immediately requested a feature enhancement to extend the virus matching string "REPORT" parallel with the "VIRUSCODE" lines for this reason.

  Otherwise, Matt, I agree on both of your conclusions regarding how F-Prot falls short.

  Andrew 8)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 9:16 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

  Ok, follow-up time. It appears that Declude is detecting this with VIRUSCODE 8 and I was just merely confused by t

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Matt
, like an .EXE that is also viral.
  
  Andrew 8)
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, April 29, 2005 12:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot missing viruses and is
slow (renamed)


Andrew,

I'm still up doing maintenance...

While you are correct about what happens with the error code when only
one virus scanner is used, when two are configured like on my system,
there is no indication that F-Prot detected a virus unless a REPORT
line is matched, which won't happen with a VIRUSCODE 8. In the samples
that I previously provided, the only affirmative indication that F-Prot
detected a virus is the line "Could not find parse string Infection:
in report.txt".
04/28/2005 17:40:57 Q58666795008E87C7 MIME file:
[text/html][7bit; Length=695 Checksum=54365]
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64;
Length=56432 Checksum=6987426]
--- 10 second gap while F-Prot scans ---
04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string
Infection: in report.txt
04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] I
04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS
[Prescan OK][MIME: 3 57490]
04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[incoming from 192.168.100.100]
04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery
System]

Definitely there should be an allowance for multiple REPORT lines to
match, but also, it seems to make sense to provide a different
indicator showing that a virus was detected and the error code for each
scanner. Some scanners don't have parseable reports so when they are
run in a multiple scanner config the new logging mechanism would be the
only way to properly identify the result for that particular scanner.

Matt



Colbeck, Andrew wrote:

  
  Yes, during the entire interval I measured the
CPU time was 98-100% for the fpcmd.exe process only.
  
  On LOGLEVEL MED, there is a line that shows the
errorlevel returned by the scanner, plus the error line indicating that
the search string wasn't found in the resulting text file, e.g. this is
what is returned on my v2.0.6 system when a "suspicious file" is
returned:
  
  04/27/2005 07:48:33 QA63CBF0600647AB8 Could not
find parse string Infection: in report.txt
04/27/2005 07:48:33 QA63CBF0600647AB8 File(s) are INFECTED [:
8]
04/27/2005 07:48:33 QA63CBF0600647AB8 Scanned: CONTAINS A VIRUS [MIME:
3 23729]
04/27/2005 07:48:33 QA63CBF0600647AB8 From:munged To:munged [outgoing from
70.187.178.183]
04/27/2005 07:48:33 QA63CBF0600647AB8 Subject: Forum notify
  
  The resulting virus name is [Unknown File]
but adding such a line to my FORGINGVIRUS strings doesn't stop the
notification email (but they only go to postmaster, so no big deal for
me).
  
  I don't know if it made it into the support
database, but on testing Declude Virus, I immediately requested a
feature enhancement to extend the virus matching string "REPORT"
parallel with the "VIRUSCODE" lines for this reason.
  
  Otherwise, Matt, I agree on both of your
conclusions regarding how F-Prot falls short.
  
  Andrew 8)
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Thursday, April 28, 2005 9:16 PM
To: Declude.Virus@declude.com
    Subject: Re: [Declude.Virus] F-Prot missing viruses and
is slow (renamed)


Ok, follow-up time. It appears that Declude is detecting this with
VIRUSCODE 8 and I was just merely confused by the logs. I set things
to Debug and found the following:
04/29/2005 00:06:48.652 QB2D6AB7001342A79
[6224] Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe -SILENT
-NOBOOT -NOMEM -ARCHIVE=5 -PACKED -SERVER -DUMB -REPORT=report.txt
F:\DB2D6A~1.VIR\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Scanning Time: 4812ms
[kernel=78 user=4734]
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Virus scanner 1
reports exit code of 8
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224]
F:\DB2D6AB7001342A79.vir\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224]
F:\DB2D6AB7001342A79.vir\report.txt
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] report.txt len=722
rflen=35 cs=0
04/29/2005 00:06:53 QB2D6AB7001342A79 Could not find parse string
Infection: in report.txt

So I would assume that on other log levels and with other scanners
detecting the viruses, there just isn't a clear indication of the virus
being found with F-Prot, but it is in fact being detected. Maybe
Declude should change the logging to indicate the exit code in other
log levels when it matches a VIRUSCODE val

[Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt




Ok, I've captured one of these files and confirmed from a manual scan
that it is still taking an excessive amount of time...but wait, there's
more. The report.txt file that it creates shows that it detected
Mytob, but every test where I send this to myself in E-mail results in
no virus detected by F-Prot using VIRUSCODE 3, 6, 8, 9 or 10. I
haven't gone as far as coding something up that can capture the exit
code from the command line yet, but I would be curious what if any was
returned.

Here's what Declude Virus shows for this file when I send it to myself:
04/28/2005 17:40:57 Q58666795008E87C7 MIME file:
[text/html][7bit; Length=695 Checksum=54365]
  04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip
[base64; Length=56432 Checksum=6987426]
  --- 10 second gap while F-Prot scans ---
  04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse
string Infection: in report.txt
  04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] I
  04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED
[the W32/[EMAIL PROTECTED]: 13]
  04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A
VIRUS [Prescan OK][MIME: 3 57490]
  04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
  04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail
Delivery System]

Here's a link to the virus for those that might want to test it out for
themselves. Turn off your real-time virus scanner, right click the
file and press save as, and rename it as doc.zip (it's not really a
text file).
http://administration.mailpure.com/virus/doc.txt

Here's the command line for F-Prot that I was using with the file
located in C:\test\doc.zip:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT
/NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt
C:\test\doc.zip

Here's the output from the report.txt file when manually scanned:
Virus scanning report - 28 April 2005 @ 17:45
  
F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6
  
VIRUS SIGNATURE FILES
SIGN.DEF created 28 April 2005
SIGN2.DEF created 28 April 2005
MACRO.DEF created 20 April 2005
  
Search: C:\test\doc.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=C:\test\report.txt /SILENT
/NOBOOT /NOMEM
Memory was not scanned.
Hard disk boot sectors were not scanned.
  
C:\test\doc.zip-doc.scr-(Packed) is a security risk named
W32/[EMAIL PROTECTED]
  
Results of virus scanning:
  
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0
  
Time: 0:10

So it takes 10 seconds, finds a "security risk named W32/[EMAIL PROTECTED]"
and says it is "Suspicious", but I have Declude configured to treat an
exit code of 8 as a virus currently, and that's what Suspicious files
are supposedly marked as. I don't know if there is a different code
being returned, or if F-Prot is just bugging out and not returning a
code. Maybe some of you can clear that part up.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
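As an added illustration (not Declude's or F-Prot's own code), the following Python models how a gateway turns each scanner's exit code and report.txt into a verdict: it reproduces the "[Unknown File]" outcome from Matt's VIRUSCODE/REPORT config above, then shows the per-scanner REPORT strings, per-scanner status line and SKIPIFVIRAL short-circuit that the thread asks Declude for. The second scanner's command, exit code and report wording, the detection name "W32/Sample.A@mm", and the verdict model itself are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed virus.cfg fragment: Matt's scanner 1 directives plus a second
# scanner whose command, exit code 13 and report string are made up here.
CFG_ORIGINAL = "\n".join([
    r"SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=report.txt",
    "VIRUSCODE1 3",
    "VIRUSCODE1 6",
    "VIRUSCODE1 8",
    "REPORT1  Infection:",
    r"SCANFILE2 C:\scanner2\scan.exe /REPORT=report.txt",
    "VIRUSCODE2 13",
    "REPORT2  Found:",
])
# Andrew's request: a second REPORTn line for the same scanner, so F-Prot's
# "security risk" wording is matched too (not a documented Declude directive).
CFG_EXTENDED = CFG_ORIGINAL + "\nREPORT1  is a security risk named"

# Constructed report excerpts.  The F-Prot one copies the shape of the line in
# Matt's report.txt; the detection name is a made-up placeholder.
FPROT_REPORT = "\n".join([
    r"C:\test\doc.zip-doc.scr-(Packed) is a security risk named W32/Sample.A@mm",
    "Infected: 0",
    "Suspicious: 1",
])
SCANNER2_REPORT = "doc.zip Found: W32/Sample.A@mm"

@dataclass
class Scanner:
    index: int
    command: str = ""
    viruscodes: set = field(default_factory=set)
    report_strings: list = field(default_factory=list)

@dataclass
class Verdict:
    scanner: int
    exit_code: int
    infected: bool
    name: str
    parse_failed: bool

DIRECTIVE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d+)\s+(.*?)\s*$")

def parse_config(text):
    """Group SCANFILEn / VIRUSCODEn / REPORTn lines by scanner number n."""
    scanners = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, idx, value = m.group(1), int(m.group(2)), m.group(3)
        s = scanners.setdefault(idx, Scanner(idx))
        if key == "SCANFILE":
            s.command = value
        elif key == "VIRUSCODE":
            s.viruscodes.add(int(value))
        else:
            s.report_strings.append(value)
    return [scanners[i] for i in sorted(scanners)]

def judge(scanner, exit_code, report_text):
    """Exit code alone decides infected-or-not (as Matt's Debug log shows); the
    REPORT strings only supply the name.  With no match Declude logs "Could not
    find parse string ... in report.txt" and uses "[Unknown File]"."""
    if exit_code not in scanner.viruscodes:
        return Verdict(scanner.index, exit_code, False, "", False)
    for needle in scanner.report_strings:          # first matching string wins
        for line in report_text.splitlines():
            pos = line.find(needle)
            if pos != -1:
                name = line[pos + len(needle):].strip()
                return Verdict(scanner.index, exit_code, True, name, False)
    return Verdict(scanner.index, exit_code, True, "[Unknown File]", True)

def scan_message(scanners, results, skip_if_viral=False):
    """results maps scanner number -> (exit code, report text).  skip_if_viral
    models Andrew's proposed SKIPIFVIRAL: stop after the first infected verdict."""
    verdicts = []
    for s in scanners:
        code, report = results[s.index]
        v = judge(s, code, report)
        verdicts.append(v)
        if skip_if_viral and v.infected:
            break
    return verdicts

def status_lines(verdicts):
    """One affirmative line per scanner, so a VIRUSCODE-only detection is
    visible in the log even when no REPORT string matched."""
    out = []
    for v in verdicts:
        if not v.infected:
            out.append(f"Scanner {v.scanner}: exit code {v.exit_code}, clean")
            continue
        note = " (report string not found)" if v.parse_failed else ""
        out.append(f"Scanner {v.scanner}: exit code {v.exit_code} matches VIRUSCODE, Virus={v.name}{note}")
    return out
```

Running `status_lines(scan_message(parse_config(cfg), {1: (8, FPROT_REPORT), 2: (13, SCANNER2_REPORT)}))` with CFG_ORIGINAL marks scanner 1 infected but names it "[Unknown File]"; with CFG_EXTENDED the same exit code yields the detection name from the "security risk" line.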




RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Colbeck, Andrew



I downloaded and manually scanned the file with F-Prot and McAfee multiple times.

Desktop, WXP SP2, P4, 2.8 GHz
F-Prot - 5 seconds
McAfee - 0.4 seconds

Server, W2K SP4, P3, 866 Hz
F-Prot - 10.1 seconds
McAfee - 1.21 seconds

F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of line with the scanning time on this file.

I'm enclosing the batch file I use to manually scan (and not clean) files. I monkeyed with all of the documented options and could not reduce the F-Prot scanning time. On the bright side, reviewing the parameters revealed that if you're not mindful and specify both the /type and /dumb options, the last one in the line wins (oops, I did that in my virus.cfg). Also, I learned that /packed is always on.

I'm going to check for a similar malware detection, and submit it to F-Prot as a bug.

I did get a reply on my previous report to them (after 6 days); they brought my request to the attention of the developers, but then reminded me that any non-zero return code is "undesirable". The request was to re-classify Mitglieder from "suspicious" to "virus" so that I could get the correct return code and thus the correct handling in my Declude Virus.

Andrew 8)

p.s. I use the TimeThis.exe command line utility from Microsoft to get sub-second intervals in batch files.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 3:13 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

Ok, I've captured one of these files and confirmed from a manual scan that it is still taking an excessive amount of time...but wait, there's more. The report.txt file that it creates shows that it detected Mytob, but every test where I send this to myself in E-mail results in no virus detected by F-Prot using VIRUSCODE 3, 6, 8, 9 or 10. I haven't gone as far as coding something up that can capture the exit code from the command line yet, but I would be curious what if any was returned.

Here's what Declude Virus shows for this file when I send it to myself:
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: [text/html][7bit; Length=695 Checksum=54365]
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 Checksum=6987426]
--- 10 second gap while F-Prot scans ---
04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string Infection: in report.txt
04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] I
04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 57490]
04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery System]

Here's a link to the virus for those that might want to test it out for themselves. Turn off your real-time virus scanner, right click the file and press save as, and rename it as doc.zip (it's not really a text file).
http://administration.mailpure.com/virus/doc.txt

Here's the command line for F-Prot that I was using with the file located in C:\test\doc.zip:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt C:\test\doc.zip

Here's the output from the report.txt file when manually scanned:
Virus scanning report - 28 April 2005 @ 17:45

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 28 April 2005
SIGN2.DEF created 28 April 2005
MACRO.DEF created 20 April 2005

Search: C:\test\doc.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=C:\test\report.txt /SILENT /NOBOOT /NOMEM
Memory was not scanned.
Hard disk boot sectors were not scanned.

C:\test\doc.zip-doc.scr-(Packed) is a security risk named W32/[EMAIL PROTECTED]

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:10

So it takes 10 seconds, finds a "security risk named W32/[EMAIL PROTECTED]" and says it is "Suspicious", but I have Declude configured to treat an exit code of 8 as a virus currently, and that's what Suspicious files are supposedly marked as. I don't know if there is a different code being returned, or if F-Prot is just bugging out and not returning a code. Maybe some of you can clear that part up.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Darrell \([EMAIL PROTECTED])



Andrew,

During your test what did the CPU look like, was it a solid 100%? I have not run the test, but on my mail server when I was seeing the issue live it was 100%.

Darrell
---
DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus. Try it out - http://www.invariantsystems.com

- Original Message -
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Thursday, April 28, 2005 8:18 PM
Subject: RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)
  
  I downloaded and manually scanned the file with F-Prot and McAfee multiple times.

  Desktop, WXP SP2, P4, 2.8 GHz
  F-Prot - 5 seconds
  McAfee - 0.4 seconds

  Server, W2K SP4, P3, 866 Hz
  F-Prot - 10.1 seconds
  McAfee - 1.21 seconds

  F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of line with the scanning time on this file.

  I'm enclosing the batch file I use to manually scan (and not clean) files. I monkeyed with all of the documented options and could not reduce the F-Prot scanning time. On the bright side, reviewing the parameters revealed that if you're not mindful and specify both the /type and /dumb options, the last one in the line wins (oops, I did that in my virus.cfg). Also, I learned that /packed is always on.

  I'm going to check for a similar malware detection, and submit it to F-Prot as a bug.

  I did get a reply on my previous report to them (after 6 days); they brought my request to the attention of the developers, but then reminded me that any non-zero return code is "undesirable". The request was to re-classify Mitglieder from "suspicious" to "virus" so that I could get the correct return code and thus the correct handling in my Declude Virus.

  Andrew 8)

  p.s. I use the TimeThis.exe command line utility from Microsoft to get sub-second intervals in batch files.
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 3:13 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

  Ok, I've captured one of these files and confirmed from a manual scan that it is still taking an excessive amount of time...but wait, there's more. The report.txt file that it creates shows that it detected Mytob, but every test where I send this to myself in E-mail results in no virus detected by F-Prot using VIRUSCODE 3, 6, 8, 9 or 10. I haven't gone as far as coding something up that can capture the exit code from the command line yet, but I would be curious what if any was returned.

  Here's what Declude Virus shows for this file when I send it to myself:
  04/28/2005 17:40:57 Q58666795008E87C7 MIME file: [text/html][7bit; Length=695 Checksum=54365]
  04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 Checksum=6987426]
  --- 10 second gap while F-Prot scans ---
  04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string Infection: in report.txt
  04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] I
  04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
  04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 57490]
  04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
  04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery System]

  Here's a link to the virus for those that might want to test it out for themselves. Turn off your real-time virus scanner, right click the file and press save as, and rename it as doc.zip (it's not really a text file).
  http://administration.mailpure.com/virus/doc.txt

  Here's the command line for F-Prot that I was using with the file located in C:\test\doc.zip:
  C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt C:\test\doc.zip

  Here's the output from the report.txt file when manually scanned:
  Virus scanning report - 28 April 2005 @ 17:45

  F-PROT ANTIVIRUS
  Program version: 3.16b
  Engine version: 3.16.6

  VIRUS SIGNATURE FILES
  SIGN.DEF created 28 April 2005
  SIGN2.DEF created 28 April 2005
  MACRO.DEF created 20 April 2005

  Search: C:\test\doc.zip
  Action: Report only
  Files: "Dumb" scan of all files
  Switches: /ARCHIVE /PACKED /SERVER /REPORT=C:\test\report.txt /SILENT /NOBOOT /NOMEM
  Memory was not scanned.
  Hard disk boot sectors were not scanned.

  C:\test\doc.zip-doc.scr-(Packed) is a security risk named W32/[EMAIL PROTECTED]

  Results of virus scanni

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt




Colbeck, Andrew wrote:

  F-Prot is indeed returning an errorlevel of 8 on
this, and it's definitely way out of line with the scanning time on
this file.

Your script no doubt shows that F-Prot returns an error level of 8 when
run on this file; however, there is one big issue here... I have Declude
now set for VIRUSCODE 8 and it isn't detecting it. I just tested this
by sending it to myself and it still didn't detect it as a virus.
Here's my config:
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE
/SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection: 

I used this same command line with your script, making obvious edits
for the path and it returned an 8. I'm confused why either Declude
isn't picking this up, or why F-Prot isn't somehow reporting it to
Declude properly...

The time issue is also a big deal of course, but probably not as big as
Declude with F-Prot missing it. Can anyone confirm with this sample
file whether or not Declude with F-Prot and VIRUSCODE 8 is catching
this?

  I did get a reply on my previous report to them
(after 6 days); they brought my request to the attention of the
developers, but then reminded me that any non-zero return code is
"undesirable". The request was to re-classify Mitglieder from
"suspicious" to "virus" so that I could get the correct return code and
thus the correct handling in my Declude Virus.

I got what was probably the exact same response after a similar amount
of time. The person that replied didn't understand the question or
used something that was canned. I replied back again nevertheless. I
haven't sent anything concerning this issue, although it seems related,
but there also seems to be a different bug here with at least F-Prot
but possibly also Declude.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt




When running Andrew's script, I confirmed that fpcmd.exe hit about 35%
during the ~10 seconds that it was running, which is totally
uncharacteristic. I have dual 3.06 Xeons which have hyperthreading
turned on (shows up as 4 processors in Windows).

Matt



Darrell ([EMAIL PROTECTED]) wrote:

  
  
  
  
  Andrew,
  
  During your test, what did the CPU
look like? Was it a solid 100%? I have not run the test, but on my mail
server when I was seeing the issue live it was 100%.
  
  Darrell
  ---
DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus.
Try it out - http://www.invariantsystems.com
  
  - Original Message -
  From: Colbeck, Andrew
  To: Declude.Virus@declude.com
  Sent: Thursday, April 28, 2005 8:18 PM
  Subject: RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)


I downloaded and manually scanned the file with
F-Prot and McAfee multiple times.

Desktop, WXP SP2, P4, 2.8 GHz
F-Prot - 5 seconds
McAfee - 0.4 seconds


Server, W2K SP4, P3, 866 Hz
F-Prot - 10.1 seconds
McAfee - 1.21 seconds


F-Prot is indeed returning an errorlevel of 8 on
this, and it's definitely way out of line with the scanning time on
this file.

I'm enclosing the batch file I use to manually
scan (and not clean) files. I monkeyed with all of the documented
options and could not reduce the F-Prot scanning time. On the bright
side, reviewing the parameters revealed that if you're not mindful and
specify both the /type and /dumb options, the last one in the line wins
(oops, I did that in my virus.cfg). Also, I learned that /packed is
always on.

I'm going to check for a similar malware
detection, and submit it to F-Prot as a bug.

I did get a reply on my previous report to them
(after 6 days); they brought my request to the attention of the
developers, but then reminded me that any non-zero return code is
"undesirable". The request was to re-classify Mitglieder from
"suspicious" to "virus" so that I could get the correct return code and
thus the correct handling in my Declude Virus.

Andrew 8)

p.s. I use the TimeThis.exe command line utility
from Microsoft to get sub-second intervals in batch files.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 3:13 PM
To: Declude.Virus@declude.com
    Subject: [Declude.Virus] F-Prot missing viruses and is slow
(renamed)


Ok, I've captured
one of these files and confirmed from a manual scan that it is still
taking an excessive amount of time...but wait, there's more. The
report.txt file that it creates shows that it detected Mytob, but every
test where I send this to myself in E-mail results in no virus detected
by F-Prot using VIRUSCODE 3, 6, 8, 9 or 10. I haven't gone as far as
coding something up that can capture the exit code from the command
line yet, but I would be curious what if any was returned.
  
Here's what Declude Virus shows for this file when I send it to myself:
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: [text/html][7bit; Length=695 Checksum=54365]
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 Checksum=6987426]
--- 10 second gap while F-Prot scans ---
04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string Infection: in report.txt
04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] I
04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 57490]
04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery System]
  
Here's a link to the virus for those that might want to test it out for
themselves. Turn off your real-time virus scanner, right click the
file and press save as, and rename it as doc.zip (it's not really a
text file).
  http://administration.mailpure.com/virus/doc.txt
  
Here's the command line for F-Prot that I was using with the file
located in C:\test\doc.zip:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt C:\test\doc.zip
  
Here's the output from the report.txt file when manually scanned:
  Virus scanning report - 28 April 2005 @ 17:45

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 28 April 2005
SIGN2.DEF created 28 April 2005
MACRO.DEF created 20 April 2005

Search: C:\test\doc.zip
Action: Report only
Files: "Dumb" scan of all 

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt




Ok, follow-up time. It appears that Declude is detecting this with
VIRUSCODE 8 and I was just merely confused by the logs. I set things
to Debug and found the following:
04/29/2005 00:06:48.652 QB2D6AB7001342A79 [6224] Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe -SILENT -NOBOOT -NOMEM -ARCHIVE=5 -PACKED -SERVER -DUMB -REPORT=report.txt F:\DB2D6A~1.VIR\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Scanning Time: 4812ms [kernel=78 user=4734]
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] Virus scanner 1 reports exit code of 8
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] F:\DB2D6AB7001342A79.vir\
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] F:\DB2D6AB7001342A79.vir\report.txt
04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] report.txt len=722 rflen=35 cs=0
04/29/2005 00:06:53 QB2D6AB7001342A79 Could not find parse string Infection: in report.txt

So I would assume that on other log levels and with other scanners
detecting the viruses, there just isn't a clear indication of the virus
being found with F-Prot, but it is in fact being detected. Maybe
Declude should change the logging to indicate the exit code in other
log levels when it matches a VIRUSCODE value.

That leaves two real issues: 1) time/CPU utilization with F-Prot, and
2) F-Prot continuing to report viruses with an exit code of 8.

Matt



Matt wrote:

  
Colbeck, Andrew wrote:
  
F-Prot is indeed returning an errorlevel of 8 on
this, and it's definitely way out of line with the scanning time on
this file.
  
Your script no doubt shows that F-Prot returns an error level of 8 when
run on this file; however, there is one big issue here... I have Declude
now set for VIRUSCODE 8 and it isn't detecting it. I just tested this
by sending it to myself and it still didn't detect it as a virus.
Here's my config:
  SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe
/TYPE
/SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection: 
  
I used this same command line with your script, making obvious edits
for the path and it returned an 8. I'm confused why either Declude
isn't picking this up, or why F-Prot isn't somehow reporting it to
Declude properly...
  
The time issue is also a big deal of course, but probably not as big as
Declude with F-Prot missing it. Can anyone confirm with this sample
file whether or not Declude with F-Prot and VIRUSCODE 8 is catching
this?
  
I did get a reply on my previous report to them
(after 6 days); they brought my request to the attention of the
developers, but then reminded me that any non-zero return code is
"undesirable". The request was to re-classify Mitglieder from
"suspicious" to "virus" so that I could get the correct return code and
thus the correct handling in my Declude Virus.
  
I got what was probably the exact same response after a similar amount
of time. The person that replied didn't understand the question or
used something that was canned. I replied back again nevertheless. I
haven't sent anything concerning this issue, although it seems related,
but there also seems to be a different bug here with at least F-Prot
but possibly also Declude.
  
Matt
  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
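The Debug log above shows the two separate mechanisms at work: the scanner's exit code (8) is matched against the VIRUSCODE list and flags the message, while the REPORT string "Infection:" is searched in report.txt only to extract a name, and fails because F-Prot phrased this finding as "is a security risk named ...". The following Python is an added example (not Declude's, F-Prot's or Andrew's batch file) that models that verdict logic so the two paths can be tested side by side. The decision rules, the fallback name "[unparsed]", the extra "is a security risk named" pattern, and the sample report text (address replaced by a constructed placeholder) are all assumptions, not Declude's implementation.

```python
"""Model of a Declude-style scanner verdict: exit code vs. report-file parsing.

Added example, not Declude's or F-Prot's own code. The rules below are an
assumption drawn from the thread's logs (VIRUSCODE list, REPORT string, the
"Could not find parse string" message); the real Declude logic may differ.
"""
import subprocess
import sys
import time

# Constructed report.txt text in the shape F-Prot 3.16 wrote for the sample in
# the thread. The detection name is a placeholder (the thread's name was munged).
# Note the wording: "security risk named", not "Infection:".
SAMPLE_REPORT = """Virus scanning report - 28 April 2005 @ 17:45

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

Search: C:\\test\\doc.zip
Action: Report only
C:\\test\\doc.zip-doc.scr-(Packed) is a security risk named W32/Mytob.sample
"""

# "Infection:" is the REPORT1 string from the thread's virus.cfg; the second
# pattern is an assumed extra that covers F-Prot's exit-code-8 wording.
DEFAULT_PATTERNS = ("Infection:", "is a security risk named")

# Assumed placeholder when no REPORT pattern matches.
UNPARSED_NAME = "[unparsed]"


def run_scanner(argv, timeout=120):
    """Run a command-line scanner; return (exit_code, elapsed_ms).

    This is what a batch file capturing ERRORLEVEL under TimeThis.exe records.
    """
    start = time.perf_counter()
    proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    return proc.returncode, int((time.perf_counter() - start) * 1000)


def scan_with_stub(exit_code=8):
    """Stand-in for fpcmd.exe: a Python one-liner that exits with `exit_code`."""
    return run_scanner([sys.executable, "-c", f"import sys; sys.exit({exit_code})"])


def parse_virus_name(report_text, pattern):
    """Return the text following `pattern` on the first line containing it, else None."""
    for line in report_text.splitlines():
        idx = line.find(pattern)
        if idx != -1:
            return line[idx + len(pattern):].strip() or None
    return None


def evaluate(exit_code, report_text, viruscodes, patterns=DEFAULT_PATTERNS):
    """Combine exit code and report parsing into a verdict dict.

    infected   : exit code is in the configured VIRUSCODE set (this is the path
                 the 00:06:53 Debug log shows firing for code 8).
    virus_name : parsed from the first matching pattern, else UNPARSED_NAME.
    log        : one "Could not find parse string" line per pattern that missed.
    """
    log = []
    name = None
    for pat in patterns:
        name = parse_virus_name(report_text, pat)
        if name:
            break
        log.append(f"Could not find parse string {pat} in report.txt")
    return {
        "infected": exit_code in viruscodes,
        "exit_code": exit_code,
        "virus_name": name or UNPARSED_NAME,
        "log": log,
    }


if __name__ == "__main__":
    code, ms = scan_with_stub(8)
    print(f"stub scanner exit code {code} in {ms}ms")
    # With only the thread's REPORT1 string: flagged, but the name is not parsed.
    print(evaluate(code, SAMPLE_REPORT, {3, 6, 8}, ("Infection:",)))
    # With the extra pattern: flagged and the name is recovered.
    print(evaluate(code, SAMPLE_REPORT, {3, 6, 8}))
```

Run with the configured VIRUSCODE set {3, 6, 8} and the single "Infection:" pattern, the sample is still reported as infected on exit code alone, with the "Could not find parse string" line in the log and no name; adding the second pattern recovers the name without changing the verdict, which is the behaviour the Debug log describes.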