Title: Message
I'm running 3.16b, the most current version, and today's most recent definitions.

I don't believe those errors are related.  What you pointed out is just the heavy load multiple processing bug, and it would seemingly scan for viruses properly on the first pass.  All of my errors occurred during heavy load as far as I can tell.  For some reason I've been getting slammed harder and harder over the last two weeks.  I still have some domains that aren't being validated and the dictionary attacks on them are getting worse it seems.  It's very odd and quite bursty, but I digress.

I'm thinking that this is an F-Prot issue.  While they always occur during heavy load, they also all occurred on files that McAfee detected as a virus.  I would think that if it was completely load related or caused by something else, McAfee wouldn't be even close to 9 for 9 in detecting these as viruses.  The dependency on heavy load however suggests something else since there is also a 9 for 9 dependency there.  I should probably mention that I am testing a fix for the multiple-processing issue, so this might be unique to just my system.  This is also the first time that I upgraded from 1.82, so I am watching my logs carefully.  Everything else seems hunky-dory.  If it's F-Prot that is causing the issue, I would imagine that it should disappear soon.  I would expect that others would also see some of the same.

Matt



Colbeck, Andrew wrote:
Hmm, it won't help any directly, but I can tell you that I've had zero instances of this timeout error so far this month.
 
For what it's worth, the only errors in my vir04??.log file are all about double-scanning by Declude (for a message with a single addressee).  I see timestamps with the Declude JunkMail entries, then the Virus entries (clean), then the same lines in Declude again (but 35 seconds later) and then the Virus entry indicates
 
4/26/2005 09:40:26 Q6C323086024ED01A Error opening mime file D:\IMAIL\SPOOL\D6C323086024ED01A.SMD
4/26/2005 09:40:26 Q6C323086024ED01A Scanned: Error starting scanner
 
This has happened 10 times in 140,000 unique* messages.  Each of those ten times was during the server's peak period.
 
Andrew 8)
 
I measured unique messages, not recipients, i.e.
 
for %i in (vir04??.log) do @gawk "{print $3}" %i | usort | uniq | wc -l
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 27, 2005 3:58 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

I did some monitoring and fpcmd.exe isn't normally causing excessive load and it's completely updated.  On the other hand, I have seen now 9 different timeouts for F-Prot on my system today, and every timeout for F-Prot was for a message that McAfee detected as a virus.  There are two possibilities here that I can think of.  The most obvious would be that this variant of Mytob is causing issues with F-Prot, possibly targeting a bug in the app that we don't know about.  The second issue might be related to the fact that I upgraded last night from 1.82 and so I can't rule that out, but I'm leaning heavily towards F-Prot having issues.  Looks like yet another F-Prot hiccup...

4/27/2005 01:32:09 Q23D834BB010C8222 MIME file: file.zip [base64; Length=50820 Checksum=6317600]
04/27/2005 01:32:39 Q23D834BB010C8222 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 01:32:42 Q23D834BB010C8222 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 01:32:42 Q23D834BB010C8222 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 01:32:42 Q23D834BB010C8222 Deleting file with virus
04/27/2005 01:32:42 Q23D834BB010C8222 Deleting E-mail with virus!
04/27/2005 01:32:42 Q23D834BB010C8222 Scanned: CONTAINS A VIRUS [MIME: 2 50998]
04/27/2005 01:32:42 Q23D834BB010C8222 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 01:32:42 Q23D834BB010C8222 Subject: Mail Delivery System

04/27/2005 01:32:34 Q23F1665600C08266 MIME file: document.zip [base64; Length=50828 Checksum=6318531]
04/27/2005 01:33:04 Q23F1665600C08266 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 01:33:06 Q23F1665600C08266 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 01:33:06 Q23F1665600C08266 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 01:33:06 Q23F1665600C08266 Deleting file with virus
04/27/2005 01:33:06 Q23F1665600C08266 Deleting E-mail with virus!
04/27/2005 01:33:06 Q23F1665600C08266 Scanned: CONTAINS A VIRUS [MIME: 2 51075]
04/27/2005 01:33:06 Q23F1665600C08266 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 01:33:06 Q23F1665600C08266 Subject: Good day

04/27/2005 12:53:45 QC34F126601208E36 MIME file: readme.zip [base64; Length=60534 Checksum=7436894]
04/27/2005 12:54:15 QC34F126601208E36 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 12:54:16 QC34F126601208E36 Scanner 2: Virus=the <Anonymous Driver> Attachment= [0] O
04/27/2005 12:54:16 QC34F126601208E36 File(s) are INFECTED [the <Anonymous Driver>: 13]
04/27/2005 12:54:16 QC34F126601208E36 Deleting file with virus
04/27/2005 12:54:16 QC34F126601208E36 Deleting E-mail with virus!
04/27/2005 12:54:16 QC34F126601208E36 Scanned: CONTAINS A VIRUS [MIME: 2 60735]
04/27/2005 12:54:16 QC34F126601208E36 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 12:54:16 QC34F126601208E36 Subject: MAIL TRANSACTION FAILED

04/27/2005 15:01:22 QE18023A80136D4FB MIME file: message.pif [base64; Length=68608 Checksum=8328934]
04/27/2005 15:01:22 QE18023A80136D4FB Banning file with PIF extension [application/octet-stream].
04/27/2005 15:01:52 QE18023A80136D4FB ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 15:01:54 QE18023A80136D4FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.pif [0] O
04/27/2005 15:01:54 QE18023A80136D4FB Invalid PIF Vulnerability
04/27/2005 15:01:54 QE18023A80136D4FB Found a bogus .pif file
04/27/2005 15:01:54 QE18023A80136D4FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 15:01:54 QE18023A80136D4FB Deleting file with virus
04/27/2005 15:01:54 QE18023A80136D4FB Deleting E-mail with virus!
04/27/2005 15:01:54 QE18023A80136D4FB Scanned: CONTAINS A VIRUS [MIME: 2 68855]
04/27/2005 15:01:54 QE18023A80136D4FB From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 15:01:54 QE18023A80136D4FB Subject: hello

04/27/2005 15:03:07 QE1E8CDE50080D601 MIME file: document.zip [base64; Length=68878 Checksum=8339217]
04/27/2005 15:03:37 QE1E8CDE50080D601 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 15:03:38 QE1E8CDE50080D601 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 15:03:38 QE1E8CDE50080D601 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 15:03:38 QE1E8CDE50080D601 Deleting file with virus
04/27/2005 15:03:38 QE1E8CDE50080D601 Deleting E-mail with virus!
04/27/2005 15:03:38 QE1E8CDE50080D601 Scanned: CONTAINS A VIRUS [MIME: 2 70364]
04/27/2005 15:03:38 QE1E8CDE50080D601 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 15:03:38 QE1E8CDE50080D601 Subject: hello

04/27/2005 17:50:01 Q08DE5B0200CC296E MIME file: test.exe [base64; Length=64512 Checksum=7880003]
04/27/2005 17:50:01 Q08DE5B0200CC296E Banning file with EXE extension [application/octet-stream].
04/27/2005 17:50:31 Q08DE5B0200CC296E ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 17:50:32 Q08DE5B0200CC296E Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=test.exe [0] O
04/27/2005 17:50:32 Q08DE5B0200CC296E File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 17:50:32 Q08DE5B0200CC296E Deleting file with virus
04/27/2005 17:50:32 Q08DE5B0200CC296E Deleting E-mail with virus!
04/27/2005 17:50:32 Q08DE5B0200CC296E Scanned: CONTAINS A VIRUS [MIME: 2 64690]
04/27/2005 17:50:32 Q08DE5B0200CC296E From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/27/2005 17:50:32 Q08DE5B0200CC296E Subject: Hello

04/27/2005 17:50:29 Q08E35B0200CC2989 MIME file: file.zip [base64; Length=64774 Checksum=7891080]
04/27/2005 17:50:59 Q08E35B0200CC2989 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 17:51:01 Q08E35B0200CC2989 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 17:51:01 Q08E35B0200CC2989 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 17:51:01 Q08E35B0200CC2989 Deleting file with virus
04/27/2005 17:51:01 Q08E35B0200CC2989 Deleting E-mail with virus!
04/27/2005 17:51:01 Q08E35B0200CC2989 Scanned: CONTAINS A VIRUS [MIME: 2 64952]
04/27/2005 17:51:01 Q08E35B0200CC2989 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/27/2005 17:51:01 Q08E35B0200CC2989 Subject: Vzvqvwnocdebkj





Markus Gufler wrote:
11:59pm here so it's not a good time to watch the CPU usage as most people have left the office some hours ago. Time to say good night for me too, not having seen anything strange with F-Prot on my server at the moment.
|-)

Markus


  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 27, 2005 11:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

I saw F-Prot time out 3 times today in my logs, and I can't remember that ever happening before.  McAfee didn't time out once, and that's usually the first to go.  Maybe this explains the issue.  I think it's time to do some performance monitoring to see what is up.

Matt



Darrell ([EMAIL PROTECTED]) wrote:

    
In the last 24 hours I have seen F-Prot start to use an excessive amount of CPU.  Normally it very rarely shows up in task manager and now it has been using a considerable amount of CPU.
Thoughts?
Darrell
----------------------------------------------------
Comprehensive Declude Virus and Junkmail reporting with DLAnalyzer - http://www.invariantsystems.com
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".    The archives can be found at http://www.mail-archive.com.


      
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
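
Added example (not part of the thread, and not code from Declude or from anyone on the list): the thread weighs two explanations for the scanner 1 timeouts, a problem with the infected files themselves or heavy load, and this sketch measures both from a log in the format quoted above. The line shapes are taken from the excerpts in the thread; the queue IDs, checksums, virus name and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
TIMEOUT = re.compile(r"ERROR: Virus scanner (\d+) didn't finish after (\d+) seconds")
DETECT = re.compile(r"Scanner (\d+): Virus=")

# Constructed sample in the thread's log format (IDs, checksums, virus name made up).
SAMPLE = """\
04/27/2005 01:32:09 QAAAA000000000001 MIME file: file.zip [base64; Length=50820 Checksum=1]
04/27/2005 01:32:39 QAAAA000000000001 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 01:32:42 QAAAA000000000001 Scanner 2: Virus=the Example.Worm Attachment= [0] O
04/27/2005 01:32:42 QAAAA000000000001 Scanned: CONTAINS A VIRUS [MIME: 2 50998]
04/27/2005 01:32:34 QAAAA000000000002 MIME file: document.zip [base64; Length=50828 Checksum=2]
04/27/2005 01:33:04 QAAAA000000000002 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 01:33:06 QAAAA000000000002 Subject: Good day
4/27/2005 09:00:00 QAAAA000000000003 MIME file: notes.zip [base64; Length=100 Checksum=3]
4/27/2005 09:00:01 QAAAA000000000003 Subject: hello
"""

def parse(text):
    """Group log lines by queue ID: scan window, timed-out and detecting scanners."""
    msgs = defaultdict(lambda: {"start": None, "end": None,
                                "timeouts": set(), "detections": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        rec = msgs[m.group(2)]
        rec["start"] = ts if rec["start"] is None else min(rec["start"], ts)
        rec["end"] = ts if rec["end"] is None else max(rec["end"], ts)
        if (t := TIMEOUT.search(m.group(3))):
            rec["timeouts"].add(int(t.group(1)))
        if (d := DETECT.search(m.group(3))):
            rec["detections"].add(int(d.group(1)))
    return dict(msgs)

def correlate(msgs, scanner=1):
    """Of the messages where `scanner` timed out, list those another scanner
    flagged and those whose scan window overlapped another message's."""
    hit = {q: r for q, r in msgs.items() if scanner in r["timeouts"]}
    flagged = sorted(q for q, r in hit.items() if r["detections"] - {scanner})
    busy = sorted(q for q, r in hit.items() if any(
        o != q and s["start"] <= r["end"] and r["start"] <= s["end"]
        for o, s in msgs.items()))
    return {"timeouts": len(hit), "flagged_by_other": flagged, "overlapping": busy}

if __name__ == "__main__":
    print(correlate(parse(SAMPLE)))
```

A timeout that appears in "overlapping" but not in "flagged_by_other" points toward load; the reverse points toward the file content.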
