Nick,

I know.  I sometimes don't read carefully myself :)

Matt



Nick wrote:
On 28 Apr 2005 at 13:50, Matt wrote:
Sorry about being wrong on both counts.. but I was trying to help!

-Nick



  
Nick,

Thanks for the reply, but I think you missed part of the
discussion. This is an F-Prot issue. Also, regardless of not finding a
parse string in report.txt, F-Prot isn't throwing one of the three
codes that people around here consider to be a virus, i.e. 3, 6 or 8.
If it threw that code, Declude would pick it up as a virus tagged by
F-Prot regardless of what the report.txt showed. The Report.txt is
only used for identifying the virus, but in this case it is a clue
that tells us that F-Prot is probably throwing an error of some sort
since this file is being generated and shouldn't otherwise be.

Matt




Nick wrote: 
    On 28 Apr 2005 at 12:57, Matt wrote:

    Matt - 

    If this becomes a real problem that you see and can monitor I
    would revert back to an older scan.exe to eliminate the issue of
    versions.

    This is a possible clue:

    " Could not find parse string Infection: in report.txt"

    What does this mean?

    Your virus.cfg needs a different setup parameter or report.txt
    cannot be found?

    -Nick

        04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
        04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
        04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
        --- 6 second gap where F-Prot scans message ---
        04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
        04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
        04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
        04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
        04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
        04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
        04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
        04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

        04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
        --- 4 second gap where F-Prot scans message ---
        04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
        04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
        04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
        04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
        04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
        04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
        04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
        04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

        04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
        04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
        04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
        --- 9 second gap where F-Prot scans message ---
        04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
        04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
        04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
        04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
        04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
        04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
        04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
        04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

    I'm virtually certain that this is what was happening yesterday,
    but under heavier load, F-Prot was taking longer to scan the
    messages than the 30 seconds that I allow it to. There are no
    other long delays like this that I can find. F-Prot based on past
    testing should detect a typical virus in 100 ms on my system, but
    it is not only taking much more time to scan a very small file, it
    is also missing the virus.

    I suspect that this is happening on other systems, but the timeout
    issue probably wasn't seen as often because I have my timeout set
    to 30 seconds instead of 60 seconds, and I had very heavy load for
    much of the day yesterday. If others are running two virus
    scanners including F-Prot, it would help to confirm my findings by
    searching for a hit on the second virus scanner hitting, but
    F-Prot missing and also taking several seconds or more to return a
    result.

    If you search your logs for "Could not find parse string
    Infection: in report.txt", it might help to narrow down the
    results. I even tested with McAfee run first and then F-Prot and
    these messages would still appear when F-Prot didn't detect
    anything and McAfee did. Here's an example with McAfee run first,
    detected a virus, and then F-Prot took its time, generated a
    report.txt file but didn't return a virus result code:

        04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
        04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
        --- 7 second gap while F-Prot scans ---
        04/28/2005 01:37:58 Q76AE2D3600E0E263 Could not find parse string Infection: in report.txt
        04/28/2005 01:37:58 Q76AE2D3600E0E263 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 8]
        04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting file with virus
        04/28/2005 01:37:58 Q76AE2D3600E0E263 Deleting E-mail with virus!
        04/28/2005 01:37:58 Q76AE2D3600E0E263 Scanned: CONTAINS A VIRUS [MIME: 2 58564]
        04/28/2005 01:37:58 Q76AE2D3600E0E263 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
        04/28/2005 01:37:58 Q76AE2D3600E0E263 Subject: Good day

    I'm guessing that F-Prot doesn't produce a Report.txt file unless
    something happens besides it being found clean, and this file is
    being generated after a long delay and contains no identifiable
    infection string and the result code isn't 3, 6 or 8, otherwise
    Declude would have considered it a virus. I'm guessing that the
    report.txt file contains a report of an error???

    I'm also guessing that this might explain the high CPU usage that
    Darrell was reporting for F-Prot yesterday, though these events
    are not very common on my system, only about twice an hour it
    would seem.

    Matt
    -- 
    =====================================================
    MailPure custom filters for Declude JunkMail Pro.
    http://www.mailpure.com/software/
    =====================================================



    ---
    This E-mail came from the Declude.Virus mailing list.  To
    unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
    "unsubscribe Declude.Virus".    The archives can be found at
    http://www.mail-archive.com.






  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
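
The log search proposed in the thread, sketched as an added example (not code from the list, Declude or F-Prot): it groups log lines by queue ID and flags messages where the "Could not find parse string" marker follows a delay and another scanner reported a virus. The sample lines, queue IDs, virus names and the 2-second default threshold are constructed assumptions, and it expects one log entry per line.

```python
import re
from collections import defaultdict
from datetime import datetime

MARKER = "Could not find parse string Infection: in report.txt"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q\w+) (.*)$")
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus=")

# Constructed sample lines in the log layout quoted in the thread.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QAAAA000000000001 MIME file: sample.scr [base64; Length=52224 Checksum=1]
04/28/2005 05:49:10 QAAAA000000000001 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QAAAA000000000001 Scanner 2: Virus=the W32/Example.A Attachment=sample.scr [0] O
04/28/2005 05:49:11 QAAAA000000000001 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 06:00:00 QBBBB000000000002 MIME file: other.zip [base64; Length=100 Checksum=2]
04/28/2005 06:00:00 QBBBB000000000002 Scanner 1: Virus=the W32/Example.B Attachment= [0] O
04/28/2005 06:00:01 QBBBB000000000002 Scanned: CONTAINS A VIRUS [MIME: 2 200]
04/28/2005 07:00:00 QCCCC000000000003 MIME file: note.txt [base64; Length=10 Checksum=3]
04/28/2005 07:00:00 QCCCC000000000003 Could not find parse string Infection: in report.txt
"""

def find_slow_misses(log_text, min_gap_seconds=2):
    """Return (queue_id, gap_seconds, scanners_that_hit) per suspect message."""
    by_id = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # annotations and wrapped fragments are skipped
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        by_id[m.group(2)].append((ts, m.group(3)))
    suspects = []
    for qid, entries in by_id.items():
        # Scanner numbers that reported a virus for this message.
        hits = sorted({int(s.group(1)) for _, msg in entries
                       if (s := SCANNER_RE.match(msg))})
        for i, (ts, msg) in enumerate(entries):
            if msg != MARKER or i == 0:
                continue
            # Delay between the previous line for this message and the marker.
            gap = int((ts - entries[i - 1][0]).total_seconds())
            if hits and gap >= min_gap_seconds:
                suspects.append((qid, gap, hits))
    return suspects

if __name__ == "__main__":
    for qid, gap, hits in find_slow_misses(SAMPLE_LOG):
        print(f"{qid}: {gap}s before marker, detected by scanner(s) {hits}")
```

The marker line stands in for "F-Prot wrote a report.txt but returned no virus code", as the thread infers; the log itself does not name which scanner produced it.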
