F-Prot use not appearing in log file

Mike Watson mikew at crucis.net
Fri Feb 29 01:05:31 GMT 2008


 
Julian Field wrote:
|
|
| Mike - W0TMW wrote:
| > Julian Field wrote:
| >>
| >> Mike - W0TMW wrote:
| >>> I've installed MS 4.66 on a new box and thanks to others here gotten
| >>> it running.  I have noticed something odd.
| >>>
| >>> I have clamav and f-prot installed for virus scanning.  I have an
| >>> older version of MS running on another box also with clamav and
| >>> f-prot.  On that older box, when an e-mail is being scanned, I see
| >>> in the log that clamav and f-prot are used.  On the new box however,
| >>> I only see clamav mentioned.  Both virus scanners are found when MS
| >>> is started.
| >>>
| >>> Is f-prot being used and just not logged?
| >> That shouldn't be possible.
| >> What does "MailScanner --lint" say?
| >> If you add "eicar" to Non-Forging Viruses list, then you should
| >> receive a notification when you send a copy of Eicar through it. That
| >> will tell you for definite which virus scanners are finding Eicar.
| >>
| >> Please let me know how you get on with this.
| >>
| >> Jules
| >>
| > Here's the dump from MailScanner --lint.
|
| > [root at cygni ~]# MailScanner --lint
| > Trying to setlogsock(unix)
| > Checking version numbers...
| > Version number in MailScanner.conf (4.66.5) is correct.
|
| > Your setting "Mail Header" contains illegal characters.
| > This is most likely caused by your "%org-name%" setting
| > which must not contain and "." or "_" characters as
| > these are known to cause problems with some mail systems.
|
|
| > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
| > ERROR: is not correct, it should match X-crucis.net-MailScanner-From
|
| > MikeW: Hmmm, I wonder if this could be the cause? Continuing...
|
| > Checking for SpamAssassin errors (if you use it)...
| > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
| > SpamAssassin reported no errors.
| > MailScanner.conf says "Virus Scanners = f-prot clamav"
| > Found these virus scanners installed: clamav, f-prot
| > ===========================================================================
|
| > ===========================================================================
|
| > Virus Scanner test reports:
| > F-Prot said "./1/eicar.com  Infection: EICAR_Test_File"
| > ClamAV said "eicar.com contains Eicar-Test-Signature"
|
| > If any of your virus scanners (clamav,f-prot)
| > are not listed there, you should check that they are installed correctly
| > and that MailScanner is finding them correctly via its
| > virus.scanners.conf.
| > [root at cygni ~]#
|
| > Mike W: However, maillog only shows...
|
| > [root at cygni ~]# tail -50 /var/log/maillog
| > Feb 28 14:22:50 cygni MailScanner[21967]: Read 5752 hostnames from the
| > phishing blacklist
| > Feb 28 14:22:50 cygni MailScanner[21967]: SpamAssassin temporary
| > working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
| > Feb 28 14:22:50 cygni MailScanner[21967]: Using SpamAssassin results
| > cache
| > Feb 28 14:22:50 cygni MailScanner[21967]: Connected to SpamAssassin
| > cache database
| > Feb 28 14:22:50 cygni MailScanner[21967]: Enabling SpamAssassin
| > auto-whitelist functionality...
| > Feb 28 14:22:52 cygni MailScanner[21967]: ClamAV scanner using unrar
| > command /usr/bin/unrar
| > Feb 28 14:22:52 cygni MailScanner[21967]: Using locktype = posix
| > Feb 28 14:22:52 cygni MailScanner[21967]: Creating hardcoded
| > struct_flock subroutine for linux (Linux-type)
| > Feb 28 14:22:55 cygni MailScanner[21968]: MailScanner E-Mail Virus
| > Scanner version 4.66.5 starting...
| > Feb 28 14:22:55 cygni MailScanner[21968]: Read 814 hostnames from the
| > phishing whitelist
| > Feb 28 14:22:55 cygni MailScanner[21968]: Read 5752 hostnames from the
| > phishing blacklist
| > Feb 28 14:22:55 cygni MailScanner[21968]: SpamAssassin temporary
| > working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
| > Feb 28 14:22:55 cygni MailScanner[21968]: Using SpamAssassin results
| > cache
| > Feb 28 14:22:55 cygni MailScanner[21968]: Connected to SpamAssassin
| > cache database
| > Feb 28 14:22:55 cygni MailScanner[21968]: Enabling SpamAssassin
| > auto-whitelist functionality...
| > Feb 28 14:22:57 cygni MailScanner[21968]: ClamAV scanner using unrar
| > command /usr/bin/unrar
| > Feb 28 14:22:57 cygni MailScanner[21968]: Using locktype = posix
| > Feb 28 14:22:57 cygni MailScanner[21968]: Creating hardcoded
| > struct_flock subroutine for linux (Linux-type)
| > Feb 28 14:49:35 cygni sendmail[22232]: m1SKnYAV022232:
| > from=<xxx-announce-bounces at crucis.net>, size=1444, class=0, nrcpts=1,
| > msgid=<mailman.0.1204231773.22231.xxx-announce at crucis.net>,
| > proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
| > Feb 28 14:49:35 cygni sendmail[22233]: m1SKnZWi022233:
| > from=<xxx-announce-bounces at crucis.net>, size=1444, class=0, nrcpts=1,
| > msgid=<mailman.1.1204231773.22231.xxx-announce at crucis.net>,
| > proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
| > Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2
| > messages, 3854 bytes
| > Feb 28 14:49:36 cygni MailScanner[21934]: Spam Checks: Starting
| > Feb 28 14:49:47 cygni MailScanner[21934]: Message m1SKnZWi022233 from
| > 127.0.0.1 (xxx-announce-bounces at crucis.net) to crucis.net is not spam,
| > SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam,
| > ALL_TRUSTED -1.44)
| > Feb 28 14:49:56 cygni MailScanner[21934]: Message m1SKnYAV022232 from
| > 127.0.0.1 (xxx-announce-bounces at crucis.net) to crucis.net is not spam,
| > SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam,
| > ALL_TRUSTED -1.44)
| > Feb 28 14:49:56 cygni MailScanner[21934]: Spam Checks completed at 197
| > bytes per second
| > Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning:
| > Starting
| > Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at
| > 821 bytes per second
| > Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2
| > messages
| > Feb 28 14:50:00 cygni MailScanner[21934]: Virus Processing completed
| > at 75732 bytes per second
| > Feb 28 14:50:00 cygni MailScanner[21934]: Batch completed at 158 bytes
| > per second (3854 / 24)
| > Feb 28 14:50:00 cygni MailScanner[21934]: Batch (2 messages) processed
| > in 24.26 seconds
| > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward
| > /home/yyy/.forward.cygni: World writable directory
| > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward
| > /home/yyy/.forward: World writable directory
| > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233:
| > to=<joyce at crucis.net>, delay=00:00:25, xdelay=00:00:00, mailer=local,
| > pri=121444, dsn=2.0.0, stat=Sent
| > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward
| > /home/zzz/.forward.cygni: World writable directory
| > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward
| > /home/zzz/.forward: World writable directory
| > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232:
| > to=<zzz at crucis.net>, delay=00:00:25, xdelay=00:00:00, mailer=local,
| > pri=121444, dsn=2.0.0, stat=Sent
| > Feb 28 15:01:02 cygni update.bad.phishing.sites: Delaying cron job up
| > to 600 seconds
| > Feb 28 15:05:31 cygni update.bad.phishing.sites: Phishing bad sites
| > list updated
| > Feb 28 15:05:31 cygni update.virus.scanners: Delaying cron job up to
| > 600 seconds
| > Feb 28 15:12:03 cygni update.virus.scanners: Found clamav installed
| > Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for
| > clamav
| > Feb 28 15:12:03 cygni ClamAV-autoupdate[22465]: ClamAV updater
| > /usr/local/bin/freshclam cannot be run
| > Feb 28 15:12:03 cygni update.virus.scanners: Found f-prot installed
| > Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for
| > f-prot
| > Feb 28 15:12:04 cygni F-Prot autoupdate[22488]: F-Prot did not need
| > updating.
| > Feb 28 15:12:04 cygni update.virus.scanners: Found generic installed
| > Feb 28 15:12:04 cygni update.virus.scanners: Running autoupdate for
| > generic
| > Feb 28 15:22:20 cygni MailScanner[22620]: MailScanner E-Mail Virus
| > Scanner version 4.66.5 starting...
| > Feb 28 15:23:33 cygni MailScanner[22713]: MailScanner E-Mail Virus
| > Scanner version 4.66.5 starting...
| > [root at cygni ~]#
| I really don't understand this lack of logging, though in this case it
| may not be finding the F-Prot scanner at all for some other reason.
|
| With my F-Prot scanner in use, I get this in my mail log:
|
| Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule
| found 9 infections
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.com  
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.zip->eicar.com
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/j279YpRC016236.message->eicar.rar3a->eicar.com
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar1.com  
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.zip->eicar.com  
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.com  
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.com  
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]:
| /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.rar3a->eicar.com
| Infection: EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| virus EICAR_Test_File
| Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found
| 9 infections
|
| All of which clearly shows it working just fine.
| In my MailScanner.conf, I have these settings, please check them against
| yours:
|
| Log Silent Viruses = no
| Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
| Silent Viruses = HTML-IFrame All-Viruses
|
| Which does of course make the point that if your viruses are "silent"
| then they won't be logged by default. Try switching on "Log Silent
| Viruses" and see what changes.
|
| Jules
|
My config is the same as yours.  I turned on Log Silent Viruses and will 
run another test.

Mike W
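As an added example that is not part of this thread or of MailScanner itself, here is a small Python script that applies Jules's check to a maillog: for each scanning batch it records which configured scanners logged a "Virus Scanning: ... found" line and flags batches where one scanner reported a find and another did not, while treating a batch with no scanner lines at all as inconclusive (nothing was detected, or the detection was a silent virus with Log Silent Viruses = no). The sample log lines are constructed to mimic the two logs quoted above, and the mapping of log names (ClamAVModule, F-Prot) to the "Virus Scanners =" names is an assumption.

```python
import re

# Constructed sample maillog lines modelled on the thread: an uninfected batch,
# an EICAR batch where both scanners report, and one where only ClamAV reports.
SAMPLE_LOG = """\
Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2 messages, 3854 bytes
Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at 821 bytes per second
Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2 messages
Feb 28 22:15:00 alegria MailScanner[5466]: New Batch: Scanning 2 messages, 6000 bytes
Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found 9 infections
Feb 28 16:00:00 cygni MailScanner[30000]: New Batch: Scanning 1 messages, 500 bytes
Feb 28 16:00:01 cygni MailScanner[30000]: Virus Scanning: ClamAVModule found 1 infections
"""

# Assumption: how scanner names in "Virus Scanning:" lines map to the names
# used in "Virus Scanners = ..."; only the two scanners from the thread listed.
LOG_NAME_TO_CONF = {"ClamAVModule": "clamav", "ClamAV": "clamav", "F-Prot": "f-prot"}

BATCH_RE = re.compile(r"MailScanner\[(\d+)\]: New Batch: Scanning")
FOUND_RE = re.compile(r"MailScanner\[(\d+)\]: Virus Scanning: (\S+) found ")
CLEAN_RE = re.compile(r"MailScanner\[(\d+)\]: Uninfected: Delivered")


def scanner_coverage(log_text, configured):
    """Per MailScanner child PID: which configured scanners logged a find."""
    batches = {}
    for line in log_text.splitlines():
        if m := BATCH_RE.search(line):
            batches[m.group(1)] = {"scanners": set(), "uninfected": False}
        elif (m := FOUND_RE.search(line)) and m.group(1) in batches:
            name = LOG_NAME_TO_CONF.get(m.group(2), m.group(2).lower())
            batches[m.group(1)]["scanners"].add(name)
        elif (m := CLEAN_RE.search(line)) and m.group(1) in batches:
            batches[m.group(1)]["uninfected"] = True
    for b in batches.values():
        b["missing"] = set(configured) - b["scanners"]
    return batches


def verdict(batch):
    """'ok' if every configured scanner reported; 'inconclusive' if none did
    (nothing found, or a silent virus not logged); else 'missing:<names>'."""
    if not batch["missing"]:
        return "ok"
    if not batch["scanners"]:
        return "inconclusive"
    return "missing:" + ",".join(sorted(batch["missing"]))
```

Run it against a real log with `scanner_coverage(open("/var/log/maillog").read(), ["f-prot", "clamav"])` after sending an EICAR message; a "missing:f-prot" verdict on the EICAR batch is the symptom to chase, whereas "inconclusive" on clean batches is expected.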

