Solved

Problem with f-prot

Posted on 2004-08-03
334 Views
Last Modified: 2010-03-18
Hi experts,

I have a server running MailScanner and F-Prot antivirus. Recently I've been receiving so many mails with W32.Mydoom.M@mm as an attachment file, even though F-Prot updates every day.

What can it be? What can I do to stop this virus?

Thanks
Question by:rbraym
9 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11706391
First of all, you need to check antivirus updates every HOUR, not every DAY.
Other things:

Read the headers of the messages; maybe your MailScanner is not working well.

Run MailScanner in console mode to test if it is really working: just type mailscanner at the prompt of your console.

ClamAV is the free antivirus option. I tested it and it is really great.
 

Author Comment

by:rbraym
ID: 11706551
I made a test with an infected .eml file (F-Prot detects it as MyDoom.O but my Symantec antivirus detects it as MyDoom.M). I transferred it via FTP to the server and then ran F-Prot to scan it. It found the virus! So what can be wrong?

What should I do?
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11706604
I think MailScanner is not intercepting your mails.

Check with ps -ef if MailScanner is up and running.

After that you can send email to the server, check with ps -ef that MailScanner is UP, and check the mail.

Check in /var/log/maillog if MailScanner puts the messages in a queue in /var/spool/mail/mqueue.in.

And with MailScanner you can have more than one scanner engine.

Try ClamAV; it is a free software project.

:)
 

Author Comment

by:rbraym
ID: 11706709
Here's my server log:

Aug  3 11:25:36 master sendmail[11125]: i73GPa74011125: from=<rbraym@eurolatina.com.co>, size=40702, class=0, nrcpts=1, msgid=<015a01c47977$5d987c40$0d65f53f@euronetadmin>, proto=SMTP, daemon=MTA, relay=[63.245.101.13]
Aug  3 11:25:37 master MailScanner[6930]: New Batch: Scanning 1 messages, 41185 bytes
Aug  3 11:25:37 master ipop3d[11112]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=1
Aug  3 11:25:37 master MailScanner[6930]: Spam Checks: Starting
Aug  3 11:25:39 master ipop3d[11127]: pop3 service init from 63.245.85.178
Aug  3 11:25:40 master ipop3d[11127]: Login user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0/0
Aug  3 11:25:42 master ipop3d[11127]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=0
Aug  3 11:25:46 master MailScanner[6930]: Virus and Content Scanning: Starting
Aug  3 11:25:46 master MailScanner[6930]: Uninfected: Delivered 1 messages
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client, error: load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem failed: 0
Aug  3 11:25:47 master sendmail[11138]: i73GPa74011125: to=<rbraym@eurolatina.com.co>, ctladdr=<rbraym@eurolatina.com.co> (502/504), delay=00:00:11, xdelay=00:00:00, mailer=local, pri=160702, dsn=2.0.0, stat=Sent

The infected message is from rbraym@eurolatina.com.co to the same address. As you can see, MailScanner starts checking the mail, but F-Prot doesn't find the virus.

I can see that it's detecting other viruses, but not this one. See this:

Aug  3 11:28:10 master MailScanner[7115]: Virus and Content Scanning: Starting
Aug  3 11:28:10 master MailScanner[7115]: /var/spool/MailScanner/incoming/7115/i73GRtD2011408/New_MP3_Player.scr  Infection: W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found virus W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found 1 infections
Aug  3 11:28:10 master MailScanner[7115]: Infected message i73GRtD2011408 came from 200.69.126.21
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: Found 1 viruses
Aug  3 11:28:10 master MailScanner[7115]: Filename Checks: Possible virus hidden in a screensaver (i73GRtD2011408 New_MP3_Player.scr)
Aug  3 11:28:10 master MailScanner[7115]: Other Checks: Found 1 problems
Aug  3 11:28:10 master MailScanner[7115]: Saved infected "New_MP3_Player.scr" to /var/spool/MailScanner/quarantine/20040803/i73GRtD2011408

So, what could it be?
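Added example (not code from the thread or from MailScanner) that does pablouruguay's log check and applies it to the maillog posted above: a POSIX shell script that joins each sendmail queue ID's from=/to= lines with any MailScanner infection line for the same ID, so you can see per message whether it went through the scanner and what the verdict was. The sample log embedded below is constructed from the lines in this thread; the queue directory paths and the /var/log/maillog layout are assumptions about this server.

```shell
#!/bin/sh
# Added example, not code from the thread: correlate each sendmail queue ID
# in /var/log/maillog with MailScanner's verdict on it, message by message.
# Log format assumed is the sendmail + MailScanner layout rbraym posted.

# pablouruguay's first check: is MailScanner up, and does the inbound queue
# it reads hold mail for it? (Paths are assumptions taken from the thread;
# the real one is "Incoming Queue Dir" in MailScanner.conf.)
mailscanner_status() {
    if ps -ef | grep '[M]ailScanner' >/dev/null; then
        echo "MailScanner: running"
    else
        echo "MailScanner: NOT running"
    fi
    for q in /var/spool/mail/mqueue.in /var/spool/mqueue.in; do
        [ -d "$q" ] && echo "$q: $(find "$q" -type f | wc -l | tr -d ' ') queued files"
    done
    return 0
}

# Per queue ID print: id sender relay verdict.
# sendmail logs the envelope on "from=" / "to=" lines keyed by queue ID.
# MailScanner names the queue ID only when it finds something ("Infection:"
# and "Infected message" lines), so an ID with a "to= ... stat=Sent" line and
# no infection line was scanned, judged clean, and delivered.
triage_maillog() {
    awk '
    /sendmail\[[0-9]+\]: [A-Za-z0-9]+: from=/ {
        id = $6; sub(/:$/, "", id)
        s = $7; sub(/^from=/, "", s); sub(/,$/, "", s)
        sender[id] = s
        if (index($0, "relay=")) relay[id] = substr($0, index($0, "relay=") + 6)
        seen[id] = 1
    }
    /sendmail\[[0-9]+\]: [A-Za-z0-9]+: to=/ {
        id = $6; sub(/:$/, "", id)
        if (index($0, "stat=")) status[id] = substr($0, index($0, "stat=") + 5)
        seen[id] = 1
    }
    /MailScanner\[[0-9]+\]: .* Infection: / {
        # $6 is .../incoming/<pid>/<queue-id>/<attachment>; the ID is the
        # next-to-last path component, the virus name is the last field
        n = split($6, p, "/"); id = p[n - 1]
        virus[id] = $NF; seen[id] = 1
    }
    /MailScanner\[[0-9]+\]: Infected message / {
        id = $8; relay[id] = $NF; seen[id] = 1
    }
    END {
        for (id in seen) {
            if (id in virus) v = "INFECTED:" virus[id]
            else if (id in status) v = "clean:" status[id]
            else v = "clean:pending"
            printf "%s %s %s %s\n", id, (id in sender) ? sender[id] : "?", (id in relay) ? relay[id] : "?", v
        }
    }' "$1" | sort
}

# Constructed sample built from the lines rbraym posted: the Mydoom message
# that was delivered as clean, and the Bagle message F-Prot caught.
make_sample_maillog() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Aug  3 11:25:36 master sendmail[11125]: i73GPa74011125: from=<rbraym@eurolatina.com.co>, size=40702, class=0, nrcpts=1, msgid=<015a01c47977$5d987c40$0d65f53f@euronetadmin>, proto=SMTP, daemon=MTA, relay=[63.245.101.13]
Aug  3 11:25:37 master MailScanner[6930]: New Batch: Scanning 1 messages, 41185 bytes
Aug  3 11:25:46 master MailScanner[6930]: Virus and Content Scanning: Starting
Aug  3 11:25:46 master MailScanner[6930]: Uninfected: Delivered 1 messages
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory
Aug  3 11:25:47 master sendmail[11138]: i73GPa74011125: to=<rbraym@eurolatina.com.co>, ctladdr=<rbraym@eurolatina.com.co> (502/504), delay=00:00:11, xdelay=00:00:00, mailer=local, pri=160702, dsn=2.0.0, stat=Sent
Aug  3 11:28:10 master MailScanner[7115]: Virus and Content Scanning: Starting
Aug  3 11:28:10 master MailScanner[7115]: /var/spool/MailScanner/incoming/7115/i73GRtD2011408/New_MP3_Player.scr  Infection: W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found virus W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Infected message i73GRtD2011408 came from 200.69.126.21
Aug  3 11:28:10 master MailScanner[7115]: Saved infected "New_MP3_Player.scr" to /var/spool/MailScanner/quarantine/20040803/i73GRtD2011408
EOF
    echo "$tmp"
}

# On the server:  mailscanner_status; triage_maillog /var/log/maillog
# Here, against the constructed sample:
sample=$(make_sample_maillog)
triage_maillog "$sample"
rm -f "$sample"
```

On the sample, i73GPa74011125 (the Mydoom message rbraym sent to himself) comes out as clean:Sent while i73GRtD2011408 comes out as INFECTED:W32/Bagle.AI@mm. MailScanner did pick up the batch and sendmail delivered it, so the problem is not that MailScanner is bypassed but that the copy of F-Prot MailScanner calls did not flag that attachment, which is what jlevie's check in the accepted answer isolates. The STARTTLS=client lines are a separate issue: sendmail cannot find its certificate files, so outbound mail goes out without TLS; they do not affect scanning.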
 
LVL 40

Expert Comment

by:jlevie
ID: 11711490
Are you sure that the copy of F-Prot that MailScanner is using has the current sigs?
 

Author Comment

by:rbraym
ID: 11715935
Yes. As I said above, I transferred the infected .eml file to the server and then ran F-Prot to check this file, and it detected the virus, but not in incoming mails.
 
LVL 40

Accepted Solution

by: jlevie (earned 50 total points)
ID: 11716810
I'd suggest that you check what copy of F-Prot MailScanner is using by looking at the last field of the MailScanner etc/virus.scanners.conf (default is /usr/local/f-prot). Then scan the file the way MailScanner would by invoking lib/f-prot-wrapper <path-from-virus.scanners.conf> test-file.
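Added example (not the thread's or MailScanner's own code) of the check jlevie suggests: read the f-prot line of virus.scanners.conf to find the wrapper and install directory MailScanner actually uses, compare that with the f-prot binary in your PATH (the copy rbraym ran by hand), and scan a test file through the wrapper the same way MailScanner does. The EICAR test string is used as a harmless file every engine must detect. The config paths (/etc/MailScanner, /usr/lib/MailScanner), the three-column layout of virus.scanners.conf and the "Virus Scanners =" key in MailScanner.conf are assumptions about a standard source install; adjust them to where your copy's etc/ and lib/ live.

```shell
#!/bin/sh
# Added example, not from the thread: run F-Prot exactly the way MailScanner
# does (its wrapper, against the install dir named in virus.scanners.conf)
# instead of whichever f-prot binary happens to be first in your PATH.
# Paths below are assumptions for a source-installed MailScanner; adjust.
MS_ETC=${MS_ETC:-/etc/MailScanner}        # MailScanner.conf, virus.scanners.conf
MS_LIB=${MS_LIB:-/usr/lib/MailScanner}    # fallback location of *-wrapper scripts

# virus.scanners.conf lines are assumed to be:
#   <scanner-name>  <wrapper-script>  <install-dir>
# (jlevie: the last field is the F-Prot install dir, default /usr/local/f-prot)
scanner_field() {
    # $1 = conf file, $2 = scanner name, $3 = field (2 = wrapper, 3 = install dir)
    awk -v name="$2" -v fld="$3" '$1 == name { print $fld; exit }' "$1"
}

# The scanner(s) MailScanner.conf actually enables, e.g. "Virus Scanners = f-prot"
enabled_scanners() {
    sed -n 's/^[Vv]irus [Ss]canners *= *//p' "$1"
}

# Harmless test file that every AV engine must flag: the 68-byte EICAR string.
make_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Show which F-Prot MailScanner uses versus the one in PATH, then scan $1
# through the wrapper with the same arguments MailScanner passes it.
scan_like_mailscanner() {
    conf="$MS_ETC/virus.scanners.conf"
    dir=$(scanner_field "$conf" f-prot 3)
    wrapper=$(scanner_field "$conf" f-prot 2)
    [ -n "$dir" ] || { echo "no f-prot line in $conf" >&2; return 2; }
    [ -x "$wrapper" ] || wrapper="$MS_LIB/f-prot-wrapper"
    echo "enabled scanners   : $(enabled_scanners "$MS_ETC/MailScanner.conf")"
    echo "f-prot dir (conf)  : $dir"
    echo "f-prot in PATH     : $(command -v f-prot || echo none)"
    echo "wrapper            : $wrapper"
    ls -l "$dir"     # signature file dates of the copy MailScanner calls
    rc=0
    "$wrapper" "$dir" "$1" || rc=$?
    echo "wrapper exit code: $rc"
    return "$rc"
}

# Usage on the server, as the user named by "Run As User" in MailScanner.conf:
#   sh this-script.sh --scan
case "${1:-}" in
    --scan) t=$(mktemp); make_eicar "$t"; scan_like_mailscanner "$t" || true; rm -f "$t" ;;
esac
```

Run it as the user MailScanner runs as (the Run As User setting in MailScanner.conf), because a scanner that works for root but cannot read the incoming spool or its own signature files as that user produces exactly the symptom in this thread: hand scans detect, mail scans do not. If the wrapper run against the same .eml does detect the virus but live mail still passes, compare the signature file dates in the directory the conf names against the copy that is updated daily, and confirm the attachment reaches the scanner unpacked (MailScanner scans the extracted parts under /var/spool/MailScanner/incoming, as the Bagle log line shows).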
