F-Prot use not appearing in log file

Julian Field MailScanner at ecs.soton.ac.uk
Thu Feb 28 22:19:11 GMT 2008





Mike - W0TMW wrote:
> Julian Field wrote:
>>
>>
>> Mike - W0TMW wrote:
>>> I've installed MS 4.66 on a new box and thanks to others here gotten 
>>> it running.  I have noticed something odd.
>>>
>>> I have clamav and f-prot installed for virus scanning.  I have an 
>>> older version of MS running on another box also with clamav and 
>>> f-prot.  On that older box, when an e-mail is being scanned, I see 
>>> in the log that clamav and f-prot are used.  On the new box however, 
>>> I only see clamav mentioned.  Both virus scanners are found when MS 
>>> is started.
>>>
>>> Is f-prot being used and just not logged?
>> That shouldn't be possible.
>> What does "MailScanner --lint" say?
>> If you add "eicar" to Non-Forging Viruses list, then you should 
>> receive a notification when you send a copy of Eicar through it. That 
>> will tell you for definite which virus scanners are finding Eicar.
>>
>> Please let me know how you get on with this.
>>
>> Jules
>>
> Here's the dump from MailScanner --lint.
>
> [root at cygni ~]# MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.5) is correct.
>
> Your setting "Mail Header" contains illegal characters.
> This is most likely caused by your "%org-name%" setting
> which must not contain and "." or "_" characters as
> these are known to cause problems with some mail systems.
>
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-crucis.net-MailScanner-From
>
> MikeW: Hmmm, I wonder if this could be the cause? Continuing...
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners = f-prot clamav"
> Found these virus scanners installed: clamav, f-prot
> =========================================================================== 
>
> =========================================================================== 
>
> Virus Scanner test reports:
> F-Prot said "./1/eicar.com  Infection: EICAR_Test_File"
> ClamAV said "eicar.com contains Eicar-Test-Signature"
>
> If any of your virus scanners (clamav,f-prot)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its 
> virus.scanners.conf.
> [root at cygni ~]#
>
> Mike W: However, maillog only shows...
>
> [root at cygni ~]# tail -50 /var/log/maillog
> Feb 28 14:22:50 cygni MailScanner[21967]: Read 5752 hostnames from the 
> phishing blacklist
> Feb 28 14:22:50 cygni MailScanner[21967]: SpamAssassin temporary 
> working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Feb 28 14:22:50 cygni MailScanner[21967]: Using SpamAssassin results 
> cache
> Feb 28 14:22:50 cygni MailScanner[21967]: Connected to SpamAssassin 
> cache database
> Feb 28 14:22:50 cygni MailScanner[21967]: Enabling SpamAssassin 
> auto-whitelist functionality...
> Feb 28 14:22:52 cygni MailScanner[21967]: ClamAV scanner using unrar 
> command /usr/bin/unrar
> Feb 28 14:22:52 cygni MailScanner[21967]: Using locktype = posix
> Feb 28 14:22:52 cygni MailScanner[21967]: Creating hardcoded 
> struct_flock subroutine for linux (Linux-type)
> Feb 28 14:22:55 cygni MailScanner[21968]: MailScanner E-Mail Virus 
> Scanner version 4.66.5 starting...
> Feb 28 14:22:55 cygni MailScanner[21968]: Read 814 hostnames from the 
> phishing whitelist
> Feb 28 14:22:55 cygni MailScanner[21968]: Read 5752 hostnames from the 
> phishing blacklist
> Feb 28 14:22:55 cygni MailScanner[21968]: SpamAssassin temporary 
> working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Feb 28 14:22:55 cygni MailScanner[21968]: Using SpamAssassin results 
> cache
> Feb 28 14:22:55 cygni MailScanner[21968]: Connected to SpamAssassin 
> cache database
> Feb 28 14:22:55 cygni MailScanner[21968]: Enabling SpamAssassin 
> auto-whitelist functionality...
> Feb 28 14:22:57 cygni MailScanner[21968]: ClamAV scanner using unrar 
> command /usr/bin/unrar
> Feb 28 14:22:57 cygni MailScanner[21968]: Using locktype = posix
> Feb 28 14:22:57 cygni MailScanner[21968]: Creating hardcoded 
> struct_flock subroutine for linux (Linux-type)
> Feb 28 14:49:35 cygni sendmail[22232]: m1SKnYAV022232: 
> from=<xxx-announce-bounces at crucis.net>, size=1444, class=0, nrcpts=1, 
> msgid=<mailman.0.1204231773.22231.xxx-announce at crucis.net>, 
> proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
> Feb 28 14:49:35 cygni sendmail[22233]: m1SKnZWi022233: 
> from=<xxx-announce-bounces at crucis.net>, size=1444, class=0, nrcpts=1, 
> msgid=<mailman.1.1204231773.22231.xxx-announce at crucis.net>, 
> proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
> Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2 
> messages, 3854 bytes
> Feb 28 14:49:36 cygni MailScanner[21934]: Spam Checks: Starting
> Feb 28 14:49:47 cygni MailScanner[21934]: Message m1SKnZWi022233 from 
> 127.0.0.1 (xxx-announce-bounces at crucis.net) to crucis.net is not spam, 
> SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, 
> ALL_TRUSTED -1.44)
> Feb 28 14:49:56 cygni MailScanner[21934]: Message m1SKnYAV022232 from 
> 127.0.0.1 (xxx-announce-bounces at crucis.net) to crucis.net is not spam, 
> SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, 
> ALL_TRUSTED -1.44)
> Feb 28 14:49:56 cygni MailScanner[21934]: Spam Checks completed at 197 
> bytes per second
> Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning: 
> Starting
> Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at 
> 821 bytes per second
> Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2 
> messages
> Feb 28 14:50:00 cygni MailScanner[21934]: Virus Processing completed 
> at 75732 bytes per second
> Feb 28 14:50:00 cygni MailScanner[21934]: Batch completed at 158 bytes 
> per second (3854 / 24)
> Feb 28 14:50:00 cygni MailScanner[21934]: Batch (2 messages) processed 
> in 24.26 seconds
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward 
> /home/yyy/.forward.cygni: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward 
> /home/yyy/.forward: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: 
> to=<joyce at crucis.net>, delay=00:00:25, xdelay=00:00:00, mailer=local, 
> pri=121444, dsn=2.0.0, stat=Sent
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward 
> /home/zzz/.forward.cygni: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward 
> /home/zzz/.forward: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: 
> to=<zzz at crucis.net>, delay=00:00:25, xdelay=00:00:00, mailer=local, 
> pri=121444, dsn=2.0.0, stat=Sent
> Feb 28 15:01:02 cygni update.bad.phishing.sites: Delaying cron job up 
> to 600 seconds
> Feb 28 15:05:31 cygni update.bad.phishing.sites: Phishing bad sites 
> list updated
> Feb 28 15:05:31 cygni update.virus.scanners: Delaying cron job up to 
> 600 seconds
> Feb 28 15:12:03 cygni update.virus.scanners: Found clamav installed
> Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for 
> clamav
> Feb 28 15:12:03 cygni ClamAV-autoupdate[22465]: ClamAV updater 
> /usr/local/bin/freshclam cannot be run
> Feb 28 15:12:03 cygni update.virus.scanners: Found f-prot installed
> Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for 
> f-prot
> Feb 28 15:12:04 cygni F-Prot autoupdate[22488]: F-Prot did not need 
> updating.
> Feb 28 15:12:04 cygni update.virus.scanners: Found generic installed
> Feb 28 15:12:04 cygni update.virus.scanners: Running autoupdate for 
> generic
> Feb 28 15:22:20 cygni MailScanner[22620]: MailScanner E-Mail Virus 
> Scanner version 4.66.5 starting...
> Feb 28 15:23:33 cygni MailScanner[22713]: MailScanner E-Mail Virus 
> Scanner version 4.66.5 starting...
> [root at cygni ~]#
I really don't understand this lack of logging, though in this case it 
may not be finding the F-Prot scanner at all for some other reason.

With my F-Prot scanner in use, I get this in my mail log:

Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.zip->eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236.message->eicar.rar3a->eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar1.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.zip->eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.rar3a->eicar.com  Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found 9 infections

All of which clearly shows it working just fine.
In my MailScanner.conf, I have these settings, please check them against 
yours:

Log Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Silent Viruses = HTML-IFrame All-Viruses

Which does of course make the point that if your viruses are "silent" 
then they won't be logged by default. Try switching on "Log Silent 
Viruses" and see what changes.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
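
Added example, not part of the original message or of MailScanner itself: a small maillog check that tallies, per host, which scanners have logged a "Virus Scanning: ... found ..." record, so a configured scanner with no such record stands out. The sample lines are constructed from the excerpts in this thread (unwrapped to one record per line), and lower-casing the logged scanner name to compare it with the "Virus Scanners" setting is an assumption. A batch with no detections, like the one in the cygni excerpt, logs no scanner name at all, so both scanners come back as unseen there.

```python
import re
from collections import defaultdict

# Constructed sample: lines modelled on the maillog excerpts in this thread,
# unwrapped to one syslog record per line.
SAMPLE_LOG = """\
Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found 9 infections
Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning: Starting
Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at 821 bytes per second
Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2 messages
"""

# Matches "Virus Scanning: <scanner> found virus <name>"
# and     "Virus Scanning: <scanner> found <N> infections".
FOUND = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+MailScanner\[\d+\]:\s+"
    r"Virus Scanning:\s+(?P<scanner>\S+)\s+found\s+"
    r"(?:virus\s+(?P<virus>\S+)|(?P<count>\d+)\s+infections?)\s*$"
)

def scanner_evidence(log_text):
    """Return {host: {scanner: {"viruses": set, "reported": int}}}."""
    seen = defaultdict(
        lambda: defaultdict(lambda: {"viruses": set(), "reported": 0}))
    for line in log_text.splitlines():
        m = FOUND.match(line)
        if not m:
            continue  # startup, spam-check and batch lines name no scanner
        entry = seen[m["host"]][m["scanner"].lower()]  # assumption: compare lower-cased
        if m["virus"]:
            entry["viruses"].add(m["virus"])
        else:
            entry["reported"] += int(m["count"])
    return seen

def unseen_scanners(log_text, host, configured):
    """Configured scanners with no detection record logged on `host`."""
    seen = scanner_evidence(log_text).get(host, {})
    return [s for s in configured if s.lower() not in seen]

if __name__ == "__main__":
    print(unseen_scanners(SAMPLE_LOG, "alegria", ["f-prot", "clamavmodule"]))
    print(unseen_scanners(SAMPLE_LOG, "cygni", ["f-prot", "clamav"]))
```

An empty result is meaningful only for a window in which a test message such as Eicar was sent through the host and "Log Silent Viruses" was taken into account.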