F-prot issues
Shaun Metcalfe
shaun.metcalfe at iovate.com
Mon Jul 28 16:43:41 IST 2008
Hello,
Hoping someone can point me in the right direction here.
We use MailScanner (and Mailwatch) with f-prot to scan for virus/malware
at our mail gateway. The rash of E-ticket and Bill_Tax attachments has
been causing us some grief.
In MailScanner.conf, I have f-prot defined as our only scanner.
Virus Scanners = f-prot
In virus.scanners.conf, f-prot points to the correct directories:
f-prot /usr/lib/MailScanner/f-prot-wrapper /usr/local/f-prot
f-prot is up to date (f-prot -verno):
F-PROT ANTIVIRUS
Program version: 4.6.8
Engine version: 3.16.16
VIRUS SIGNATURE FILES
SIGN.DEF created 27 July 2008
SIGN2.DEF created 27 July 2008
MACRO.DEF created 27 July 2008
And a test of the wrapper returns results, which I assume mean it is
working
/usr/lib/MailScanner/f-prot-wrapper /usr/local/f-prot/ /var/spool/MailScanner/quarantine/20080725
<snip>
/var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/Bill_Tax______.exe is a security risk named W32/Downldr2.DBPY
/var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/message->Bill_Tax.zip->Bill_Tax___________________________N89798742344.exe is a security risk named W32/Downldr2.DBPY
/var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
/var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
/var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
/var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
/var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
/var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
Results of virus scanning:
Files: 728
MBRs: 0
Boot sectors: 0
Objects scanned: 870
Infected: 0
Suspicious: 138
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:01
A tail /var/log/maillog -n 1000 | grep -i virus shows that MailScanner is invoking something to deal with virus scanning:
Jul 28 11:35:34 mgw MailScanner[30149]: Virus and Content Scanning: Starting
Jul 28 11:35:35 mgw MailScanner[30149]: New Batch: Scanning 1 messages, 1687 bytes
Jul 28 11:35:37 mgw MailScanner[30149]: Virus and Content Scanning: Starting
Jul 28 11:35:37 mgw MailScanner[30149]: New Batch: Scanning 2 messages, 2363 bytes
However, it does not seem to be reporting the suspicious activity, and I
don't see a section in MailScanner.conf which allows me to specify which
results count as an "infection".
I was hoping there is a way to include ALL suspicious files as well,
either through identifying the results of the scan such as "is a
destructive program named", "is a security risk named", or by examining
the f-prot program exit codes.
PROGRAM EXIT CODES
0 Normal exit. Nothing found, nothing done.
1 Unrecoverable error (e.g., missing virus signature files).
2 Selftest failed (program has been modified).
3 At least one virus-infected object was found.
4 Reserved, not currently in use.
5 Abnormal termination (scanning did not finish).
6 At least one virus was removed.
7 Error, out of memory.
8 At least one suspicious object was found.
9 At least one object was not scanned (encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file).
10 At least one archive object was not scanned (contains more than N levels of nested archives, as specified with -archive switch).
Any help or direction would be appreciated.
Regards,
Shaun.
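As an added example (not MailScanner's or F-Prot's own code, and not part of the original post): a small Python parser that applies the two verdict phrases and the exit-code table quoted in the message to F-Prot's output, so that "suspicious" verdicts are counted as hits alongside "infected" ones. The sample output is the post's own lines with the e-mail line wrapping undone; the function names and the message-id extraction from MailScanner's quarantine path layout (<quarantine>/<YYYYMMDD>/<msgid>/...) are assumptions.

```python
"""Treat F-Prot 4.x "suspicious" verdicts as hits at a MailScanner-style
mail gateway.

Added example, not MailScanner's or F-Prot's code.  The verdict phrases,
the summary block and the exit-code table are the ones quoted in the post;
the function names and the message-id extraction from the quarantine path
layout (<quarantine>/<YYYYMMDD>/<msgid>/...) are assumptions.
"""
import re

# F-Prot 4.x PROGRAM EXIT CODES (from the post); others are errors or clean.
EXIT_INFECTED = 3        # at least one virus-infected object
EXIT_REMOVED = 6         # at least one virus removed
EXIT_SUSPICIOUS = 8      # at least one suspicious object
EXIT_NOT_SCANNED = 9     # encrypted / unknown format / corrupt object
EXIT_NESTING_LIMIT = 10  # archive nesting deeper than -archive allows

# Per-object verdict lines as printed by F-Prot 4.6 in the post.  The path
# may contain "->" chains for members inside archives, so match lazily.
VERDICT_RE = re.compile(
    r"^(?P<path>.+?) is a (?P<kind>security risk|destructive program) "
    r"named (?P<name>\S+)$")
MSGID_RE = re.compile(r"/quarantine/\d{8}/(?P<msgid>[^/]+)/")
SUMMARY_RE = re.compile(r"^(Files|Objects scanned|Infected|Suspicious):\s+(\d+)$")

# Constructed sample: three verdict lines from the post with the e-mail
# line wrapping undone, plus the summary counters the post reported.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/Bill_Tax______.exe is a security risk named W32/Downldr2.DBPY
/var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/message->Bill_Tax.zip->Bill_Tax___________________________N89798742344.exe is a security risk named W32/Downldr2.DBPY
/var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
Results of virus scanning:
Files: 728
Infected: 0
Suspicious: 138
"""


def parse_verdicts(output):
    """One dict per verdict line: message id, innermost file, kind, name."""
    hits = []
    for line in output.splitlines():
        m = VERDICT_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        mid = MSGID_RE.search(path)
        hits.append({
            "msgid": mid.group("msgid") if mid else None,
            # innermost archive member, or the file itself
            "file": path.split("->")[-1].rsplit("/", 1)[-1],
            "kind": m.group("kind"),
            "name": m.group("name"),
        })
    return hits


def parse_summary(output):
    """Counters from the 'Results of virus scanning' block."""
    counts = {}
    for line in output.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def messages_to_quarantine(output):
    """Distinct message ids with at least one verdict line.

    Both phrases count: in the post, F-Prot reported "Infected: 0" while
    listing "destructive program" and "security risk" objects, i.e. both
    were tallied under "Suspicious", which is what the gateway ignored.
    """
    return sorted({h["msgid"] for h in parse_verdicts(output) if h["msgid"]})


def exit_code_means_hit(rc, treat_suspicious=True):
    """Map F-Prot's exit status to 'block this batch'."""
    if rc in (EXIT_INFECTED, EXIT_REMOVED):
        return True
    if rc == EXIT_SUSPICIOUS:
        return treat_suspicious
    return False


def exit_code_means_unscanned(rc):
    """Objects skipped (encrypted/unknown format, nesting too deep).

    Not a clean result; a gateway should at least log or hold these."""
    return rc in (EXIT_NOT_SCANNED, EXIT_NESTING_LIMIT)


if __name__ == "__main__":
    for h in parse_verdicts(SAMPLE_OUTPUT):
        print(f"{h['msgid']}: {h['file']} -> {h['kind']}: {h['name']}")
    print("summary:", parse_summary(SAMPLE_OUTPUT))
    print("quarantine:", messages_to_quarantine(SAMPLE_OUTPUT))
    print("exit 8 is a hit:", exit_code_means_hit(EXIT_SUSPICIOUS))
```

Run stand-alone it lists the two message ids from the sample (m6P9eb7N020874 and m6PIJVA4014593) as ones to quarantine even though the summary says "Infected: 0". Parsing the verdict text and checking the exit status are deliberately separate: exit code 8 alone tells you a batch needs attention, while the per-line parse tells you which message in the batch carried the object. Exit codes 9 and 10 are kept apart from both, since an unscanned object is neither clean nor a detection.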