Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Matt
I saw F-Prot time out 3 times today in my logs, and I can't remember 
that ever happening before.  McAfee didn't time out once, and that's 
usually the first to go.  Maybe this explains the issue.  I think it's 
time to do some performance monitoring to see what is up.

Matt

Darrell ([EMAIL PROTECTED]) wrote:
In the last 24 hours I have seen F-Prot start to use an excessive 
amount of CPU.  Normally it very rarely shows up in task manager and 
now it has been using a considerable amount of CPU.
Thoughts?
Darrell

Comprehensive Declude Virus and Junkmail reporting with DLAnalyzer - 
http://www.invariantsystems.com
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Markus Gufler
11:59pm here so it's not a good time to watch the cpu usage as most people
left the office some hours ago. Time to say good night for me too, after
not having seen anything strange with f-prot on my server at the moment.
|-)

Markus


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Wednesday, April 27, 2005 11:53 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] High CPU F-Prot
> 
> I saw F-Prot time out 3 times today in my logs, and I can't 
> remember that ever happening before.  McAfee didn't time out 
> once, and that's usually the first to go.  Maybe this 
> explains the issue.  I think it's time to so some performance 
> monitoring to see what is up.
> 
> Matt
> 
> 
> 
> Darrell ([EMAIL PROTECTED]) wrote:
> 
> > In the last 24 hours I have seen F-Prot start to use an excessive 
> > amount of CPU.  Normally it very rarely shows up in task 
> manager and 
> > now it has been using a considerable amount of CPU.
> > Thoughts?
> > Darrell
> > 


RE: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Colbeck, Andrew
I've seen no change in the cpu usage on my F-Prot implementation of
Declude Virus.

My server picked up the most recent update an hour ago, so that may be
important to you.  

In checking that I was confused, because the time stamp hadn't been hit
yet.  From viewing all three date columns in Explorer, it looks like
they are publishing their MODIFIED timestamp in UTC.

I don't know if this is territory that is already well-trod, but I
recently stopped using the F-Prot Updater in their Scheduler.  I keep a
user logged in anyway, but this was too interactive, and with relatively
frequent incidents where the scheduler failed to update and notified the
logged in user, I was sure that I was missing updates until the
resulting message boxes were cleared.

I followed:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

And it's working great.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Wednesday, April 27, 2005 2:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] High CPU F-Prot


In the last 24 hours I have seen F-Prot start to use an excessive amount
of 
CPU.  Normally it very rarely shows up in task manager and now it has
been 
using a considerable amount of CPU. 

Thoughts?
Darrell 

 


Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Matt
th EXE extension [application/octet-stream].
04/27/2005 17:50:31 Q08DE5B0200CC296E ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 17:50:32 Q08DE5B0200CC296E Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=test.exe [0] O
04/27/2005 17:50:32 Q08DE5B0200CC296E File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 17:50:32 Q08DE5B0200CC296E Deleting file with virus
04/27/2005 17:50:32 Q08DE5B0200CC296E Deleting E-mail with virus!
04/27/2005 17:50:32 Q08DE5B0200CC296E Scanned: CONTAINS A VIRUS [MIME: 2 64690]
04/27/2005 17:50:32 Q08DE5B0200CC296E From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/27/2005 17:50:32 Q08DE5B0200CC296E Subject: Hello

04/27/2005 17:50:29 Q08E35B0200CC2989 MIME file: file.zip [base64; Length=64774 Checksum=7891080]
04/27/2005 17:50:59 Q08E35B0200CC2989 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 17:51:01 Q08E35B0200CC2989 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 17:51:01 Q08E35B0200CC2989 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 17:51:01 Q08E35B0200CC2989 Deleting file with virus
04/27/2005 17:51:01 Q08E35B0200CC2989 Deleting E-mail with virus!
04/27/2005 17:51:01 Q08E35B0200CC2989 Scanned: CONTAINS A VIRUS [MIME: 2 64952]
04/27/2005 17:51:01 Q08E35B0200CC2989 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/27/2005 17:51:01 Q08E35B0200CC2989 Subject: Vzvqvwnocdebkj









Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Darrell ([EMAIL PROTECTED])



Matt,
 
What version of F-Prot are you using?
 
Darrell
 
---Check out http://www.invariantsystems.com for 
utilities for Declude And Imail.  IMail Queue Monitoring, Declude Overflow 
Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log 
Parsers.

  - Original Message - 
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Wednesday, April 27, 2005 6:57 PM
  Subject: Re: [Declude.Virus] High CPU F-Prot

  I did some monitoring and fpcmd.exe isn't normally causing excessive load
  and it's completely updated.  On the other hand, I have seen now 9 different
  timeouts for F-Prot on my system today, and every timeout for F-Prot was
  for a message that McAfee detected as a virus.  There are two possibilities
  here that I can think of.  The most obvious would be that this variant of
  Mytob is causing issues with F-Prot, possibly targeting a bug in the app
  that we don't know about.  The second issue might be related to the fact
  that I upgraded last night from 1.82 and so I can't rule that out, but I'm
  leaning heavily towards F-Prot having issues.  Looks like yet another
  F-Prot hiccup...

4/27/2005 01:32:09 Q23D834BB010C8222 MIME file: file.zip [base64; Length=50820 Checksum=6317600]
04/27/2005 01:32:39 Q23D834BB010C8222 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 01:32:42 Q23D834BB010C8222 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 01:32:42 Q23D834BB010C8222 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 01:32:42 Q23D834BB010C8222 Deleting file with virus
04/27/2005 01:32:42 Q23D834BB010C8222 Deleting E-mail with virus!
04/27/2005 01:32:42 Q23D834BB010C8222 Scanned: CONTAINS A VIRUS [MIME: 2 50998]
04/27/2005 01:32:42 Q23D834BB010C8222 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 01:32:42 Q23D834BB010C8222 Subject: Mail Delivery System

04/27/2005 01:32:34 Q23F1665600C08266 MIME file: document.zip [base64; Length=50828 Checksum=6318531]
04/27/2005 01:33:04 Q23F1665600C08266 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 01:33:06 Q23F1665600C08266 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 01:33:06 Q23F1665600C08266 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 01:33:06 Q23F1665600C08266 Deleting file with virus
04/27/2005 01:33:06 Q23F1665600C08266 Deleting E-mail with virus!
04/27/2005 01:33:06 Q23F1665600C08266 Scanned: CONTAINS A VIRUS [MIME: 2 51075]
04/27/2005 01:33:06 Q23F1665600C08266 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 01:33:06 Q23F1665600C08266 Subject: Good day

04/27/2005 12:53:45 QC34F126601208E36 MIME file: readme.zip [base64; Length=60534 Checksum=7436894]
04/27/2005 12:54:15 QC34F126601208E36 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 12:54:16 QC34F126601208E36 Scanner 2: Virus=the  Attachment= [0] O
04/27/2005 12:54:16 QC34F126601208E36 File(s) are INFECTED [the : 13]
04/27/2005 12:54:16 QC34F126601208E36 Deleting file with virus
04/27/2005 12:54:16 QC34F126601208E36 Deleting E-mail with virus!
04/27/2005 12:54:16 QC34F126601208E36 Scanned: CONTAINS A VIRUS [MIME: 2 60735]
04/27/2005 12:54:16 QC34F126601208E36 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 12:54:16 QC34F126601208E36 Subject: MAIL TRANSACTION FAILED

04/27/2005 15:01:22 QE18023A80136D4FB MIME file: message.pif [base64; Length=68608 Checksum=8328934]
04/27/2005 15:01:22 QE18023A80136D4FB Banning file with PIF extension [application/octet-stream].
04/27/2005 15:01:52 QE18023A80136D4FB ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 15:01:54 QE18023A80136D4FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.pif [0] O
04/27/2005 15:01:54 QE18023A80136D4FB Invalid PIF Vulnerability
04/27/2005 15:01:54 QE18023A80136D4FB Found a bogus .pif file
04/27/2005 15:01:54 QE18023A80136D4FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 15:01:54 QE18023A80136D4FB Deleting file with virus
04/27/2005 15:01:54 QE18023A80136D4FB Deleting E-mail with virus!
04/27/2005 15:01:54 QE18023A80136D4FB Scanned: CONTAINS A VIRUS [MIME: 2 68855]
04/27/2005 15:01:54 QE18023A80136D4FB From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 15:01:54 QE18023A80136D4FB Subject: hello

04/27/2005 15:03:07 QE1E8CDE50080D601 MIME file: document.zip [base64; Length=68878 Checksum=8339217]
04/27/2005 15:03:37 QE1E8CDE50080D601 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/20

RE: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Colbeck, Andrew

Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Matt

I'm running 3.16b, the most current version, and today's most recent
definitions.

I don't believe those errors are related.  What you pointed out is just
the heavy load multiple processing bug, and it would seemingly scan for
viruses properly on the first pass.  All of my errors occurred during
heavy load as far as I can tell.  For some reason I've been getting
slammed harder and harder over the last two weeks.  I still have some
domains that aren't being validated and the dictionary attacks on them
are getting worse it seems.  It's very odd and quite bursty, but I
digress.

I'm thinking that this is an F-Prot issue.  While they always occur
during heavy load, they also all occurred on files that McAfee detected
as a virus.  I would think that if it was completely load related or
caused by something else, McAfee wouldn't be even close to 9 for 9 in
detecting these as viruses.  The dependency on heavy load however
suggests something else since there is also a 9 for 9 dependency
there.  I should probably mention that I am testing a fix for the
multiple-processing issue, so this might be unique to just my system. 
This is also the first time that I upgraded from 1.82, so I am watching
my logs carefully.  Everything else seems hunky-dory.  If it's F-Prot
that is causing the issue, I would imagine that it should disappear
soon.  I would expect that others would also see some of the same.

Matt



Colbeck, Andrew wrote:

  Hmm, it won't help any directly, but I can tell you that I've had zero
  instances of this timeout error so far this month.

  For what it's worth, the only errors in my vir04??.log file are all about
  double-scanning by Declude (for a message with a single addressee).  I see
  timestamps with the Declude JunkMail entries, then the Virus entries
  (clean), then the same lines in Declude again (but 35 seconds later) and
  then the Virus entry indicates

  4/26/2005 09:40:26 Q6C323086024ED01A Error opening mime file D:\IMAIL\SPOOL\D6C323086024ED01A.SMD
  4/26/2005 09:40:26 Q6C323086024ED01A Scanned: Error starting scanner

  This has happened 10 times in 140,000 unique* messages.  Each of those ten
  times was during the server's peak period.

  Andrew 8)

  I measured unique messages, not recipients, i.e.

  for %i in (vir04??.log) do @gawk "{print $3}" %i | usort | uniq | wc -l

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 27, 2005 3:58 PM
    To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


I did some monitoring and fpcmd.exe isn't normally causing excessive
load and it's completely updated.  On the other hand, I have seen now 9
different timeouts for F-Prot on my system today, and every timeout for
F-Prot was for a message that McAfee detected as a virus.  There are
two possibilities here that I can think of.  The most obvious would be
that this variant of Mytob is causing issues with F-Prot, possibly
targeting a bug in the app that we don't know about.  The second issue
might be related to the fact that I upgraded last night from 1.82 and
so I can't rule that out, but I'm leaning heavily towards F-Prot having
issues.  Looks like yet another F-Prot hiccup...

4/27/2005 01:32:09 Q23D834BB010C8222 MIME file:
file.zip [base64; Length=50820 Checksum=6317600]
04/27/2005 01:32:39 Q23D834BB010C8222 ERROR: Virus scanner 1 didn't
finish after 30 seconds; terminating.
04/27/2005 01:32:42 Q23D834BB010C8222 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 01:32:42 Q23D834BB010C8222 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/27/2005 01:32:42 Q23D834BB010C8222 Deleting file with virus
04/27/2005 01:32:42 Q23D834BB010C8222 Deleting E-mail with virus!
04/27/2005 01:32:42 Q23D834BB010C8222 Scanned: CONTAINS A VIRUS [MIME:
2 50998]
04/27/2005 01:32:42 Q23D834BB010C8222 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[outgoing from 208.7.179.200]
04/27/2005 01:32:42 Q23D834BB010C8222 Subject: Mail Delivery System
  
04/27/2005 01:32:34 Q23F1665600C08266 MIME file: document.zip [base64;
Length=50828 Checksum=6318531]
04/27/2005 01:33:04 Q23F1665600C08266 ERROR: Virus scanner 1 didn't
finish after 30 seconds; terminating.
04/27/2005 01:33:06 Q23F1665600C08266 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 01:33:06 Q23F1665600C08266 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/27/2005 01:33:06 Q23F1665600C08266 Deleting file with virus
04/27/2005 01:33:06 Q23F1665600C08266 Deleting E-mail with virus!
04/27/2005 01:33:06 Q23F1665600C08266 Scanned: CONTAINS A VIRUS [MIME:
2 51075]
04/27/2005 01:33:06 Q23F1665600C08266 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[outgoing from 208.7.179.200]
04/27/2005 01:33:06 Q23F1665600C08266 Subject: Good day
  
04/

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




After further review, I'm pretty sure that there is an F-Prot issue
going on here.

My server hasn't been hitting 100% yet today, and I also haven't seen
any F-Prot timeouts, however I have found more compelling evidence that
there is an issue with F-Prot that would probably lead to timeouts if
the load was heavy while some messages were scanned.  I searched my
logs today for examples of where McAfee found Mytob, but F-Prot didn't
detect anything.  There were a fair number of examples, and in every
one, F-Prot took an uncharacteristically long time to scan the file. 
Here are three examples that are marked with the gap corresponding to
the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
  --- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
  --- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection:  in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
  --- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection:  in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but
under heavier load, F-Prot was taking longer to scan the messages than
the 30 seconds that I allow it to.  There are no other long delays like
this that I can find.  F-Prot based on past testing should detect a
typical virus in 100 ms on my system, but it is not only taking much
more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout
issue probably wasn't seen as often because I have my timeout set to 30
seconds instead of 60 seconds, and I had very heavy load for much of
the day yesterday.  If others are running two virus scanners including
F-Prot, it would help to confirm my findings by searching for a hit on
the second virus scanner hitting, but F-Prot missing and also taking
several seconds or more to return a result.

If you search your logs for "Could not find parse string Infection:  in
report.txt", it might help to narrow down the results.  I even tested
with McAfee run first and then F-Prot and these messages would still
appear when F-Prot didn't detect anything and McAfee did.  Here's an
example with McAfee run first, detected a virus, and then F-Prot took
its time, generated a report.txt file but didn't return a virus result
code:
04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
  --- 7 second gap wh

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler



Matt,
how do you search for these F-Prot gaps?

As I can see from your log snippets there is each time a "could not find
parse string" after the gap.

Searching my logfile for this phrase I can find around 10 of them, but
always as the first log entry of a processed message. So I can't determine
if there is a gap or not. Each of these log lines is for F-Prot while
Scanner 2 (McAfee) is detecting a virus (Netsky, Bagle, ... but no Mytob in
this case).

I'm still using F-Prot 3.15, not 3.16.

Markus


  
  

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Markus,

Take the spool file name corresponding to the "could not find parse
string" and look above it for the beginning of the log entries for that
file.  You might think that this is the first entry for that message,
but it appears that there is a gap in time and you aren't finding the
first entries.  Your entries should look the same or similar to mine. 
The first entry for each such message that passes PRESCAN will start
with the "MIME file" line.  It seems likely that you are experiencing
the same thing.

Matt



Markus Gufler wrote:

  
  
Matt,
how do you search for these F-Prot space gaps?

As I can see from your log snippets there is each time a "could not find parse string" after the space gap.

Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F-Prot while Scanner 2 McAfee is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).

I still have F-Prot 3.15 in use, not 3.16.

Markus
   
   
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 6:57 PM
    To: Declude.Virus@declude.com
    Subject: Re: [Declude.Virus] High CPU F-Prot


After further review, I'm pretty sure that there is an F-Prot issue
going on here.

My server hasn't been hitting 100% yet today, and I also haven't seen
any F-Prot timeouts, however I have found more compelling evidence that
there is an issue with F-Prot that would probably lead to timeouts if
the load was heavy while some messages were scanned.  I searched my
logs today for examples of where McAfee found Mytob, but F-Prot didn't
detect anything.  There were a fair number of examples, and in every
one, F-Prot took an uncharacteristically long time to scan the file. 
Here are three examples that are marked with the gap corresponding to
the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file:
document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension
[application/octet-stream].
  --- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string
Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME:
2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
  
04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64;
Length=55408 Checksum=6875560]
  --- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string
Infection:  in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME:
2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
  
04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64;
Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension
[application/octet-stream].
  --- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string
Infection:  in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME:
2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but
under heavier load, F-Prot was tak

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Nick
On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
> " Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
> 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
> 04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
> 04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
> --- 6 second gap where F-Prot scans message ---
> 04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
> 04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
> 04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
> 04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
> 04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
> 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
> 
> 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
> --- 4 second gap where F-Prot scans message ---
> 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
> 04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
> 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
> 04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
> 
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
> --- 9 second gap where F-Prot scans message ---
> 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
> 
> I'm virtually certain that this is what was happening yesterday, but
> under heavier load, F-Prot was taking longer to scan the messages than
> the 30 seconds that I allow it to. There are no other long delays like
> this that I can find. F-Prot based on past testing should detect a
> typical virus in 100 ms on my system, but it is not only taking much
> more time to scan a very small file, it is also missing the virus.
> 
> I suspect that this is happening on other systems, but the timeout
> issue probably wasn't seen as often because I have my timeout set to
> 30 seconds instead of 60 seconds, and I had very heavy load for much
> of the day yesterday. If others are running two virus scanners
> including F-Prot, it would help to confirm my findings by searching
> for a hit on the second virus scanner hitting, but F-Prot missing and
> also taking several seconds or more to return a result.
> 
> If you search your logs for "Could not find parse string Infection: in
> report.txt", it might help to narrow down the results. I even tested
> with McAfee run first and then F-Prot and these messages would still
> appear when F-Prot didn't detect anything and McAfee did. Here's an
> example with McAfee run first, detected a virus, and then F-Prot took
> its time, generated a report.txt file but didn't return a virus
> result code:
> 
> 04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
> 04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PRO

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler



No, I've checked this already before: there is no appearance 
of the spool file name above this line. All I can see is something 
like

04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection:  in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 13]
04/28/2005 08:00:13 Q7be703950112a342 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 25955]
04/28/2005 08:00:13 Q7be703950112a342 From: [Forged] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
04/28/2005 08:00:13 Q7be703950112a342 Subject: Re:

Markus
 

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 7:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Markus,

Take the spool file name corresponding to the "could not find parse string" and look above it for the beginning of the log entries for that file.  You might think that this is the first entry for that message, but it appears that there is a gap in time and you aren't finding the first entries.  Your entries should look the same or similar to mine.  The first entry for each such message that passes PRESCAN will start with the "MIME file" line.  It seems likely that you are experiencing the same thing.

Matt

Markus Gufler wrote:

Matt,
how do you search for these F-Prot space gaps?

As I can see from your log snippets there is each time a "could not find parse string" after the space gap.

Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F-Prot while Scanner 2 McAfee is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).

I still have F-Prot 3.15 in use, not 3.16.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 6:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

After further review, I'm pretty sure that there is an F-Prot issue going on here.

My server hasn't been hitting 100% yet today, and I also haven't seen any F-Prot timeouts, however I have found more compelling evidence that there is an issue with F-Prot that would probably lead to timeouts if the load was heavy while some messages were scanned.  I searched my logs today for examples of where McAfee found Mytob, but F-Prot didn't detect anything.  There were a fair number of examples, and in every one, F-Prot took an uncharacteristically long time to scan the file.  Here are three examples that are marked with the gap corresponding to the F-Prot delays:

04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection:  in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PRO

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Darrell ([EMAIL PROTECTED])
Matt, 

I am seeing the same thing, but my server (this one) is way more loaded 
than it should be.  Scanner 2 is F-Prot; as you can see, there is an excessive 
amount of time when this issue occurs.  It was so bad that I ended up 
disabling F-Prot until I can get to the bottom of this. 

Darrell 

04/27/2005 01:33:51 Q24299D44015460F4 MIME file: readme.zip [base64; 
Length=56586 Checksum=6993656]
04/27/2005 01:33:51 Q24299D44015460F4 Banning file readme.zip.
04/27/2005 01:33:51 Q24299D44015460F4 Forging virus found: Likely forged 
sender was [EMAIL PROTECTED]
04/27/2005 01:33:51 Q24299D44015460F4 Scanner 1: Virus= the W32/[EMAIL PROTECTED] 
Attachment= [12] O
04/27/2005 01:34:39 Q24299D44015460F4 Could not find parse string Infection: 
in report.txt
04/27/2005 01:34:39 Q24299D44015460F4 File(s) are INFECTED [ the 
W32/[EMAIL PROTECTED]: 8] 

Darrell 

Matt writes: 

After further review, I'm pretty sure that there is an F-Prot issue going 
on here. 

My server hasn't been hitting 100% yet today, and I also haven't seen any 
F-Prot timeouts, however I have found more compelling evidence that there 
is an issue with F-Prot that would probably lead to timeouts if the load 
was heavy while some messages were scanned.  I searched my logs today for 
examples of where McAfee found Mytob, but F-Prot didn't detect anything.  
There were a fair number of examples, and in every one, F-Prot took an 
uncharacteristically long time to scan the file.  Here are three examples 
that are marked with the gap corresponding to the F-Prot delays: 

   04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr
   [base64; Length=52224 Checksum=6533396]
   04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
   04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR
   extension [application/octet-stream].
   *--- 6 second gap where F-Prot scans message ---*
   04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string
   Infection:  in report.txt
   04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the
   W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
   04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the
   W32/[EMAIL PROTECTED]: 13]
   04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
   04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
   04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS
   [MIME: 2 54788]
   04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To:
   [EMAIL PROTECTED] [outgoing from 12.152.254.47]
   04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED 

   04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64;
   Length=55408 Checksum=6875560]
   *--- 4 second gap where F-Prot scans message ---*
   04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string
   Infection:  in report.txt
   04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the
   W32/[EMAIL PROTECTED] Attachment= [0] O
   04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the
   W32/[EMAIL PROTECTED]: 13]
   04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
   04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
   04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS
   [MIME: 2 55605]
   04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED]
   To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
   04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello 

   04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64;
   Length=56320 Checksum=6982245]
   04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
   04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR
   extension [application/octet-stream].
   *--- 9 second gap where F-Prot scans message ---*
   04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string
   Infection:  in report.txt
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the
   W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
   04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the
   W32/[EMAIL PROTECTED]: 13]
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS
   [MIME: 2 56551]
   04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED]
   To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day 

I'm virtually certain that this is what was happening yesterday, but under 
heavier load, F-Prot was taking longer to scan the messages than the 30 
seconds that I allow it to.  There are no other long delays like this that 
I can find.  F-Prot based on past testing should detect a typical virus in 
100 ms on my system, but it is not only taking much more time to scan a 
very small file, it is also missing the virus. 

I suspect that this is happening on other systems, but the t

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Colbeck, Andrew
The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
> " Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
> 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
> 04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
> 04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
> --- 6 second gap where F-Prot scans message ---
> 04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
> 04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
> 04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
> 04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
> 04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
> 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
> 
> 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
> --- 4 second gap where F-Prot scans message ---
> 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
> 04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
> 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
> 04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
> 
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
> --- 9 second gap where F-Prot scans message ---
> 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
> 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
> 
> I'm virtually certain that this is what was happening yesterday, but 
> under heavier load, F-Prot was taking longer to scan the messages than
> the 30 seconds that I allow it to. There are no other long delays like
> this that I can find. F-Prot based on past testing should detect a 
> typical virus in 100 ms on my system, but it is not only taking much 
> more time to scan a very small file, it is also missing the virus.
> 
> I suspect that this is happening on other systems, but the timeout 
> issue probably wasn't seen as often because I have my timeout set to 
> 30 seconds instead of 60 seconds, and I had very heavy load for much 
> of the day yesterday. If others are running two virus scanners 
> including F-Prot, it would 

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Nick,

Thanks for the reply, but I think you missed part of the discussion. 
This is an F-Prot issue.  Also, regardless of not finding a parse
string in report.txt, F-Prot isn't throwing one of the three codes that
people around here consider to be a virus, i.e. 3, 6 or 8.  If it threw
that code, Declude would pick it up as a virus tagged by F-Prot
regardless of what the report.txt showed.  The Report.txt is only used
for identifying the virus, but in this case it is a clue that tells us
that F-Prot is probably throwing an error of some sort since this file
is being generated and shouldn't otherwise be.

Matt




Nick wrote:

  On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
  
" Could not find parse string Infection: in report.txt"

  
  What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
  
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but
under heavier load, F-Prot was taking longer to scan the messages than
the 30 seconds that I allow it to. There are no other long delays like
this that I can find. F-Prot based on past testing should detect a
typical virus in 100 ms on my system, but it is not only taking much
more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout
issue probably wasn't seen as often because I have my timeout set to
30 seconds instead of 60 seconds, and I had very heavy load for much
of the day yesterday. If others are running two virus scanners
including F-Prot, it would help to confirm my findings by searching
for a hit on the second virus scanner hitting, but F-Prot missing and
also taking several seconds or more to return a result.

If you search your logs for "Could not find parse string Infection: in
report.txt", it migh
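
The log check Matt walks through above (search for the "Could not find parse string" line, walk back to the same spool file name's "MIME file" entry, and measure the gap), combined with the report.txt point Andrew and Matt make about F-Prot's return codes, as an added example; this is not code from the thread or from Declude. It assumes the line layout shown in the excerpts; the spool ids and timestamps are copied from the excerpts, while the addresses and virus names (redacted in the archive) are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Declude virus log line: "MM/DD/YYYY HH:MM:SS <spool id> <message>", as in the
# excerpts quoted in the thread.  The spool id is the Q... spool file name.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
# Logged when a scanner's report.txt has no "Infection:" line.  Per the thread,
# only F-Prot return code 3 writes that line; Declude still treats 3, 6 and 8
# as a virus result, so this message alone does not mean "clean".
PARSE_FAIL = "Could not find parse string Infection:"
# Logged when a scanner did report a virus: "Scanner 2: Virus=... Attachment=...".
SCANNER_HIT_RE = re.compile(r"Scanner (\d+): Virus=(.+?) Attachment=")


def parse_line(line):
    """Return (timestamp, spool_id, message), or None for non-matching lines
    (blank lines, the '--- N second gap ---' markers Matt inserted by hand)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2), m.group(3)


def group_by_spool(lines):
    """Group parsed entries by spool id, preserving log order within each id."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, qid, msg = parsed
            groups[qid].append((ts, msg))
    return groups


def find_slow_scanner_misses(lines, min_gap_seconds=2):
    """Flag messages where one scanner reported a virus but another logged the
    parse-string failure, and measure how long the failing scan took.

    The gap runs from the entry immediately before the parse-string line
    (normally the "MIME file" / "Banning file" lines written before the
    scanners run) to the parse-string line itself.  If the parse-string line
    is the first entry seen for that spool id (Markus's situation), the gap
    cannot be measured: it is reported as None so the operator knows to look
    further back in the log rather than assume the scan was fast.
    """
    findings = []
    for qid, entries in group_by_spool(lines).items():
        hits = [m for m in (SCANNER_HIT_RE.search(msg) for _, msg in entries) if m]
        if not hits:
            continue  # no scanner called it a virus; nothing to compare against
        for i, (ts, msg) in enumerate(entries):
            if PARSE_FAIL not in msg:
                continue
            gap = (ts - entries[i - 1][0]).total_seconds() if i > 0 else None
            if gap is None or gap >= min_gap_seconds:
                findings.append({
                    "spool_id": qid,
                    "gap_seconds": gap,
                    "detected_by": "Scanner " + hits[0].group(1),
                    "virus": hits[0].group(2).strip(),
                })
    return findings


# Constructed sample: the first message copies the spool id and timestamps of
# Matt's QB18D740700A83968 excerpt, the second mirrors Markus's Q7be703950112a342
# (parse failure is the first entry seen), the third is a fast control case.
# Addresses and virus names (redacted in the archive) are placeholders.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/Mytob.X@mm Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/Mytob.X@mm: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection:  in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/Netsky.X@mm Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED [W32/Netsky.X@mm: 13]
04/28/2005 10:15:00 Q0000000000000001 MIME file: note.zip [base64; Length=1234 Checksum=99]
04/28/2005 10:15:00 Q0000000000000001 Could not find parse string Infection:  in report.txt
04/28/2005 10:15:00 Q0000000000000001 Scanner 2: Virus=W32/Bagle.X@mm Attachment=note.zip [0] O
"""

if __name__ == "__main__":
    for f in find_slow_scanner_misses(SAMPLE_LOG.splitlines()):
        gap = "unknown (no earlier entry)" if f["gap_seconds"] is None else f"{f['gap_seconds']:.0f} s"
        print(f"{f['spool_id']}: parse failure after {gap}; {f['detected_by']} found {f['virus']}")
```

Run against a real Declude virus log, the same function flags both the slow scans Matt found (a measurable multi-second gap) and the cases Markus hit, where the parse-string line is the first entry seen and the gap must be checked by hand.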

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Markus,

It's there (or should be).  Search for "Q7be703950112a342" appearing
before this block and you should find at least one line corresponding
to the message.

BTW, I just looked at an old log file from April 11th using Declude
1.82, and F-Prot was experiencing the same sorts of delays with the
same characteristics.  Seems like a pretty serious and longer-term
issue with F-Prot.

Matt



Markus Gufler wrote:

  
  
  No I've checked this already
before: there is no appearance of the spool file name above this line.
All I can see is something like
   
  04/28/2005 08:00:13
Q7be703950112a342 Could not find parse string Infection:  in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/[EMAIL PROTECTED]
Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED
[W32/[EMAIL PROTECTED]: 13]
04/28/2005 08:00:13 Q7be703950112a342 Scanned: CONTAINS A VIRUS
[Prescan OK][MIME: 3 25955]
04/28/2005 08:00:13 Q7be703950112a342 From: [Forged] To: [EMAIL PROTECTED]
[incoming from x.x.x.x]
04/28/2005 08:00:13 Q7be703950112a342 Subject: Re:
  
  Markus
   
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 28, 2005 7:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


Markus,

Take the spool file name corresponding to the "could not find parse
string" and look above it for the beginning of the log entries for that
file.  You might think that this is the first entry for that message,
but it appears that there is a gap in time and you aren't finding the
first entries.  Your entries should look the same or similar to mine. 
The first entry for each such message that passes PRESCAN will start
with the "MIME file" line.  It seems likely that you are experiencing
the same thing.

Matt



Markus Gufler wrote:

  
Matt,
how do you search for these F-Prot space gaps?

As I can see from your log snippets there is each time a "could not find parse string" after the space gap.

Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F-Prot while Scanner 2 McAfee is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).

I still have F-Prot 3.15 in use, not 3.16.

Markus
   
   
  
  

 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Thursday, April 28, 2005 6:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


After further review, I'm pretty sure that there is an F-Prot issue
going on here.

My server hasn't been hitting 100% yet today, and I also haven't seen
any F-Prot timeouts, however I have found more compelling evidence that
there is an issue with F-Prot that would probably lead to timeouts if
the load was heavy while some messages were scanned.  I searched my
logs today for examples of where McAfee found Mytob, but F-Prot didn't
detect anything.  There were a fair number of examples, and in every
one, F-Prot took an uncharacteristically long time to scan the file. 
Here are three examples that are marked with the gap corresponding to
the F-Prot delays:
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection:  in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 1

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Andrew,

If you are only using F-Prot, you should be able to find evidence of at
least the delays by searching for "Could not find parse string
Infection" and then checking for a gap above that point to where the
message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been
missing a fair number of viruses every day at least going back to April
11th.  Their new scan engine, 3.16b was released back on March 7th and
this may be related, but I don't have logs going back past April to
confirm.

F-Prot users should all probably pay very close attention to this.  I
haven't yet contacted F-Prot because I'm busy at this moment and this
was only just confirmed by someone else.  I would have to say that
Scott would be quite useful in a situation like this because it
appeared that he had a line of contact with them (Scott, are you out
there?).

Matt



Colbeck, Andrew wrote:

  The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:

" Could not find parse string Infection: in report.txt"

What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick

04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yester
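An added example, not code from the thread, Declude or F-Prot: a Python script that performs the check Matt describes, grouping a Declude virus log by spool ID and measuring the gap from a message's first entry to its "Could not find parse string" line, and then separating the three situations reported in the thread (a measurable delay with the second scanner catching the virus, no earlier entry at all, and F-Prot tagging the file itself with a non-3 return code as in Dan's log). The sample log, the virus names, the spool ID Q0000CONSTRUCTED01 and the 2-second threshold are constructed assumptions.

```python
"""Measure how long F-Prot held each message before Declude logged
'Could not find parse string Infection:' (the check Matt describes).

Added example for this thread, not Declude's or F-Prot's code. Entries are
grouped by spool ID; the gap runs from the message's first logged line (the
'MIME file' line when PRESCAN logs it) to the parse-string line.
"""
import re
from collections import defaultdict
from datetime import datetime

PARSE_STRING_MARKER = "Could not find parse string Infection:"
SECOND_SCANNER_PREFIX = "Scanner 2:"  # McAfee in Matt's and Markus's setups
# 'File(s) are INFECTED [<virus name>: <scanner return code>]' as quoted in the thread
INFECTED_RE = re.compile(r"File\(s\) are INFECTED \[(?P<name>.*?): (?P<code>\d+)\]")

# Constructed sample modelled on the entries quoted in the thread (virus names are
# stand-ins; the archive redacted them). Q0000CONSTRUCTED01 is an unrelated message
# interleaved during the gap, to show why grouping by spool ID matters.
SAMPLE_LOG = """\
04/28/2005 00:07:59 Q619E01AA1367 MIME file: document.zip [base64; Length=142606 Checksum=17710290]
04/28/2005 00:07:59 Q619E01AA1367 Could not find parse string Infection:  in report.txt
04/28/2005 00:07:59 Q619E01AA1367 File(s) are INFECTED [: 8]
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:07 Q0000CONSTRUCTED01 MIME file: notes.txt [base64; Length=512 Checksum=10123]
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=W32/Mytob Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [W32/Mytob: 13]
04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection:  in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/Netsky Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED [W32/Netsky: 13]
"""


def parse_line(line):
    """Split 'MM/DD/YYYY HH:MM:SS <spool-id> <text>' into (timestamp, spool_id, text)."""
    parts = line.rstrip().split(" ", 3)
    if len(parts) < 4:
        return None
    try:
        stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None  # not a log entry (e.g. a blank or annotation line)
    return stamp, parts[2], parts[3]


def analyse(log_text):
    """Return {spool_id: record} for every message that hit the parse-string line.

    record["gap"]       seconds from the message's first entry to the parse-string line,
                        None when that line *is* the first entry (nothing to measure,
                        which is what Markus and Andrew reported)
    record["code"]      return code Declude logged in 'File(s) are INFECTED [...: N]'
    record["other_hit"] True when the second scanner tagged the file afterwards
    """
    entries = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is not None:
            stamp, spool, text = parsed
            entries[spool].append((stamp, text))

    records = {}
    for spool, lines in entries.items():
        lines.sort(key=lambda item: item[0])  # stable: ties keep file order
        marker = next((i for i, (_, t) in enumerate(lines)
                       if t.startswith(PARSE_STRING_MARKER)), None)
        if marker is None:
            continue
        gap = None if marker == 0 else int((lines[marker][0] - lines[0][0]).total_seconds())
        code = None
        for _, text in lines:
            hit = INFECTED_RE.search(text)
            if hit:
                code = int(hit.group("code"))
        other_hit = any(t.startswith(SECOND_SCANNER_PREFIX) for _, t in lines[marker + 1:])
        records[spool] = {"gap": gap, "code": code, "other_hit": other_hit}
    return records


def classify(record, slow_seconds=2):
    """Label a record with the situation the thread distinguishes (threshold assumed)."""
    if record["gap"] is None:
        return "no earlier entry: gap cannot be measured (check LOGLEVEL / PRESCAN logging)"
    if record["gap"] >= slow_seconds and record["other_hit"]:
        return "slow F-Prot scan, virus caught only by the second scanner"
    if record["code"] is not None and not record["other_hit"]:
        return f"F-Prot tagged the file itself with return code {record['code']}"
    return "parse-string line with no delay and no detection"


if __name__ == "__main__":
    for spool, rec in analyse(SAMPLE_LOG).items():
        gap = "n/a" if rec["gap"] is None else f"{rec['gap']}s"
        print(f"{spool:<20} gap={gap:<4} code={rec['code']}  {classify(rec)}")
```

Point it at a real VIRmmdd.log by reading the file into `analyse()`; entries logged below LOGLEVEL HIGH may lack the "MIME file" line, which shows up as a `gap` of None rather than a false delay.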

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler



No, absolutely no trace of the spool filename before the "parse string" line.
I've checked multiple cases in today's logfile now.

Note:
F-Prot is my first, McAfee my second scanner.
F-Prot 3.15, not 3.16.

I have PRESCAN ON in my virus.cfg line.

bye
Markus (have to leave the office now)
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 7:48 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Markus,

  It's there (or should be).  Search for "Q7be703950112a342" appearing before this block and you should find at least one line corresponding to the message.

  BTW, I just looked at an old log file from April 11th using Declude 1.82, and F-Prot was experiencing the same sorts of delays with the same characteristics.  Seems like a pretty serious and longer-term issue with F-Prot.

  Matt

  Markus Gufler wrote:
  


RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Colbeck, Andrew



Matt, no there is no related Q line in my log files above that error.

And given the load on my server, there is no way to correlate a useful gap between my DECmmdd.log and VIRmmdd.log files; rather, I expect random gaps.

Also, I've noticed that F-Prot has definitely leaked viruses, because they're caught on my internal Exchange servers.  Whenever I notice this however, I've been able to attribute these to late pattern updates.

I don't think my server has the problem that you have, but I've certainly looked.

Andrew 8)

  

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Nick
On 28 Apr 2005 at 13:50, Matt wrote:
Sorry about being wrong on both counts.. but I was trying to help!

-Nick



> 
> Nick,
> 
> Thanks for the reply, but I think you missed part of the 
> discussion. This is an F-Prot issue. Also, regardless of not finding a
> parse string in report.txt, F-Prot isn't throwing one of the three
> codes that people around here consider to be a virus, i.e. 3, 6 or 8.
> If it threw that code, Declude would pick it up as a virus tagged by
> F-Prot regardless of what the report.txt showed. The Report.txt is
> only used for identifying the virus, but in this case it is a clue
> that tells us that F-Prot is probably throwing an error of some sort
> since this file is being generated and shouldn't otherwise be.
> 
> Matt
> 
> 
> 
> 
> Nick wrote: 
> On 28 Apr 2005 at 12:57, Matt wrote:
> 
> Matt - 
> 
> If this becomes a real problem that you see and can monitor I
> would revert back to an older scan.exe to eliminate the issue of
> versions.
> 
> This is a possible clue:
> 
> " Could not find parse string Infection: in report.txt"
> 
> What does this mean?
> 
> Your virus.cfg needs a different setup parameter or report.txt
> cannot be found?
> 
> -Nick
> 
> 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr
> [base64; Length=52224 Checksum=6533396] 04/28/2005 05:49:04
> QB18D740700A83968 Invalid SCR Vulnerability 04/28/2005
> 05:49:04 QB18D740700A83968 Banning file with SCR extension
> [application/octet-stream]. --- 6 second gap where F-Prot
> scans message --- 04/28/2005 05:49:10 QB18D740700A83968 Could
> not find parse string Infection: in report.txt 04/28/2005
> 05:49:11 QB18D740700A83968 Scanner 2: Virus=the
> W32/[EMAIL PROTECTED] Attachment=document.scr [0] O 04/28/2005
> 05:49:11 QB18D740700A83968 File(s) are INFECTED [the
> W32/[EMAIL PROTECTED]: 13] 04/28/2005 05:49:11 QB18D740700A83968
> Deleting file with virus 04/28/2005 05:49:11 QB18D740700A83968
> Deleting E-mail with virus! 04/28/2005 05:49:11
> QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
> 04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [outgoing from 12.152.254.47] 04/28/2005
> 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
> 
> 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip
> [base64; Length=55408 Checksum=6875560] --- 4 second gap where
> F-Prot scans message --- 04/28/2005 09:09:45 QE095EDCB006E8802
> Could not find parse string Infection: in report.txt
> 04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the
> W32/[EMAIL PROTECTED] Attachment= [0] O 04/28/2005 09:09:46
> QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]:
> 13] 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with
> virus 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail
> with virus! 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned:
> CONTAINS A VIRUS [MIME: 2 55605] 04/28/2005 09:09:46
> QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To:
> [EMAIL PROTECTED] [outgoing from 208.7.179.200] 04/28/2005
> 09:09:46 QE095EDCB006E8802 Subject: hello
> 
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr
> [base64; Length=56320 Checksum=6982245] 04/28/2005 09:47:55
> QE98BF4DC00DA98FB Invalid SCR Vulnerability 04/28/2005
> 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension
> [application/octet-stream]. --- 9 second gap where F-Prot
> scans message --- 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could
> not find parse string Infection: in report.txt 04/28/2005
> 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the
> W32/[EMAIL PROTECTED] Attachment=data.scr [0] O 04/28/2005 09:48:05
> QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]:
> 13] 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with
> virus 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail
> with virus! 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned:
> CONTAINS A VIRUS [MIME: 2 56551] 04/28/2005 09:48:05
> QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To:
> [EMAIL PROTECTED] [outgoing from 208.7.179.200] 04/28/2005
> 09:48:05 QE98BF4DC00DA98FB Subject: Good day
> I'm virtually certain that this is what was happening yesterday,
> but under heavier load, F-Prot was taking longer to scan the
> messages than the 30 seconds that I allow it to. There are no
> other long delays like this that I can find. F-Prot based on past
> testing should detect a typical virus in 100 ms on my system, but
> it is not only taking much more time to scan a very small file, it
> is also missing the virus.
> 
> I suspect that t

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Nick,

I know.  I sometimes don't read carefully myself :)

Matt



Nick wrote:

  On 28 Apr 2005 at 13:50, Matt wrote:
Sorry about being wrong on both counts.. but I was trying to help!

-Nick



  
  
Nick,

Thanks for the reply, but I think you missed part of the 
discussion. This is an F-Prot issue. Also, regardless of not finding a
parse string in report.txt, F-Prot isn't throwing one of the three
codes that people around here consider to be a virus, i.e. 3, 6 or 8.
If it threw that code, Declude would pick it up as a virus tagged by
F-Prot regardless of what the report.txt showed. The Report.txt is
only used for identifying the virus, but in this case it is a clue
that tells us that F-Prot is probably throwing an error of some sort
since this file is being generated and shouldn't otherwise be.

Matt




Nick wrote: 
On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I
would revert back to an older scan.exe to eliminate the issue of
versions.

This is a possible clue:

" Could not find parse string Infection: in report.txt"

What does this mean?

Your virus.cfg needs a different setup parameter or report.txt
cannot be found?

-Nick

04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr
[base64; Length=52224 Checksum=6533396] 04/28/2005 05:49:04
QB18D740700A83968 Invalid SCR Vulnerability 04/28/2005
05:49:04 QB18D740700A83968 Banning file with SCR extension
[application/octet-stream]. --- 6 second gap where F-Prot
scans message --- 04/28/2005 05:49:10 QB18D740700A83968 Could
not find parse string Infection: in report.txt 04/28/2005
05:49:11 QB18D740700A83968 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment=document.scr [0] O 04/28/2005
05:49:11 QB18D740700A83968 File(s) are INFECTED [the
W32/[EMAIL PROTECTED]: 13] 04/28/2005 05:49:11 QB18D740700A83968
Deleting file with virus 04/28/2005 05:49:11 QB18D740700A83968
Deleting E-mail with virus! 04/28/2005 05:49:11
QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [outgoing from 12.152.254.47] 04/28/2005
05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip
[base64; Length=55408 Checksum=6875560] --- 4 second gap where
F-Prot scans message --- 04/28/2005 09:09:45 QE095EDCB006E8802
Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment= [0] O 04/28/2005 09:09:46
QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]:
13] 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with
virus 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail
with virus! 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned:
CONTAINS A VIRUS [MIME: 2 55605] 04/28/2005 09:09:46
QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [outgoing from 208.7.179.200] 04/28/2005
09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr
[base64; Length=56320 Checksum=6982245] 04/28/2005 09:47:55
QE98BF4DC00DA98FB Invalid SCR Vulnerability 04/28/2005
09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension
[application/octet-stream]. --- 9 second gap where F-Prot
scans message --- 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could
not find parse string Infection: in report.txt 04/28/2005
09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment=data.scr [0] O 04/28/2005 09:48:05
QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]:
13] 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with
virus 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail
with virus! 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned:
CONTAINS A VIRUS [MIME: 2 56551] 04/28/2005 09:48:05
QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [outgoing from 208.7.179.200] 04/28/2005
09:48:05 QE98BF4DC00DA98FB Subject: Good day
I'm virtually certain that this is what was happening yesterday,
but under heavier load, F-Prot was taking longer to scan the
messages than the 30 seconds that I allow it to. There are no
other long delays like this that I can find. F-Prot based on past
testing should detect a typical virus in 100 ms on my system, but
it is not only taking much more time to scan a very small file, it
is also missing the virus.

I suspect that this is happening on other systems, but the timeout
issue probably wasn't seen as often because

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Markus and Andrew,

I think I have an idea as to possibly why.  I run Declude Virus at
LOGLEVEL HIGH.  Maybe you guys are logging at a different level.  FYI,
the HIGH level doesn't produce an inordinate amount of data by any
means.

I went back to my oldest Virus log where I was also running Declude
1.82 and there are definitely a fair number of examples back then as
well, though this isn't a huge number in comparison to the total number
of viruses that are detected each day.  Here's one example of a 10
second gap from April 1st running Declude 1.82 and both F-Prot and
McAfee, where McAfee tags the virus and F-Prot takes 10 seconds to
error.
04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: gsbfgwcjnx.bmp [base64; Length=1846 Checksum=281466]
04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: Dog.zip [base64; Length=26047 Checksum=3314327]
04/01/2005 14:37:00 Qa2dce53900ee9f9d Found encrypted .ZIP file
04/01/2005 14:37:00 Qa2dce53900ee9f9d Banning .ZIP file with encrypted EXE extension.
--- 10 second gap while F-Prot scans ---
04/01/2005 14:37:10 Qa2dce53900ee9f9d Could not find parse string Infection:  in report.txt
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=Dog.zip [0] O
04/01/2005 14:37:11 Qa2dce53900ee9f9d File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting file with virus
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting E-mail with virus!
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 28098]
04/01/2005 14:37:11 Qa2dce53900ee9f9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Subject: Re:

Matt




Colbeck, Andrew wrote:

  
  
  

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Dan Horne



Using F-Prot only and this is NOT occurring on my machine: 3 instances of "Could not find parse string Infection" in today's log and none have a gap, they are all hitting on VIRUSCODE 8 apparently:

04/28/2005 00:07:59 Q619E01AA1367 MIME file: document.zip [base64; Length=142606 Checksum=17710290]
04/28/2005 00:07:59 Q619E01AA1367 Could not find parse string Infection: in report.txt
04/28/2005 00:07:59 Q619E01AA1367 File(s) are INFECTED [: 8]
04/28/2005 00:07:59 Q619E01AA1367 Deleting file with virus
04/28/2005 00:07:59 Q619E01AA1367 Deleting E-mail with virus!
04/28/2005 00:07:59 Q619E01AA1367 Scanned: CONTAINS A VIRUS [MIME: 2 142806]
04/28/2005 00:07:59 Q619E01AA1367 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 68.118.154.7]
04/28/2005 00:07:59 Q619E01AA1367 Subject: HELLO

04/28/2005 00:35:56 Q682B01AA14BE MIME file: document.zip [base64; Length=142458 Checksum=17704773]
04/28/2005 00:35:56 Q682B01AA14BE Could not find parse string Infection: in report.txt
04/28/2005 00:35:56 Q682B01AA14BE File(s) are INFECTED [: 8]
04/28/2005 00:35:56 Q682B01AA14BE Deleting file with virus
04/28/2005 00:35:56 Q682B01AA14BE Deleting E-mail with virus!
04/28/2005 00:35:56 Q682B01AA14BE Scanned: CONTAINS A VIRUS [MIME: 2 142636]
04/28/2005 00:35:56 Q682B01AA14BE From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 68.118.154.7]
04/28/2005 00:35:56 Q682B01AA14BE Subject: Status

04/28/2005 10:34:47 QF48701991704 MIME file: body.zip [base64; Length=142598 Checksum=17709450]
04/28/2005 10:34:47 QF48701991704 Could not find parse string Infection: in report.txt
04/28/2005 10:34:47 QF48701991704 File(s) are INFECTED [: 8]
04/28/2005 10:34:47 QF48701991704 Deleting file with virus
04/28/2005 10:34:47 QF48701991704 Deleting E-mail with virus!
04/28/2005 10:34:47 QF48701991704 Scanned: CONTAINS A VIRUS [MIME: 2 142775]
04/28/2005 10:34:47 QF48701991704 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 68.118.154.7]
04/28/2005 10:34:47 QF48701991704 Subject: Good day

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 1:58 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Andrew,

  If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

  If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

  F-Prot users should all probably pay very close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

  Matt

  Colbeck, Andrew wrote: 
  The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
" Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with vir
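Matt's check (search the Declude Virus log for "Could not find parse string Infection", then look back to the first line logged for that Q-ID and measure the gap) is easy to script, and doing so also separates Dan's case (no gap, "[: 8]", no other scanner involved) from Matt's (a multi-second gap, with McAfee as scanner 2 supplying the name). The script below is an added example written for this archive; it is not code from the thread or from Declude. It assumes the "MM/DD/YYYY HH:MM:SS Q-ID text" layout of the entries quoted above and that the number in the trailing "[name: N]" of the "File(s) are INFECTED" line is the exit code of whichever scanner produced the verdict (8 from F-Prot alone in Dan's entries, 13 from McAfee in Matt's). The sample log is constructed in that format, with a placeholder virus name because the archive redacted the real one.

```python
"""Added example (not from the thread or from Declude): script Matt's check
on Declude Virus logs.  For every Q-ID whose entries contain
"Could not find parse string Infection: in report.txt", report the seconds
between the first line logged for that message and the failure, the exit
code Declude recorded in the trailing "[name: N]" of the INFECTED line, and
whether another scanner supplied the virus name."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format of the thread's entries; the virus
# name is a placeholder because the archive redacted the real one.
SAMPLE_LOG = """\
04/28/2005 00:07:59 Q619E01AA1367 MIME file: document.zip [base64; Length=142606 Checksum=17710290]
04/28/2005 00:07:59 Q619E01AA1367 Could not find parse string Infection: in report.txt
04/28/2005 00:07:59 Q619E01AA1367 File(s) are INFECTED [: 8]
04/28/2005 00:07:59 Q619E01AA1367 Scanned: CONTAINS A VIRUS [MIME: 2 142806]
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/Placeholder@MM Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/Placeholder@MM: 13]
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 52424]
04/28/2005 05:49:12 QB18D740700A83970 MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/28/2005 05:49:12 QB18D740700A83970 Scanned: Virus Free [MIME: 1 672]
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q\w+) (.*)$")
PARSE_FAIL = "Could not find parse string"
INFECTED_RE = re.compile(r"File\(s\) are INFECTED \[(.*): (\d+)\]$")
SCANNER_N_RE = re.compile(r"^Scanner \d+: Virus=")


def parse_log(text):
    """Group entries by Q-ID in file order: {qid: [(timestamp, message), ...]}."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:          # wrapped continuation lines from a mail archive, etc.
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entries[m.group(2)].append((ts, m.group(3)))
    return entries


def parse_string_failures(text):
    """Return one dict per message that hit the parse-string failure."""
    results = []
    for qid, lines in parse_log(text).items():
        first_ts = lines[0][0]
        fail_ts = next((ts for ts, msg in lines if msg.startswith(PARSE_FAIL)), None)
        if fail_ts is None:
            continue
        name, code = "", None
        for _, msg in lines:
            m = INFECTED_RE.search(msg)
            if m:
                name, code = m.group(1), int(m.group(2))
        results.append({
            "qid": qid,
            "gap_seconds": int((fail_ts - first_ts).total_seconds()),
            "exit_code": code,            # code of the scanner whose verdict was logged
            "virus_name": name,
            "named_by_other_scanner": any(SCANNER_N_RE.match(msg) for _, msg in lines),
        })
    return results


def summarize(text, gap_threshold=2):
    """One line per failure: was the scan slow, and did any scanner name the
    virus (with a single scanner, "no scanner named it" is the leakage case)."""
    out = []
    for r in parse_string_failures(text):
        slow = "SLOW" if r["gap_seconds"] >= gap_threshold else "fast"
        who = "named by another scanner" if r["named_by_other_scanner"] else "no scanner named it"
        out.append(f"{r['qid']}: {slow} ({r['gap_seconds']}s), code {r['exit_code']}, {who}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a real VIRmmdd.log by reading the file into `summarize`; entries logged at LOGLEVEL MID may lack the "MIME file:" line, in which case the gap is measured from whatever line Declude logged first for that Q-ID, which is the point Markus raises later in the thread.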

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Bill Landry



Matt, I searched 2 weeks of logs on both of my 
servers (both of which run F-Prot and TrendMicro) and could only find 4 
instances of "Could not find parse string Infection", and they were found on the 
server that is very heavily loaded.  I use the following F-Prot strings in 
my virus.cfg:
 
# F-Prot
SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
VIRUSCODE1  8
VIRUSCODE1  9
VIRUSCODE1  10
REPORT1 Infection:
 
Here is a sample of what I find if I parse for 5 
lines before and after the target Q-ID:
 
04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
 
I didn't find a time gap in any of the "Could not 
find parse string Infection" log entries I found.
 
Bill

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Thursday, April 28, 2005 10:58 AM
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Andrew,

  If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

  If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

  F-Prot users should all probably pay very close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

  Matt

  Colbeck, Andrew wrote: 
  The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
" Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTEC

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler



it seems to me that talking (or writing) is a good idea.
 
why viruscode 9 and 10? Have I missed 
something?
 
Markus
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
  Sent: Thursday, April 28, 2005 10:32 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] High CPU F-Prot
  
  Matt, I searched 2 weeks of logs on both of my 
  servers (both of which run F-Prot and TrendMicro) and could only find 4 
  instances of "Could not find parse string Infection", and they were found on 
  the server that is very heavily loaded.  I use the following F-Prot 
  strings in my virus.cfg:
   
  # F-Prot
  SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
  VIRUSCODE1  3
  VIRUSCODE1  6
  VIRUSCODE1  8
  VIRUSCODE1  9
  VIRUSCODE1  10
  REPORT1 Infection:
   
  Here is a sample of what I find if I parse for 5 
  lines before and after the target Q-ID:
   
  04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
  04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
  04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
  04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
  04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
  04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
  04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
  04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
  04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
  04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
  04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
  04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
  04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
  04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
  04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
  04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
  04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
   
  I didn't find a time gap in any of the "Could not 
  find parse string Infection" log entries I found.
   
  Bill
  
- Original Message - 
From: Matt 
To: Declude.Virus@declude.com 
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot

Andrew,

If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

Matt

Colbeck, Andrew wrote: 
The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
  " Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
  04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
  04/28/2005 05:49:04 QB18D74

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




Bill,

I assume that this is probably resulting in an exit code of 9 or 10
then because I'm not using either at the moment, and you are the first
that I definitively know has them configured.
9 - At least one object was not scanned (encrypted file,
unsupported/unknown compression method, unsupported/unknown file
format, corrupted or invalid file).
  
10 - At least one archive object was not scanned (contains more than N
levels of nested archives, as specified with -archive switch).

Since some of these are not zip files on my system, I am going to
assume that it is an exit code of 9 that is being spit out.  A file
corruption might also explain the issues with F-Prot taking longer on
my system.

Anyway, I just started to not delete viruses so I should catch one of
these soon and then I can work at processing it manually to see what I
find.

Thanks for sharing.  This was helpful.

Matt



Bill Landry wrote:

  
  
  
  Matt, I searched 2 weeks of logs on
both of my servers (both of which run F-Prot and TrendMicro) and could
only find 4 instances of "Could not find parse string Infection", and
they were found on the server that is very heavily loaded.  I use the
following F-Prot strings in my virus.cfg:
   
  # F-Prot
SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB
-NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT
-REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
VIRUSCODE1  8
VIRUSCODE1  9
VIRUSCODE1  10
REPORT1 Infection:
   
  Here is a sample of what I find if I
parse for 5 lines before and after the target Q-ID:
   
04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
   
  I didn't find a time gap in any of
the "Could not find parse string Infection" log entries I found.
   
  Bill
  
- Original Message - 
From: Matt
To: Declude.Virus@declude.com 
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot


Andrew,

If you are only using F-Prot, you should be able to find evidence of at
least the delays by searching for "Could not find parse string
Infection" and then checking for a gap above that point to where the
message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been
missing a fair number of viruses every day at least going back to April
11th.  Their new scan engine, 3.16b was released back on March 7th and
this may be related, but I don't have logs going back past April to
confirm.

F-Prot users should all probably pay very close attention to this.  I
haven't yet contacted F-Prot because I'm busy at this moment and this
was only just confirmed by someone else.  I would have to say that
Scott would be quite useful in a situation like this because it
appeared that he had a line of contact with them (Scott, are you out
there?).

Matt



Colbeck, Andrew wrote:

  The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this b

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Markus Gufler



I'm using LOGLEVEL MID in my logfile, so this must be the cause of the missing previous loglines.
 
I've logfiles back to 03/2004 and have made some sporadic checks. These few "could not find parse" have been there for over 10 months now. Due to the missing previous loglines I can't say if this was caused by a scanner timeout or not. As already said, the second scanner is detecting Zafi, Bagle, Netsky ... so nothing special and also nothing new that would cause an exit code 8 from f-prot due to missing updated signatures.
 
At least I can say that I haven't seen any case where the second scanner hasn't caught the virus.
 
Another aspect: why should Declude try to parse report.txt if the engine hasn't reported a virus with the exit code?
Besides the problem that f-prot seems to use a lot of CPU, I believe that it will not time out but will detect something and, for whatever reason, will not write report.txt, or not a complete report.txt.
 
I believe also that /(P|M)ANALYZE could be a good reason for increased CPU usage, even if I can't explain why it should happen only for a few messages each day.
 
Another idea: why not set up a Declude virus configuration in a separate folder, with or without the second scanner, and test the held message (by scanner2) again? It would be interesting to see if the same space gap can be reproduced or if we must search for another reason for the sporadic appearance...
 
good night from GMT+1
Markus
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 8:52 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Markus and Andrew,

  I think I have an idea as to possibly why.  I run Declude Virus at LOGLEVEL HIGH.  Maybe you guys are logging at a different level.  FYI, the HIGH level doesn't produce an inordinate amount of data by any means.

  I went back to my oldest Virus log where I was also running Declude 1.82 and there are definitely a fair number of examples back then as well, though this isn't a huge number in comparison to the total number of viruses that are detected each day.  Here's one example of a 10 second gap from April 1st running Declude 1.82 and both F-Prot and McAfee, where McAfee tags the virus and F-Prot takes 10 seconds to error.

  04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: gsbfgwcjnx.bmp [base64; Length=1846 Checksum=281466]
  04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: Dog.zip [base64; Length=26047 Checksum=3314327]
  04/01/2005 14:37:00 Qa2dce53900ee9f9d Found encrypted .ZIP file
  04/01/2005 14:37:00 Qa2dce53900ee9f9d Banning .ZIP file with encrypted EXE extension.
  --- 10 second gap while F-Prot scans ---
  04/01/2005 14:37:10 Qa2dce53900ee9f9d Could not find parse string Infection:  in report.txt
  04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=Dog.zip [0] O
  04/01/2005 14:37:11 Qa2dce53900ee9f9d File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
  04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting file with virus
  04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting E-mail with virus!
  04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 28098]
  04/01/2005 14:37:11 Qa2dce53900ee9f9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
  04/01/2005 14:37:11 Qa2dce53900ee9f9d Subject: Re:

  Matt

  Colbeck, Andrew wrote: 
  

Matt, no there is no related Q line in my log files above that 
error.
 
And given the load on my server, there is no way to correlate a 
useful gap between my DECmmdd.log and VIRmmdd.log files; rather, I expect 
random gaps.
 
Also, I've noticed that F-Prot has definitely leaked viruses, because 
they're caught on my internal Exchange servers.  Whenever I notice this 
however, I've been able to attribute these to late pattern 
updates.
 
I 
don't think my server has problem that you have, but I've certainly 
looked.
 
Andrew 8)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 10:58 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Andrew,

  If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

  If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Nick
On 28 Apr 2005 at 16:44, Matt wrote:

Hi Matt,

> I assume that this is probably resulting in an exit code of 9 or 10
> then because I'm not using either at the moment, and you are the first
> that I definitively know has them configured.
I do not use these codes either - I had 4 "Could not find parse 
string Infection" in my logs today. The average delay was 4 seconds.

Is the answer to add the additional exit codes or is there a downside to 
that?

-Nick


> 9 - At least one object was not scanned (encrypted file, 
> unsupported/unknown compression method, unsupported/unknown file
> format, corrupted or invalid file).
> 
> 10 - At least one archive object was not scanned (contains more
> than N levels of nested archives, as specified with -archive
> switch).
> Since some of these are not zip files on my system, I am going to
> assume that it is an exit code of 9 that is being spit out. A file
> corruption might also explain the issues with F-Prot taking longer on
> my system.
> 
> Anyway, I just started to not delete viruses so I should catch one of
> these soon and then I can work at processing it manually to see what I
> find.
> 
> Thanks for sharing. This was helpful.
> 
> Matt
> 
> 
> 
> Bill Landry wrote: 
> Matt, I searched 2 weeks of logs on both of my servers (both of
> which run F-Prot and TrendMicro) and could only find 4 instances
> of "Could not find parse string Infection", and they were found on
> the server that is very heavily loaded. I use the following F-Prot
> strings in my virus.cfg:
> 
> # F-Prot
> SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB 
> -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -
> REPORT=report.txt
> VIRUSCODE1 3
> VIRUSCODE1 6
> VIRUSCODE1 8
> VIRUSCODE1 9
> VIRUSCODE1 10
> REPORT1 Infection:
> 
> Here is a sample of what I find if I parse for 5 lines before and
> after the target Q-ID:
> 
> 04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3
> 36875] 04/20/2005 11:53:25 Qa523e08f00e25924 MIME file:
> [text/html][quoted- printable; Length=10177 Checksum=774898]
> 04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2
> 11904] 04/20/2005 11:53:27 Qa510a96d00c4590a MIME file:
> [text/html][quoted- printable; Length=11036 Checksum=792412]
> 04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2
> 14609] 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file:
> [text/html][7bit; Length=52 Checksum=3520] 04/20/2005 11:53:29
> Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404
> Checksum=2507990] 04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find
> parse string Infection: in report.txt 04/20/2005 11:53:30
> Qa51fa9a300ec591e File(s) are INFECTED [: 0] 04/20/2005 11:53:30
> Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522] 04/20/2005
> 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To:
> [EMAIL PROTECTED] [incoming from 165.165.221.208] 04/20/2005
> 11:53:30 Qa51fa9a300ec591e Subject: 04/20/2005 11:53:32
> Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087] 04/20/2005
> 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
> 04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1
> 752] 04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file:
> [text/html][8bit; Length=8334 Checksum=681405] 04/20/2005 11:53:37
> Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
> 
> I didn't find a time gap in any of the "Could not find parse string
> Infection" log entries I found.
> 
> Bill
> - Original Message - 
> From: Matt 
> To: Declude.Virus@declude.com 
> Sent: Thursday, April 28, 2005 10:58 AM
> Subject: Re: [Declude.Virus] High CPU F-Prot
> 
> Andrew,
> 
> If you are only using F-Prot, you should be able to find evidence of
> at least the delays by searching for "Could not find parse string
> Infection" and then checking for a gap above that point to where the
> message began to be scanned.
> 
> If I'm correct about this, and it seems that I am, F-Prot has been
> missing a fair number of viruses every day at least going back to
> April 11th. Their new scan engine, 3.16b was released back on March
> 7th and this may be related, but I don't have logs going back past
> April to confirm.
> 
> F-Prot users should all probably pay very close attention to this. I
> haven't yet contacted F-Prot because I'm busy at this moment and this
> was only just confirmed by someone else. I would have to say that
> Scott would be quite useful in a situation like this because it
> appeared that he had a line of contact with them (Scott, are you out
> there?).
> 
> Matt
> 
> 
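Nick's question (add exit codes 9 and 10 to VIRUSCODE, or not?) turns on the decision rule that Andrew's explanation and Bill's virus.cfg together describe: an exit code listed as a VIRUSCODE means "infected", Declude then searches the scanner's report file for the REPORT string to get a virus name, and "Could not find parse string" is logged when that string is absent, which is the case for every F-Prot code other than 3. The following is an added example written for this archive to make that rule concrete; it is not Declude's code and not from the thread. It runs a stand-in scanner (a hypothetical Python one-liner that writes a report line and exits with a chosen code) so that it works without fpcmd.exe installed, and the only exit-code meanings it records are the ones quoted in the thread.

```python
"""Added example (not Declude's code, not from the thread): a model of the
verdict rule implied by the thread's log lines.  A scanner exit code listed
under VIRUSCODE means "infected"; the REPORT string is then searched for in
the scanner's report file to name the virus, and "Could not find parse
string ..." is logged when it is absent.  The stand-in scanner below is a
Python one-liner, so the example runs without fpcmd.exe."""
import os
import subprocess
import sys
import tempfile

# Exit-code meanings quoted in the thread; other codes are left undescribed here.
FPROT_EXIT_FROM_THREAD = {
    3: "infected object found; the only code that writes an 'Infection:' line",
    9: "at least one object not scanned (encrypted, unknown format, corrupted)",
    10: "at least one archive object not scanned (deeper than the -ARCHIVE limit)",
}


def declude_verdict(exit_code, report_text, viruscodes, parse_string="Infection:"):
    """Return (infected, virus_name, log_lines) for one scanner result.

    viruscodes is the set of codes configured as VIRUSCODE lines; the log
    lines mimic the ones quoted in the thread."""
    if exit_code not in viruscodes:
        return False, "", []
    name = ""
    for line in report_text.splitlines():
        if parse_string in line:
            name = line.split(parse_string, 1)[1].strip()
            break
    log = []
    if not name:
        log.append(f"Could not find parse string {parse_string} in report.txt")
    log.append(f"File(s) are INFECTED [{name}: {exit_code}]")
    return True, name, log


def run_scanner(cmd, report_path, viruscodes, timeout=60):
    """Run a command-line scanner that writes report_path, then apply the rule.
    Returns None on timeout (the case Matt saw in his logs)."""
    try:
        proc = subprocess.run(cmd, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    report = ""
    if os.path.exists(report_path):
        with open(report_path) as fh:
            report = fh.read()
    return declude_verdict(proc.returncode, report, viruscodes)


# Hypothetical stand-in for fpcmd.exe: writes the given report line (if any)
# to the report file, then exits with the given code.
STUB_SCANNER = (
    "import sys; "
    "sys.argv[2] and open(sys.argv[1], 'w').write(sys.argv[2] + '\\n'); "
    "sys.exit(int(sys.argv[3]))"
)


def stub_scan(exit_code, report_line="", viruscodes=(3, 6, 8, 9, 10)):
    """Drive run_scanner with the stub; the default viruscodes are Bill's list."""
    with tempfile.TemporaryDirectory() as tmp:
        report = os.path.join(tmp, "report.txt")
        cmd = [sys.executable, "-c", STUB_SCANNER, report, report_line, str(exit_code)]
        return run_scanner(cmd, report, set(viruscodes))


if __name__ == "__main__":
    # Code 3 with a report line names the virus; code 8 with no 'Infection:'
    # line reproduces Dan's "[: 8]" entries; with 9 left out of VIRUSCODE an
    # unscanned object passes as clean, which is the trade-off Nick asks about.
    print(stub_scan(3, "Infection: EICAR_Test_File"))
    print(stub_scan(8))
    print(stub_scan(9, viruscodes=(3, 6, 8)))
```

The model makes the trade-off visible: listing 9 and 10 as VIRUSCODEs turns every unscannable object (encrypted archive, unknown format, corrupted file, nested too deep) into a nameless "INFECTED" verdict, while leaving them out lets the same objects through as clean.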

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Dan Horne



I also have 9 and 10 configured, and as before, no 
gap.  The lines are coming with a result code of 8.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 4:44 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Bill,

  I assume that this is probably resulting in an exit code of 9 or 10 then because I'm not using either at the moment, and you are the first that I definitively know has them configured.

  9 - At least one object was not scanned (encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file).

  10 - At least one archive object was not scanned (contains more than N levels of nested archives, as specified with -archive switch).

  Since some of these are not zip files on my system, I am going to assume that it is an exit code of 9 that is being spit out.  A file corruption might also explain the issues with F-Prot taking longer on my system.

  Anyway, I just started to not delete viruses so I should catch one of these soon and then I can work at processing it manually to see what I find.

  Thanks for sharing.  This was helpful.

  Matt

  Bill Landry wrote: 
  



Matt, I searched 2 weeks of logs on both of my 
servers (both of which run F-Prot and TrendMicro) and could only find 4 
instances of "Could not find parse string Infection", and they were found on 
the server that is very heavily loaded.  I use the following F-Prot 
strings in my virus.cfg:
 
# F-Prot
SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
VIRUSCODE1  8
VIRUSCODE1  9
VIRUSCODE1  10
REPORT1 Infection:
 
Here is a sample of what I find if I parse for 
5 lines before and after the target Q-ID:
 
04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
 
I didn't find a time gap in any of the "Could 
not find parse string Infection" log entries I found.
 
Bill

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Thursday, April 28, 2005 10:58 AM
  Subject: Re: [Declude.Virus] High CPU F-Prot

  Andrew,

  If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

  If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th.  Their new scan engine, 3.16b was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

  F-Prot users should all probably pay very close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

  Matt

  Colbeck, Andrew wrote: 
  The "could not parse" string 

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt




You should be fine with a second scanner.  That's why we use them
anyway.  McAfee has caught every one of these that I have seen, and
I've looked at about 40 examples so far.  Many would fail banned
extensions otherwise anyway.

While you apparently could add another virus code to Declude for these
situations (not yet verified), I'm worried that this is more of a
general error and it could cause false positives.  A corrupted file
isn't what I would consider to be uncommon in legit E-mail, although
the primary issue is that we only have one sentence with which to
evaluate this exit code from F-Prot.

Most Declude users that use only F-Prot are probably experiencing
significant leakage of otherwise detectable viruses, and are also
probably creating extra backscatter for banned extensions where no
virus was detected.

Besides that there's the fact that F-Prot is taking so long.  It
appears to also coincide with increased CPU utilization which might
explain Darrell's experience, and in a different respect, mine
yesterday with all of the F-Prot timeouts.  This has been going on for
at least a month.  I assume that the increased time corresponds to not
only keeping more Declude processes open, but also increased CPU
utilization.  Such a condition is ripe for exploiting, and I'm
concerned that it has existed for so long without resolution, and maybe
even detection...

Matt



Nick wrote:

Hi Matt,

On 28 Apr 2005 at 16:44, Matt wrote:

I assume that this is probably resulting in an exit code of 9 or 10
then because I'm not using either at the moment, and you are the first
that I definitively know has them configured.

I do not use these codes either - I had 4 "Could not find parse
string Infection" in my logs today. The average delay was 4 seconds.

Is the answer to add the additl exit codes or is there a downside to 
that?

-Nick


9 - At least one object was not scanned (encrypted file,
unsupported/unknown compression method, unsupported/unknown file
format, corrupted or invalid file).

10 - At least one archive object was not scanned (contains more
than N levels of nested archives, as specified with -archive
switch).

Since some of these are not zip files on my system, I am going to
assume that it is an exit code of 9 that is being spit out. A file
corruption might also explain the issues with F-Prot taking longer on
my system.

Anyway, I just started to not delete viruses so I should catch one of
these soon and then I can work at processing it manually to see what I
find.

Thanks for sharing. This was helpful.

Matt



Bill Landry wrote: 
Matt, I searched 2 weeks of logs on both of my servers (both of
which run F-Prot and TrendMicro) and could only find 4 instances
of "Could not find parse string Infection", and they were found on
the server that is very heavily loaded. I use the following F-Prot
strings in my virus.cfg:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:

Here is a sample of what I find if I parse for 5 lines before and
after the target Q-ID:

04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]

I didn't find a time gap in any of the "Could not find parse string
Infection" log entries I found.

Bill
- Original Message - 
From: Matt 
To: Declude.Virus@declude.com 
Sent: Thursday, April 28, 2005 10:58 AM
Sub
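The check Matt asks for above (search the Declude virus log for "Could not find parse string Infection", then look for a gap between the first log line for that Q-ID and the marker) and the five-lines-either-side context Bill pulled can be scripted. The following is an added Python example written for this thread; it is not code from the list, from Declude or from F-Prot. The sample log is Bill's posted excerpt, one entry per line, followed by two constructed entries under the hypothetical Q-ID Qconstructed0001 that show what a real scan delay would look like. It assumes the log format visible in the excerpt ("MM/DD/YYYY HH:MM:SS Q-ID message") and that the Q-ID's first log line marks the start of scanning, which is the best proxy this log offers.

```python
"""Added example: find Declude "Could not find parse string" events, measure
how long after the message's first log line they occur, and pull context."""
import re
from datetime import datetime
from typing import Dict, List

# Declude virus log line, as seen in the excerpt: "MM/DD/YYYY HH:MM:SS <Q-ID> <message>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\S+)\s*(.*)$")
MARKER = "Could not find parse string"

# Sample input: Bill's log excerpt, one entry per line, followed by two
# CONSTRUCTED entries (hypothetical Q-ID Qconstructed0001, not from the thread)
# whose 47-second gap is what a genuine scanner delay would look like.
SAMPLE_LOG = """\
04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:54:00 Qconstructed0001 MIME file: sample.zip [base64; Length=1 Checksum=1]
04/20/2005 11:54:47 Qconstructed0001 Could not find parse string Infection: in report.txt
"""


def parse_log(text: str) -> List[dict]:
    """Return one dict per parseable line: ts (datetime), qid, msg, raw.
    Lines that do not match the Declude entry format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entries.append({"ts": ts, "qid": m.group(2), "msg": m.group(3), "raw": raw})
    return entries


def parse_string_misses(entries: List[dict], marker: str = MARKER) -> List[dict]:
    """For each marker line, report its index, Q-ID and the delay in seconds
    since the first entry seen for that Q-ID (the gap Matt describes).
    Assumes one day of log: the format carries dates, so midnight is fine,
    but entries must be in file order."""
    first_seen: Dict[str, datetime] = {}
    hits = []
    for i, e in enumerate(entries):
        first_seen.setdefault(e["qid"], e["ts"])
        if marker in e["msg"]:
            delay = (e["ts"] - first_seen[e["qid"]]).total_seconds()
            hits.append({"index": i, "qid": e["qid"], "delay_seconds": delay})
    return hits


def context_window(entries: List[dict], index: int, before: int = 5, after: int = 5) -> List[str]:
    """Raw log lines around one entry, like the 5-before/5-after view Bill posted."""
    lo = max(0, index - before)
    return [e["raw"] for e in entries[lo:index + after + 1]]


def slow_misses(hits: List[dict], threshold_seconds: float) -> List[str]:
    """Q-IDs whose marker event came at least threshold_seconds after the
    message's first log line; these are the ones worth pulling context for."""
    return [h["qid"] for h in hits if h["delay_seconds"] >= threshold_seconds]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for hit in parse_string_misses(log):
        print(f"{hit['qid']}: marker {hit['delay_seconds']:.0f}s after first log line")
        for line in context_window(log, hit["index"]):
            print("    " + line)
```

On Bill's own entries the delay for Qa51fa9a300ec591e is zero, which matches his "no time gap" finding; the constructed Qconstructed0001 entries are the kind of result that would support the delay Matt and Nick report. The script only measures from the first Declude line for the Q-ID, so it cannot separate F-Prot's own scan time from the time Declude spent before launching it; it is a triage filter, not a profiler.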

RE: [Declude.Virus] High CPU F-Prot

2005-04-29 Thread Dan Horne

"apparently could add another virus code to Declude for these situations
(not yet verified), "

Oh, it's verified.  As I said, I have been running VIRUSCODE 3,6,8,9 and
10 for at least two years now and not a single report from any customer
that ANYthing caught as a virus was needed, meaning no false positives.
We run close to a hundred client domains (all businesses) and see about
20,000 emails a day (the ones that get past our postfix gateway).  There
has never been a report of a VIRUSCODE 8 catching someone's Word document
because of a macro or anything such.  The recent rash of new viruses that
were getting through others' Declude/Fprot configs never got a single one
through mine.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 5:24 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot