Bug report / f-prot parser broken?

Kapetanakis Giannis bilias at edu.physics.uoc.gr
Mon Apr 23 09:00:43 IST 2007


Hello,

I would like to report some sort of a bug I have found.
I talked to Julian about it but we haven't managed
to sort it out.

Reproduction of the bug:
------------------------

I've installed the f-prot antivirus for linux in rpm.
http://www.f-prot.com/download/trial_forms/linux-ws-rpm.html
http://files.f-prot.com/files/linux-x86/fp-linux-ws.rpm

Test 1:
-------
Now I test a file that contains the EICAR_Test_File virus.
Check f-prot_report.txt attachment for f-prot's report.
It identifies the virus correctly. So far so good.

Test 2:
-------
I test again by using the f-prot-wrapper.
Check f-prot-wrapper_report.txt attachment for the report.
Works fine as well. It identifies the virus.

Test 3:
-------
Then I add f-prot in MailScanner.conf (f-prot only!)

Virus Scanning = yes
Virus Scanners = f-prot

Now I try to send the virus by mail:
f-prot fails to identify the virus.
Check f-prot-mailscanner_report.txt attachment.

Test 4:
-------
I remove f-prot from MailScanner.conf and add
Virus Scanners = bitdefender antivir
I send the virus file again (the same way as before)
and now the virus is being identified by both
antivir and bitdefender.
Check f-prot-mailscanner_report2.txt attachment.

Test 5
------
If I put in the conf
Virus Scanners = bitdefender antivir f-prot

I get in the logs:
Apr 22 19:44:49 server MailScanner[19305]: Virus Scanning: F-Prot found 1 infections

However in the mail report I receive there is no report/alert
from f-prot.
Check attachment many_scanners.txt

I also tried a few more tests Julian told me:
Postfix user can run f-prot and can identify
the virus from the command line. So there is probably
no permissions problem.

MailScanner -lint discovers f-prot
MailScanner -debug does not produce any funny info
about viruscanners

My guess is that f-prot has changed its
output report and MailScanner fails
to parse it correctly???

My system is Fedora Core 6 Linux
Linux 2.6.20-1.2944.fc6 i686 i686
model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
Ram		: 2 G

running:
postfix-2.3.3-2
mailscanner-4.58.9-1
spamassassin-3.1.8-2.fc6
f-prot fp-linux-ws-4.6.8-1
BitDefender-Console-Antivirus-7.1-3
Antivir engine version:   7.3.1.53 / product version:  2.1.10-36

The rest of the system is up to date.

Thanks in advance

Kapetanakis Giannis
System & Network Admin
University of Crete / Physics Dep.
-------------- next part --------------
Virus scanning report  -  20 April 2007 @ 14:49

F-PROT ANTIVIRUS
Program version: 4.6.8
Engine version: 3.16.16

VIRUS SIGNATURE FILES
SIGN.DEF created 18 April 2007
SIGN2.DEF created 18 April 2007
MACRO.DEF created 18 April 2007

Search: foo
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/root/foo  Infection: EICAR_Test_File

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

-------------- next part --------------
Virus scanning report  -  20 April 2007 @ 14:52

F-PROT ANTIVIRUS
Program version: 4.6.8
Engine version: 3.16.16

VIRUS SIGNATURE FILES
SIGN.DEF created 18 April 2007
SIGN2.DEF created 18 April 2007
MACRO.DEF created 18 April 2007

Search: foo
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/root/foo  Infection: EICAR_Test_File

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

-------------- next part --------------
Apr 20 14:55:23 server postfix/pickup[1698]: 73FEB1005F: uid=0 from=<root>
Apr 20 14:55:23 server postfix/cleanup[1732]: 73FEB1005F: hold: header Received: by server.physics.uoc.gr (Postfix, from userid 0)??id 73FEB1005F; Fri, 20 Apr 2007 14:55:23 +0300 (EEST) from local; from=<root at physics.uoc.gr> to=<bilias at edu.physics.uoc.gr>
Apr 20 14:55:23 server postfix/cleanup[1732]: 73FEB1005F: message-id=<20070420115523.73FEB1005F at server.physics.uoc.gr>
Apr 20 14:55:23 server MailScanner[1757]: New Batch: Scanning 1 messages, 581 bytes
Apr 20 14:55:24 server MailScanner[1757]: Virus and Content Scanning: Starting
Apr 20 14:55:24 server MailScanner[1757]: Requeue: 73FEB1005F.57B39 to 18FD110049
Apr 20 14:55:24 server postfix/qmgr[1703]: 18FD110049: from=<root at physics.uoc.gr>, size=617, nrcpt=1 (queue active)
Apr 20 14:55:24 server MailScanner[1757]: Uninfected: Delivered 1 messages
-------------- next part --------------
Apr 20 15:00:22 server postfix/pickup[2142]: D853C1006B: uid=0 from=<root>
Apr 20 15:00:22 server postfix/cleanup[2177]: D853C1006B: hold: header Received: by server.physics.uoc.gr (Postfix, from userid 0)??id D853C1006B; Fri, 20 Apr 2007 15:00:22 +0300 (EEST) from local; from=<root at physics.uoc.gr> to=<bilias at edu.physics.uoc.gr>
Apr 20 15:00:23 server MailScanner[2168]: New Batch: Scanning 1 messages, 581 bytes
Apr 20 15:00:23 server MailScanner[2168]: Virus and Content Scanning: Starting
Apr 20 15:00:25 server MailScanner[2168]: D853C1006B.4E2BF/msg-2168-2.txt:infected: EICAR-Test-File (not a virus)
Apr 20 15:00:25 server MailScanner[2168]: Virus Scanning: Bitdefender found 1 infections
Apr 20 15:00:27 server MailScanner[2168]: ALERT: [Eicar-Test-Signature] ./D853C1006B.4E2BF/msg-2168-2.txt <<< Contains code of the Eicar-Test-Signature virus
Apr 20 15:00:27 server MailScanner[2168]: Virus Scanning: AntiVir found 1 infections
Apr 20 15:00:27 server MailScanner[2168]: Infected message D853C1006B.4E2BF came from 127.0.0.1
Apr 20 15:00:27 server MailScanner[2168]: Virus Scanning: Found 1 viruses
Apr 20 15:00:28 server MailScanner[2168]: Requeue: D853C1006B.4E2BF to 025EC1006C
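As an added example (not part of the original post and not MailScanner's own Perl parser), a small Python parser for the f-prot 4.6.8 report layout shown in the attachments above, with the check a practitioner would want when a scanner's output is suspected of having changed: the per-file "Infection:" lines are compared against the "Infected:" counter in the summary block. The sample report is constructed in that layout; the drifted variant used in the test is a hypothetical format change, not a real f-prot version.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the layout of the f-prot 4.6.8 report attached to
# the bug report (same sections and fields; the path is a placeholder).
SAMPLE_REPORT = """\
Virus scanning report  -  20 April 2007 @ 14:49

F-PROT ANTIVIRUS
Program version: 4.6.8
Engine version: 3.16.16

Search: foo
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/root/foo  Infection: EICAR_Test_File

Results of virus scanning:

Files: 1
Objects scanned: 1
Infected: 1
Suspicious: 0

Time: 0:00
"""

# One per-file hit: path, two or more spaces, "Infection:", malware name.
INFECTION_RE = re.compile(r"^(?P<path>\S.*?)\s{2,}Infection:\s+(?P<name>.+?)\s*$")
# Numeric counters in the block after "Results of virus scanning:".
COUNTER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\d+)\s*$")


class Hit(NamedTuple):
    path: str
    name: str


def parse_report(text: str) -> Tuple[List[Hit], Dict[str, int]]:
    """Split an f-prot report into per-file hits and the summary counters."""
    hits: List[Hit] = []
    counters: Dict[str, int] = {}
    in_summary = False
    for line in text.splitlines():
        if line.startswith("Results of virus scanning:"):
            in_summary = True          # everything below is the summary block
            continue
        if not in_summary:
            m = INFECTION_RE.match(line)
            if m:
                hits.append(Hit(m["path"], m["name"]))
        else:
            m = COUNTER_RE.match(line)  # e.g. "Infected: 1"; "Time: 0:00" is skipped
            if m:
                counters[m["key"].strip().lower()] = int(m["value"])
    return hits, counters


def check_consistency(hits: List[Hit], counters: Dict[str, int]) -> List[str]:
    """Flag a summary that counts infections the line parser did not see:
    that is the signature of a report layout the regex no longer matches."""
    problems: List[str] = []
    reported = counters.get("infected")
    if reported is None:
        problems.append("no 'Infected:' counter found; summary layout changed")
    elif reported != len(hits):
        problems.append(f"summary reports {reported} infected but "
                        f"{len(hits)} 'Infection:' line(s) were parsed")
    return problems
```

Run `check_consistency(*parse_report(text))` on a report captured from the wrapper; a non-empty result means the per-file parse and the scanner's own count disagree, which is worth checking before blaming permissions or configuration.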