Title: Message
I downloaded and manually scanned the file with F-Prot and McAfee multiple times.
 
Desktop, WXP SP2, P4, 2.8 GHz
F-Prot - 5 seconds
McAfee - 0.4 seconds
 
Server, W2K SP4, P3, 866 Hz
F-Prot - 10.1 seconds
McAfee - 1.21 seconds
 
F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of line with the scanning time on this file.
 
I'm enclosing the batch file I use to manually scan (and not clean) files.  I monkeyed with all of the documented options and could not reduce the F-Prot scanning time.  On the bright side, reviewing the parameters revealed that if you're not mindful and specify both the /type and /dumb options, the last one in the line wins (oops, I did that in my virus.cfg).  Also, I learned that /packed is always on.
 
I'm going to check for a similar malware detection, and submit it to F-Prot as a bug.
 
I did get a reply on my previous report to them (after 6 days); they brought my request to the attention of the developers, but then reminded me that any non-zero return code is "undesirable".  The request was to re-classify Mitglieder from "suspicious" to "virus" so that I could get the correct return code and thus the correct handling in my Declude Virus.
 
Andrew 8)
 
p.s. I use the TimeThis.exe command line utility from Microsoft to get sub-second intervals in batch files.
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 3:13 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

Ok, I've captured one of these files and confirmed from a manual scan that it is still taking an excessive amount of time...but wait, there's more.  The report.txt file that it creates shows that it detected Mytob, but every test where I send this to myself in E-mail results in no virus detected by F-Prot using VIRUSCODE 3, 6, 8, 9 or 10.  I haven't gone as far as coding something up that can capture the exit code from the command line yet, but I would be curious what if any was returned.

Here's what Declude Virus shows for this file when I send it to myself:
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: [text/html][7bit; Length=695 Checksum=54365]
04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 Checksum=6987426]
--- 10 second gap while F-Prot scans ---
04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string Infection:  in report.txt
04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] I
04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 57490]
04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery System]
Here's a link to the virus for those that might want to test it out for themselves.  Turn off your real-time virus scanner, right click the file and press save as, and rename it as doc.zip (it's not really a text file).
http://administration.mailpure.com/virus/doc.txt
Here's the command line for F-Prot that I was using with the file located in C:\test\doc.zip:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt C:\test\doc.zip
Here's the output from the report.txt file when manually scanned:
Virus scanning report  -  28 April 2005 @ 17:45

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 28 April 2005
SIGN2.DEF created 28 April 2005
MACRO.DEF created 20 April 2005

Search: C:\test\doc.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=C:\test\report.txt /SILENT /NOBOOT /NOMEM
Memory was not scanned.
Hard disk boot sectors were not scanned.

C:\test\doc.zip->doc.scr->(Packed)  is a security risk named W32/[EMAIL PROTECTED]

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:10

So it takes 10 seconds, finds a "security risk named W32/[EMAIL PROTECTED]" and says it is "Suspicious", but I have Declude configured to treat an exit code of 8 as a virus currently, and that's what Suspicious files are supposedly marked as.  I don't know if there is a different code being returned, or if F-Prot is just bugging out and not returning a code.  Maybe some of you can clear that part up.

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
@echo off
if "%1" == "" goto splain

if not exist %1 (echo File or folder '%1' does not exist && echo. && goto splain)
C:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem %1
echo.
echo ErrorLevel returned by fpcmd is: [%errorlevel%]
REM "if errorlevel N" is true for N or higher, so the codes are tested from highest to lowest.
if errorlevel 10 (echo errorlevel 10 = At least one nested archive object was not scanned. & goto quit)
if errorlevel 9 (echo errorlevel 9 = At least one object was not scanned [encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file]. & goto quit)
if errorlevel 8 (echo errorlevel 8 = At least one suspicious object was found. & goto quit)
if errorlevel 7 (echo errorlevel 7 = Error, out of memory. & goto quit)
if errorlevel 6 (echo errorlevel 6 = At least one virus was removed. & goto quit)
if errorlevel 5 (echo errorlevel 5 = Abnormal termination [scanning did not finish]. & goto quit)
if errorlevel 4 (echo errorlevel 4 = Reserved, not currently in use. & goto quit)
if errorlevel 3 (echo errorlevel 3 = At least one virus-infected object was found. & goto quit)
if errorlevel 2 (echo errorlevel 2 = Selftest failed [program has been modified]. & goto quit)
if errorlevel 1 (echo errorlevel 1 = Unrecoverable error [e.g., missing virus signature files]. & goto quit)
goto quit

:splain
echo Call this script with a parameter indicating a file or folder name.
echo.
echo e.g. ScanOnly c:\temp\hostile.exe

:quit
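The thread's open question is whether the errorlevel fpcmd returns agrees with what its report.txt says, and why the scan is so slow. The following is an added example, not code from either poster or from F-Prot or Declude: it parses a report in the layout quoted above (the sample text is constructed, with a placeholder detection name), derives the exit code the summary counts imply, and flags both a mismatching errorlevel and a scan slower than a chosen limit. The "Infection:" wording is assumed from the parse string Declude logs that it looks for.

```python
import re

# fpcmd 3.x exit codes as listed in the batch file above; the highest applicable code is returned.
FPCMD_EXIT_CODES = {
    0: "No infected or suspicious objects found", 1: "Unrecoverable error",
    2: "Selftest failed", 3: "Virus-infected object found", 4: "Reserved",
    5: "Abnormal termination", 6: "Virus removed", 7: "Out of memory",
    8: "Suspicious object found", 9: "Object not scanned", 10: "Nested archive object not scanned",
}

# Constructed sample in the layout of the report.txt quoted in the thread (detection name is a placeholder).
SAMPLE_REPORT = """Virus scanning report  -  28 April 2005 @ 17:45
Search: C:\\test\\doc.zip
Action: Report only
C:\\test\\doc.zip->doc.scr->(Packed)  is a security risk named W32/Example.worm
Results of virus scanning:
Files: 1
Objects scanned: 2
Infected: 0
Suspicious: 1
Time: 0:10
"""

# "is a security risk named" is the wording in the report above; "Infection:" is the string Declude parses for.
DETECTION_RE = re.compile(r"^(?P<obj>.+?)\s+(?:is a security risk named|Infection:)\s+(?P<name>\S.*)$")
COUNT_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>\d+)$")
TIME_RE = re.compile(r"^Time: (\d+):(\d\d)$")

def parse_report(text):
    """Return summary counts, detected objects and the scan time in seconds."""
    report = {"counts": {}, "detections": [], "seconds": None}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := DETECTION_RE.match(line)):
            report["detections"].append((m["obj"], m["name"]))
        elif (m := COUNT_RE.match(line)):
            report["counts"][m["key"]] = int(m["val"])
        elif (m := TIME_RE.match(line)):
            report["seconds"] = int(m[1]) * 60 + int(m[2])
    return report

def expected_exit_code(report):
    """Exit code the counts imply: infected (3) outranks suspicious (8); assumes every object was scanned."""
    counts = report["counts"]
    return 3 if counts.get("Infected", 0) else 8 if counts.get("Suspicious", 0) else 0

def check_scan(report, actual_code, max_seconds=5):
    """List disagreements between report and errorlevel, plus scans slower than max_seconds."""
    issues, want = [], expected_exit_code(report)
    if actual_code != want:
        issues.append(f"errorlevel {actual_code} ({FPCMD_EXIT_CODES.get(actual_code, '?')}) "
                      f"but report implies {want} ({FPCMD_EXIT_CODES[want]})")
    if report["seconds"] is not None and report["seconds"] > max_seconds:
        issues.append(f"scan took {report['seconds']}s (limit {max_seconds}s)")
    return issues
```

Feeding the real report.txt and the `%errorlevel%` captured by the batch file into `check_scan` gives a one-line verdict per scan that can be logged alongside Declude's own lines.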
