I downloaded and manually scanned the file with F-Prot and McAfee multiple times.

Desktop, WXP SP2, P4, 2.8 GHz
  F-Prot - 5 seconds
  McAfee - 0.4 seconds

Server, W2K SP4, P3, 866 Hz
  F-Prot - 10.1 seconds
  McAfee - 1.21 seconds

F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of line with the scanning time on this file.

I'm enclosing the batch file I use to manually scan (and not clean) files. I monkeyed with all of the documented options and could not reduce the F-Prot scanning time. On the bright side, reviewing the parameters revealed that if you're not mindful and specify both the /type and /dumb options, the last one in the line wins (oops, I did that in my virus.cfg). Also, I learned that /packed is always on.

I'm going to check for a similar malware detection, and submit it to F-Prot as a bug.

I did get a reply on my previous report to them (after 6 days); they brought my request to the attention of the developers, but then reminded me that any non-zero return code is "undesirable". The request was to re-classify Mitglieder from "suspicious" to "virus" so that I could get the correct return code and thus the correct handling in my Declude Virus.

Andrew 8)

p.s. I use the TimeThis.exe command line utility from Microsoft to get sub-second intervals in batch files.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 3:13 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

Ok, I've captured one of these files and confirmed from a manual scan that it is still taking an excessive amount of time...but wait, there's more. The report.txt file that it creates shows that it detected Mytob, but every test where I send this to myself in E-mail results in no virus detected by F-Prot using VIRUSCODE 3, 6, 8, 9 or 10. I haven't gone as far as coding something up that can capture the exit code from the command line yet, but I would be curious what if any was returned.

@echo off
rem Scan a file or folder with F-Prot (scan only, no cleaning) and report fpcmd's exit code.
if "%1" == "" goto splain
if not exist %1 (echo File or folder '%1' does not exist && echo. && goto splain)

C:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem %1

echo.
echo ErrorLevel returned by fpcmd is: [%errorlevel%]
rem "if errorlevel N" is true for any exit code of N or higher, so test from highest to lowest.
if errorlevel 10 (echo errorlevel 10 = At least one nested archive object was not scanned. & goto quit)
if errorlevel 9 (echo errorlevel 9 = At least one object was not scanned [encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file]. & goto quit)
if errorlevel 8 (echo errorlevel 8 = At least one suspicious object was found. & goto quit)
if errorlevel 7 (echo errorlevel 7 = Error, out of memory. & goto quit)
if errorlevel 6 (echo errorlevel 6 = At least one virus was removed. & goto quit)
if errorlevel 5 (echo errorlevel 5 = Abnormal termination [scanning did not finish]. & goto quit)
if errorlevel 4 (echo errorlevel 4 = Reserved, not currently in use. & goto quit)
if errorlevel 3 (echo errorlevel 3 = At least one virus-infected object was found. & goto quit)
if errorlevel 2 (echo errorlevel 2 = Selftest failed [program has been modified]. & goto quit)
if errorlevel 1 (echo errorlevel 1 = Unrecoverable error [e.g., missing virus signature files]. & goto quit)
goto quit

:splain
echo Call this script with a parameter indicating a file or folder name.
echo.
echo e.g. ScanOnly c:\temp\hostile.exe

:quit