F-prot issues
Shaun Metcalfe
shaun.metcalfe at iovate.com
Mon Jul 28 18:44:07 IST 2008
Hello,
Thank you for the reply. I have installed ClamAV as well (it is not
currently invoked in MailScanner until I can QA it).
However, it does not detect the recent trojan/virus.
# clamscan --version
ClamAV 0.93.3/7866/Mon Jul 28 11:40:05 2008
# freshclam
ClamAV update process started at Mon Jul 28 13:41:03 2008
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
See the FAQ at http://www.clamav.net/support/faq for an explanation.
main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
daily.cvd is up to date (version: 7866, sigs: 64592, f-level: 33, builder: ccordes)
# clamscan /var/spool/MailScanner/quarantine/20080725
----------- SCAN SUMMARY -----------
Known viruses: 376130
Engine version: 0.93.3
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 2.552 sec (0 m 2 s)
Which is why I am hoping I can hook into f-prot and get quarantine with
virus identification.
Regards,
Shaun.
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Monday, July 28, 2008 12:21 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: F-prot issues
on 7-28-2008 8:43 AM Shaun Metcalfe spake the following:
> Hello,
>
> Hoping someone can point me in the right direction here.
>
> We use MailScanner (and Mailwatch) with f-prot to scan for
> virus/malware at our mail gateway. The rash of E-ticket and Bill_Tax
> attachments has been causing us some grief.
>
> In MailScanner.conf, I have f-prot defined as our only scanner.
> Virus Scanners = f-prot
>
> In virus.scanners.conf f-prot points to the correct directories
> f-prot /usr/lib/MailScanner/f-prot-wrapper
> /usr/local/f-prot
>
> f-prot is up to date (f-prot -verno )
>
> F-PROT ANTIVIRUS
>
> Program version: 4.6.8
> Engine version: 3.16.16
>
> VIRUS SIGNATURE FILES
> SIGN.DEF created 27 July 2008
> SIGN2.DEF created 27 July 2008
> MACRO.DEF created 27 July 2008
>
> And a test of the wrapper returns results, which I assume mean it is
> working
>
> /usr/lib/MailScanner/f-prot-wrapper /usr/local/f-prot/
> /var/spool/MailScanner/quarantine/20080725
>
> <snip>
> /var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/Bill_Tax______.exe is a security risk named W32/Downldr2.DBPY
>
> /var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/message->Bill_Tax.zip->Bill_Tax___________________________N89798742344.exe is a security risk named W32/Downldr2.DBPY
>
> /var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
>
> /var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
>
> /var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
>
> /var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
>
> /var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
>
> /var/spool/MailScanner/quarantine/20080725/m6PMxL55025452/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
>
> Results of virus scanning:
>
> Files: 728
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 870
> Infected: 0
> Suspicious: 138
> Disinfected: 0
> Deleted: 0
> Renamed: 0
>
> Time: 0:01
>
> A tail /var/log/maillog -n 1000 | grep -i virus shows that MailScanner is invoking something to deal with virus scanning:
>
> Jul 28 11:35:34 mgw MailScanner[30149]: Virus and Content Scanning: Starting
> Jul 28 11:35:35 mgw MailScanner[30149]: New Batch: Scanning 1 messages, 1687 bytes
> Jul 28 11:35:37 mgw MailScanner[30149]: Virus and Content Scanning: Starting
> Jul 28 11:35:37 mgw MailScanner[30149]: New Batch: Scanning 2 messages, 2363 bytes
>
> However, it does not seem to be reporting the suspicious activity, and
> I don't see a section in MailScanner.conf which allows me to specify
> what results as an "infection".
>
> I was hoping there is a way to include ALL suspicious files as well,
> either through identifying the results of the scan such as "is a
> destructive program named", "is a security risk named", or by
> examining the f-prot program exit codes.
>
> PROGRAM EXIT CODES
> 0 Normal exit. Nothing found, nothing done.
>
> 1 Unrecoverable error (e.g., missing virus signature files).
>
> 2 Selftest failed (program has been modified).
>
> 3 At least one virus-infected object was found.
>
> 4 Reserved, not currently in use.
>
> 5 Abnormal termination (scanning did not finish).
>
> 6 At least one virus was removed.
>
> 7 Error, out of memory.
>
> 8 At least one suspicious object was found.
>
> 9 At least one object was not scanned (encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file).
>
> 10 At least one archive object was not scanned (contains more than N levels of nested archives, as specified with -archive switch).
>
> Any help or direction would be appreciated.
>
> Regards,
>
> Shaun.
>
This won't help your F-prot problem, but I would recommend installing
Clamav since it is free, and will give you a buffer just in case F-prot
stops working. Clam has very good detection rates for a free product.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
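As an added example (not code from this thread, from MailScanner, or from F-Prot), a small Python parser for the two f-prot report phrasings Shaun quotes, together with the exit-code table he lists: it extracts the quarantine message id and the innermost object from each hit, and lets a wrapper decide whether "security risk" (suspicious, exit code 8) hits count as infections alongside "destructive program" (infected, exit code 3) ones. The sample output is constructed from the quoted lines, and the quarantine/<date>/<msg_id>/<file> layout of the path is assumed from them.

```python
import re
from collections import namedtuple

# Constructed sample of f-prot 4.x output modelled on the lines quoted in this
# thread (wrapped lines re-joined); only detection names from the thread are used.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/quarantine/20080725/m6P9eb7N020874/Bill_Tax______.exe is a security risk named W32/Downldr2.DBPY
/var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
/var/spool/MailScanner/quarantine/20080725/m6PIJVA4014593/message->E-ticket_N7399294.zip->E-ticket_N7399294_and_Invoice_for_N73992943442.exe is a destructive program named W32/Trojan2.AUFO
Results of virus scanning:
Suspicious: 138
"""

# Exit codes as listed in the thread; 4 is reserved and deliberately absent.
EXIT_CODE_VERDICT = {
    0: "clean", 1: "error", 2: "error", 3: "infected", 5: "error",
    6: "infected", 7: "error", 8: "suspicious", 9: "unscanned", 10: "unscanned",
}

# The two report phrasings shown in the thread: "security risk" is f-prot's
# suspicious class (exit code 8), "destructive program" its infected class (3).
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) is a (?P<kind>security risk|destructive program) named (?P<name>\S+)$"
)
SEVERITY = {"security risk": "suspicious", "destructive program": "infected"}

Detection = namedtuple("Detection", "msg_id filename severity name")

def parse_fprot_report(text):
    """One Detection per report line; summary lines do not match and are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        outer = path.split("->")[0]          # on-disk file, before any archive nesting
        msg_id = outer.split("/")[-2]         # assumed layout: quarantine/<date>/<msg_id>/<file>
        filename = path.split("->")[-1].rsplit("/", 1)[-1]   # innermost object
        hits.append(Detection(msg_id, filename, SEVERITY[m.group("kind")], m.group("name")))
    return hits

def flagged_messages(hits, include_suspicious=True):
    """Message ids to treat as infected; suspicious hits are included on request."""
    wanted = {"infected", "suspicious"} if include_suspicious else {"infected"}
    return sorted({h.msg_id for h in hits if h.severity in wanted})

def exit_code_verdict(code):
    return EXIT_CODE_VERDICT.get(code, "unknown")
```

Running the parser over the real wrapper output and combining it with the process exit status gives a wrapper both signals the thread asks about, so a "Suspicious: 138" summary is no longer silently reported as zero infections.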