Markus,

Take the spool file name corresponding to the "could not find parse string" and look above it for the beginning of the log entries for that file.  You might think that this is the first entry for that message, but it appears that there is a gap in time and you aren't finding the first entries.  Your entries should look the same or similar to mine.  The first entry for each such message that passes PRESCAN will start with the "MIME file" line.  It seems likely that you are experiencing the same thing.

Matt



Markus Gufler wrote:
Matt,
how do you search for these F-Prot space gaps?
 
As far as I can see from your log snippets, each time there is a "could not find parse string" after the space gap.
 
Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F-Prot, while Scanner 2 (McAfee) is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).
 
I still have F-Prot 3.15 in use, not 3.16.
 
Markus
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 6:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

After further review, I'm pretty sure that there is an F-Prot issue going on here.

My server hasn't been hitting 100% yet today, and I also haven't seen any F-Prot timeouts, however I have found more compelling evidence that there is an issue with F-Prot that would probably lead to timeouts if the load was heavy while some messages were scanned.  I searched my logs today for examples of where McAfee found Mytob, but F-Prot didn't detect anything.  There were a fair number of examples, and in every one, F-Prot took an uncharacteristically long time to scan the file.  Here are three examples that are marked with the gap corresponding to the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection:  in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection:  in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but under heavier load, F-Prot was taking longer to scan the messages than the 30 seconds that I allow it to.  There are no other long delays like this that I can find.  F-Prot based on past testing should detect a typical virus in 100 ms on my system, but it is not only taking much more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout issue probably wasn't seen as often because I have my timeout set to 30 seconds instead of 60 seconds, and I had very heavy load for much of the day yesterday.  If others are running two virus scanners including F-Prot, it would help to confirm my findings by searching for cases where the second virus scanner hits but F-Prot misses and also takes several seconds or more to return a result.

If you search your logs for "Could not find parse string Infection:  in report.txt", it might help to narrow down the results.  I even tested with McAfee run first and then F-Prot, and these messages would still appear when F-Prot didn't detect anything and McAfee did.  Here's an example where McAfee was run first and detected a virus, and then F-Prot took its time, generated a report.txt file but didn't return a virus result code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
--- 7 second gap while F-Prot scans ---
04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection:  in report.txt
04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day

I'm guessing that F-Prot doesn't produce a Report.txt file unless something happens besides the file being found clean, and this file is being generated after a long delay and contains no identifiable infection string, and the result code isn't 3, 6 or 8, otherwise Declude would have considered it a virus.  I'm guessing that the report.txt file contains a report of an error???

I'm also guessing that this might explain the high CPU usage that Darrell was reporting for F-Prot yesterday, though these events are not very common on my system, only about twice an hour it would seem.

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================

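The search Matt describes (find each "Could not find parse string" entry, then look back at the previous entry for the same spool ID to measure the delay, and check which scanner actually reported the virus) can be automated. The script below is an added example written for this page; it is not Declude's code and not something either poster ran. It assumes the Declude log format visible in the thread ("MM/DD/YYYY HH:MM:SS Q<id> message") and uses constructed sample lines modelled on that format (the virus name "W32/Example", the spool IDs starting with "Q0000" and the "Scanned: clean" line are placeholders, not real Declude output). Because Declude interleaves entries from several messages, it groups lines by spool ID first, which is exactly why Markus's "it is always the first entry" observation is misleading: the preceding entry for that message is further up the file.

```python
"""Find Declude log entries where F-Prot produced no parse string after a delay.

Groups log lines by spool ID (the Q... token), locates each
"Could not find parse string" entry, measures the time since the previous
entry for the same message, and records which scanner(s) reported a virus.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Declude log line: "MM/DD/YYYY HH:MM:SS Q<hex id> <message>" (format taken from the thread)
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
PARSE_STRING_PREFIX = "Could not find parse string"
SCANNER_HIT_RE = re.compile(r"^Scanner (\d+): Virus=")

# Constructed sample log. The first message mirrors the thread's example; the
# placeholder clean message and the one whose first visible entry is the parse
# string line (Markus's situation) are invented to exercise both paths.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:05 Q0000000000000001 MIME file: notes.txt [base64; Length=1024 Checksum=1]
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=W32/Example Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [W32/Example: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:12 Q0000000000000001 Scanned: clean (constructed placeholder line)
04/28/2005 05:49:20 Q0000000000000002 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:21 Q0000000000000002 Scanner 2: Virus=W32/Example Attachment=doc.zip [0] O
"""


def parse_line(line):
    """Return (timestamp, spool_id, message) for a Declude log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return ts, m.group(2), m.group(3)


def group_by_message(lines):
    """Group parsed entries by spool ID, preserving file order within each group."""
    groups = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            groups.setdefault(parsed[1], []).append(parsed)
    return groups


def find_parse_string_gaps(lines, min_gap_seconds=0):
    """Report each parse-string entry with the delay since the message's previous entry.

    gap_seconds is None when the parse-string line is the first entry seen for
    that spool ID (the log window started too late to measure the delay).
    Entries with a measurable gap shorter than min_gap_seconds are dropped.
    """
    results = []
    for qid, entries in group_by_message(lines).items():
        # Which scanner(s) reported a virus for this message (Scanner 1 / Scanner 2)
        hits = sorted({int(m.group(1)) for _, _, msg in entries
                       for m in [SCANNER_HIT_RE.match(msg)] if m})
        for i, (ts, _, msg) in enumerate(entries):
            if not msg.startswith(PARSE_STRING_PREFIX):
                continue
            prev = entries[i - 1] if i > 0 else None
            gap = (ts - prev[0]).total_seconds() if prev else None
            if gap is not None and gap < min_gap_seconds:
                continue
            results.append({
                "qid": qid,
                "gap_seconds": gap,
                "detected_by": hits,
                "previous_entry": prev[2] if prev else None,
            })
    return results


if __name__ == "__main__":
    for r in find_parse_string_gaps(SAMPLE_LOG.splitlines()):
        print(r["qid"], r["gap_seconds"], r["detected_by"], r["previous_entry"])
```

Run it against a real log with `find_parse_string_gaps(open(path).readlines(), min_gap_seconds=2)` to list only the slow cases; a result whose `detected_by` contains the other scanner's number but not F-Prot's is the "second scanner hits, F-Prot misses and is slow" pattern Matt asks others to look for. A `gap_seconds` of None means the log slice started after the message's earlier entries, so look further back in the file before concluding there was no gap.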
