F-prot issues

Scott Silva ssilva at sgvwater.com
Mon Jul 28 17:21:26 IST 2008


on 7-28-2008 8:43 AM Shaun Metcalfe spake the following:
> Hello,
> 
> Hoping someone can point me in the right direction here.
> 
> We use MailScanner (and Mailwatch) with f-prot to scan for virus/malware 
> at our mail gateway. The rash of E-ticket and Bill_Tax attachments has 
> been causing us some grief.
> 
> In MailScanner.conf, I have f-prot defined as our only scanner.
>         Virus Scanners = f-prot
> 
> In virus.scanners.conf f-prot points to the correct directories
>         f-prot          /usr/lib/MailScanner/f-prot-wrapper     
> /usr/local/f-prot
> 
> f-prot is up to date (f-prot -verno )
> 
> F-PROT ANTIVIRUS
> 
> Program version: 4.6.8
> Engine version: 3.16.16
> 
> VIRUS SIGNATURE FILES
> SIGN.DEF created 27 July 2008
> SIGN2.DEF created 27 July 2008
> MACRO.DEF created 27 July 2008
> 
> And a test of the wrapper returns results, which I assume mean it is 
> working
> 
> /usr/lib/MailScanner/f-prot-wrapper /usr/local/f-prot/ 
> /var/spool/MailScanner/quarantine/20080725
> 
> <snip>
> /var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/Bill_Tax______.exe is a security risk named W32/Downldr2.DBPY
> 
> /var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/message->Bill_Tax.zip->Bill_Tax___________________________N89798742344.exe is a security risk named W32/Downldr2.DBPY
> 
> /var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
> 
> /var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
> 
> /var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
> 
> /var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
> 
> /var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
> 
> /var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
> 
> Results of virus scanning:
> 
> Files: 728
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 870
> Infected: 0
> Suspicious: 138
> Disinfected: 0
> Deleted: 0
> Renamed: 0
> 
> Time: 0:01
> 
> A tail /var/log/maillog -n 1000 | grep -i virus shows that MailScanner 
> is invoking something to deal with virus scanning :
> 
> Jul 28 11:35:34 mgw MailScanner[30149]: Virus and Content Scanning: Starting
> Jul 28 11:35:35 mgw MailScanner[30149]: New Batch: Scanning 1 messages, 1687 bytes
> Jul 28 11:35:37 mgw MailScanner[30149]: Virus and Content Scanning: Starting
> Jul 28 11:35:37 mgw MailScanner[30149]: New Batch: Scanning 2 messages, 2363 bytes
> 
> However, it does not seem to be reporting the suspicious activity, and I 
> don't see a section in MailScanner.conf which allows me to specify what 
> results as an "infection".
> 
> I was hoping there is a way to include ALL suspicious files as well, 
> either through identifying the results of the scan such as "is a 
> destructive program named", "is a security risk named",  or by examining 
> the f-prot program exit codes.
> 
> PROGRAM EXIT CODES
>        0      Normal exit.  Nothing found, nothing done.
> 
>        1      Unrecoverable error (e.g., missing virus signature files).
> 
>        2      Selftest failed (program has been modified).
> 
>        3      At least one virus-infected object was found.
> 
>        4      Reserved, not currently in use.
> 
>        5      Abnormal termination (scanning did not finish).
> 
>        6      At least one virus was removed.
> 
>        7      Error, out of memory.
> 
>        8      At least one suspicious object was found.
> 
>        9      At least one object was not scanned (encrypted file,
>               unsupported/unknown compression method, unsupported/unknown file
>               format, corrupted or invalid file).
> 
>        10     At least one archive object was not scanned (contains more
>               than N levels of nested archives, as specified with -archive
>               switch).
> 
> Any help or direction would be appreciated.
> 
> Regards,
> 
> Shaun.
> 
This won't help your F-prot problem, but I would recommend installing Clamav 
since it is free, and will give you a buffer just in case F-prot stops 
working. Clam has very good detection rates for a free product.


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
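One way to act on the "suspicious" results and exit codes Shaun quotes, as an added illustration that is not code from the thread, from F-Prot or from MailScanner: the report phrasings ("is a security risk named", "is a destructive program named") and the exit-code meanings are taken from the message above; the shortened paths in the sample, the `/q` directory and the function names are constructed for the example.

```python
import re

# Exit codes from the F-Prot 4.x man page excerpt quoted in the thread.
INFECTED, SUSPICIOUS, NOT_SCANNED, ARCHIVE_DEPTH = 3, 8, 9, 10

# A hit line reads "<path> is a security risk named W32/Downldr2.DBPY" or
# "<path> is a destructive program named W32/Trojan2.AUFO"; the kind group is
# open-ended so other F-Prot phrasings of the same shape are caught too.
_HIT = re.compile(r"^(?P<path>.+?)\s+is an? (?P<kind>[a-z ]+?) named (?P<name>\S+)$")

def parse_fprot_report(text):
    """Return (path, kind, name) for every detection in an F-Prot text report.
    Lines that a mailer or terminal wrapped after the path are re-joined first."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and line.startswith("is a"):
            lines[-1] += " " + line       # continuation of the previous path line
        elif line:
            lines.append(line)
    hits = []
    for line in lines:
        m = _HIT.match(line)
        if m:
            hits.append((m.group("path"), m.group("kind"), m.group("name")))
    return hits

def verdict(exit_code):
    """Map F-Prot's exit status to a gateway decision. A wrapper that honours
    only 3 lets 'suspicious' (8) and unscanned (9, 10) objects through, so
    everything non-zero is treated as not clean here."""
    if exit_code == 0:
        return "clean"
    if exit_code in (INFECTED, SUSPICIOUS):
        return "infected"
    if exit_code in (NOT_SCANNED, ARCHIVE_DEPTH):
        return "unscanned"
    return "error"

# Constructed sample mirroring the wrapped output pasted in the thread
# (paths shortened; the /q quarantine directory is a placeholder).
SAMPLE = """\
/q/m6P9eb7N020874/message->Bill_Tax.zip->Bill_Tax_N89798742344.exe
is a security risk named W32/Downldr2.DBPY
/q/m6PIJVA4014593/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice.exe
is a destructive program named W32/Trojan2.AUFO
/q/m6PIJVA4014593/readme.txt
Suspicious: 138
"""
```

Feeding the wrapper's stdout through `parse_fprot_report` and its status through `verdict` gives a quarantine decision that covers the "Suspicious: 138" case the default infected-only reading misses.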
