F-Prot use not appearing in log file
Mike Watson
mikew at crucis.net
Fri Feb 29 01:31:51 GMT 2008
Mike Watson wrote:
| Julian Field wrote:
| |
| |
| | Mike - W0TMW wrote:
| | > Julian Field wrote:
| | >>
| | >> Mike - W0TMW wrote:
| | >>> I've installed MS 4.66 on a new box and thanks to others here gotten
| | >>> it running. I have noticed something odd.
| | >>>
| | >>> I have clamav and f-prot installed for virus scanning. I have an
| | >>> older version of MS running on another box also with clamav and
| | >>> f-prot. On that older box, when an e-mail is being scanned, I see
| | >>> in the log that clamav and f-prot are used. On the new box however,
| | >>> I only see clamav mentioned. Both virus scanners are found when MS
| | >>> is started.
| | >>>
| | >>> Is f-prot being used and just not logged?
| | >> That shouldn't be possible.
| | >> What does "MailScanner --lint" say?
| | >> If you add "eicar" to Non-Forging Viruses list, then you should
| | >> receive a notification when you send a copy of Eicar through it. That
| | >> will tell you for definite which virus scanners are finding Eicar.
| | >>
| | >> Please let me know how you get on with this.
| | >>
| | >> Jules
| | >>
| | > Here's the dump from MailScanner --lint.
| |
| | > [root at cygni ~]# MailScanner --lint
| | > Trying to setlogsock(unix)
| | > Checking version numbers...
| | > Version number in MailScanner.conf (4.66.5) is correct.
| |
| | > Your setting "Mail Header" contains illegal characters.
| | > This is most likely caused by your "%org-name%" setting
| | > which must not contain and "." or "_" characters as
| | > these are known to cause problems with some mail systems.
| |
| |
| | > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
| | > ERROR: is not correct, it should match X-crucis.net-MailScanner-From
| |
| | > MikeW: Hmmm, I wonder if this could be the cause? Continuing...
| |
| | > Checking for SpamAssassin errors (if you use it)...
| | > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
| | > SpamAssassin reported no errors.
| | > MailScanner.conf says "Virus Scanners = f-prot clamav"
| | > Found these virus scanners installed: clamav, f-prot
| | > ===========================================================================
| | > ===========================================================================
| | > Virus Scanner test reports:
| | > F-Prot said "./1/eicar.com Infection: EICAR_Test_File"
| | > ClamAV said "eicar.com contains Eicar-Test-Signature"
| |
| | > If any of your virus scanners (clamav,f-prot)
| | > are not listed there, you should check that they are installed correctly
| | > and that MailScanner is finding them correctly via its
| | > virus.scanners.conf.
| | > [root at cygni ~]#
| |
| | > Mike W: However, maillog only shows...
| |
| | > [root at cygni ~]# tail -50 /var/log/maillog
| | > Feb 28 14:22:50 cygni MailScanner[21967]: Read 5752 hostnames from the
| | > phishing blacklist
| | > Feb 28 14:22:50 cygni MailScanner[21967]: SpamAssassin temporary
| | > working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
| | > Feb 28 14:22:50 cygni MailScanner[21967]: Using SpamAssassin results
| | > cache
| | > Feb 28 14:22:50 cygni MailScanner[21967]: Connected to SpamAssassin
| | > cache database
| | > Feb 28 14:22:50 cygni MailScanner[21967]: Enabling SpamAssassin
| | > auto-whitelist functionality...
| | > Feb 28 14:22:52 cygni MailScanner[21967]: ClamAV scanner using unrar
| | > command /usr/bin/unrar
| | > Feb 28 14:22:52 cygni MailScanner[21967]: Using locktype = posix
| | > Feb 28 14:22:52 cygni MailScanner[21967]: Creating hardcoded
| | > struct_flock subroutine for linux (Linux-type)
| | > Feb 28 14:22:55 cygni MailScanner[21968]: MailScanner E-Mail Virus
| | > Scanner version 4.66.5 starting...
| | > Feb 28 14:22:55 cygni MailScanner[21968]: Read 814 hostnames from the
| | > phishing whitelist
| | > Feb 28 14:22:55 cygni MailScanner[21968]: Read 5752 hostnames from the
| | > phishing blacklist
| | > Feb 28 14:22:55 cygni MailScanner[21968]: SpamAssassin temporary
| | > working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
| | > Feb 28 14:22:55 cygni MailScanner[21968]: Using SpamAssassin results
| | > cache
| | > Feb 28 14:22:55 cygni MailScanner[21968]: Connected to SpamAssassin
| | > cache database
| | > Feb 28 14:22:55 cygni MailScanner[21968]: Enabling SpamAssassin
| | > auto-whitelist functionality...
| | > Feb 28 14:22:57 cygni MailScanner[21968]: ClamAV scanner using unrar
| | > command /usr/bin/unrar
| | > Feb 28 14:22:57 cygni MailScanner[21968]: Using locktype = posix
| | > Feb 28 14:22:57 cygni MailScanner[21968]: Creating hardcoded
| | > struct_flock subroutine for linux (Linux-type)
| | > Feb 28 14:49:35 cygni sendmail[22232]: m1SKnYAV022232:
| | > from=<xxx-announce-bounces at crucis.net>, size=1444, class=0, nrcpts=1,
| | > msgid=<mailman.0.1204231773.22231.xxx-announce at crucis.net>,
| | > proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
| | > Feb 28 14:49:35 cygni sendmail[22233]: m1SKnZWi022233:
| | > from=<xxx-announce-bounces at crucis.net>, size=1444, class=0, nrcpts=1,
| | > msgid=<mailman.1.1204231773.22231.xxx-announce at crucis.net>,
| | > proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
| | > Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2
| | > messages, 3854 bytes
| | > Feb 28 14:49:36 cygni MailScanner[21934]: Spam Checks: Starting
| | > Feb 28 14:49:47 cygni MailScanner[21934]: Message m1SKnZWi022233 from
| | > 127.0.0.1 (xxx-announce-bounces at crucis.net) to crucis.net is not spam,
| | > SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam,
| | > ALL_TRUSTED -1.44)
| | > Feb 28 14:49:56 cygni MailScanner[21934]: Message m1SKnYAV022232 from
| | > 127.0.0.1 (xxx-announce-bounces at crucis.net) to crucis.net is not spam,
| | > SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam,
| | > ALL_TRUSTED -1.44)
| | > Feb 28 14:49:56 cygni MailScanner[21934]: Spam Checks completed at 197
| | > bytes per second
| | > Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning:
| | > Starting
| | > Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at
| | > 821 bytes per second
| | > Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2
| | > messages
| | > Feb 28 14:50:00 cygni MailScanner[21934]: Virus Processing completed
| | > at 75732 bytes per second
| | > Feb 28 14:50:00 cygni MailScanner[21934]: Batch completed at 158 bytes
| | > per second (3854 / 24)
| | > Feb 28 14:50:00 cygni MailScanner[21934]: Batch (2 messages) processed
| | > in 24.26 seconds
| | > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward
| | > /home/yyy/.forward.cygni: World writable directory
| | > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward
| | > /home/yyy/.forward: World writable directory
| | > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233:
| | > to=<joyce at crucis.net>, delay=00:00:25, xdelay=00:00:00, mailer=local,
| | > pri=121444, dsn=2.0.0, stat=Sent
| | > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward
| | > /home/zzz/.forward.cygni: World writable directory
| | > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward
| | > /home/zzz/.forward: World writable directory
| | > Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232:
| | > to=<zzz at crucis.net>, delay=00:00:25, xdelay=00:00:00, mailer=local,
| | > pri=121444, dsn=2.0.0, stat=Sent
| | > Feb 28 15:01:02 cygni update.bad.phishing.sites: Delaying cron job up
| | > to 600 seconds
| | > Feb 28 15:05:31 cygni update.bad.phishing.sites: Phishing bad sites
| | > list updated
| | > Feb 28 15:05:31 cygni update.virus.scanners: Delaying cron job up to
| | > 600 seconds
| | > Feb 28 15:12:03 cygni update.virus.scanners: Found clamav installed
| | > Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for
| | > clamav
| | > Feb 28 15:12:03 cygni ClamAV-autoupdate[22465]: ClamAV updater
| | > /usr/local/bin/freshclam cannot be run
| | > Feb 28 15:12:03 cygni update.virus.scanners: Found f-prot installed
| | > Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for
| | > f-prot
| | > Feb 28 15:12:04 cygni F-Prot autoupdate[22488]: F-Prot did not need
| | > updating.
| | > Feb 28 15:12:04 cygni update.virus.scanners: Found generic installed
| | > Feb 28 15:12:04 cygni update.virus.scanners: Running autoupdate for
| | > generic
| | > Feb 28 15:22:20 cygni MailScanner[22620]: MailScanner E-Mail Virus
| | > Scanner version 4.66.5 starting...
| | > Feb 28 15:23:33 cygni MailScanner[22713]: MailScanner E-Mail Virus
| | > Scanner version 4.66.5 starting...
| | > [root at cygni ~]#
| | I really don't understand this lack of logging, though in this case it
| | may not be finding the F-Prot scanner at all for some other reason.
| |
| | With my F-Prot scanner in use, I get this in my mail log:
| |
| | Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.zip->eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236.message->eicar.rar3a->eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar1.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.zip->eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.rar3a->eicar.com Infection: EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
| | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found 9 infections
| |
| | All of which clearly shows it working just fine.
| | In my MailScanner.conf, I have these settings, please check them against
| | yours:
| |
| | Log Silent Viruses = no
| | Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
| | Silent Viruses = HTML-IFrame All-Viruses
| |
| | Which does of course make the point that if your viruses are "silent"
| | then they won't be logged by default. Try switching on "Log Silent
| | Viruses" and see what changes.
| |
| | Jules
| |
| My config is the same as yours. I turned on Log Silent Viruses and will run another test.
|
| Mike W
I've been doing more tests. Turning on Silent Virus logging made no
change to the issue other than seeing the Silent Virus message appear in
maillog. I modified MailScanner.conf to remove clamav as an anti-virus
choice. I had specified "f-prot clamav" explicitly in the config. I
deleted clamav leaving f-prot and ran the eicar test. Eicar was NOT
detected. I then changed the config file entry to read "auto". Both
clamav and F-prot were found according to maillog, but as before, only
clamav was logged as finding eicar.
So, f-prot is being found but not executed. F-prot is version 4.6.8,
engine 3.16.16. I just downloaded from the f-prot website last week.
Any thoughts?
Mike W
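The symptom in this thread is a scanner that MailScanner reports as installed but that never logs a finding, even in a batch where the other scanner does. A small Python check for exactly that condition follows; it is an added example, not code from the thread or from MailScanner. It reads the "Virus Scanners =" setting out of MailScanner.conf text and then counts "Virus Scanning: <scanner> found ..." lines in maillog per MailScanner child PID, flagging any configured scanner that stayed silent in a batch where another scanner reported an infection. The log lines are constructed from the shapes quoted above; the mapping of the "ClamAVModule" and "F-Prot" labels to the conf names "clamav" and "f-prot" comes from the quoted lines, while the plain "ClamAV" label for the command-line wrapper is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of maillog lines, modelled on the MailScanner 4.66 formats
# quoted in the thread. PID 21934 mirrors the reporter's box (only ClamAV reports
# on an EICAR batch), PID 5466 mirrors the working box (both scanners report).
SAMPLE_LOG = """\
Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2 messages, 3854 bytes
Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning: Starting
Feb 28 14:49:58 cygni MailScanner[21934]: Virus Scanning: ClamAV found 2 infections
Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at 821 bytes per second
Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found 9 infections
"""

# Labels MailScanner prints in the log, keyed by the name used in "Virus Scanners =".
# "ClamAVModule" and "F-Prot" are taken from the thread; "ClamAV" (command-line
# wrapper) is an assumption. Unknown labels fall back to their lower-cased form.
SCANNER_LABELS = {
    "clamav": ("ClamAV", "ClamAVModule"),
    "f-prot": ("F-Prot",),
}
LABEL_TO_NAME = {label: name for name, labels in SCANNER_LABELS.items() for label in labels}

# Only lines of the form "MailScanner[PID]: Virus Scanning: <label> found ..." count;
# "Virus Scanning completed at ..." and "Virus and Content Scanning:" do not match.
FOUND_RE = re.compile(r"MailScanner\[(\d+)\]: Virus Scanning: (\S+) found ")


def configured_scanners(conf_text):
    """Return the space-separated 'Virus Scanners =' list from MailScanner.conf text.
    Note that the special value 'auto' (used in the thread) cannot be resolved from
    the conf alone; MailScanner expands it to whatever scanners it finds installed."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "virus scanners":
            return value.split()
    return []


def scanner_findings(log_text):
    """Count 'found' lines per MailScanner child PID, normalised to conf scanner names.
    Returns {pid: {scanner_name: line_count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if not m:
            continue
        pid, label = m.group(1), m.group(2)
        findings[pid][LABEL_TO_NAME.get(label, label.lower())] += 1
    return {pid: dict(counts) for pid, counts in findings.items()}


def silent_scanners(log_text, configured):
    """Return {pid: [scanner, ...]} for every batch in which at least one scanner
    reported an infection but a configured scanner logged nothing at all.
    Batches with no findings are skipped: they may simply have been clean, and a
    scanner that logs nothing on a clean batch is behaving correctly."""
    result = {}
    for pid, counts in scanner_findings(log_text).items():
        missing = [name for name in configured if counts.get(name, 0) == 0]
        if missing:
            result[pid] = missing
    return result


if __name__ == "__main__":
    # Constructed conf fragment matching the thread's explicit setting.
    conf = "Virus Scanners = f-prot clamav\nLog Silent Viruses = yes\n"
    wanted = configured_scanners(conf)
    for pid, missing in silent_scanners(SAMPLE_LOG, wanted).items():
        print(f"MailScanner[{pid}]: infection reported, but no log line from: {', '.join(missing)}")
```

On the reporter's box this prints a line for PID 21934 naming f-prot, which is the thread's symptom stated as a check that can be run against a real maillog after an EICAR test; the working box's PID 5466 produces nothing. Run it with "Log Silent Viruses = yes" in force, as Julian advises, so that EICAR hits are actually written to the log at all.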