Solved

Problem with f-prot

Posted on 2004-08-03
Last Modified: 2010-03-18
Hi experts..

I have a server running MailScanner and F-Prot antivirus. Recently I've been receiving so many mails with W32.Mydoom.M@mm as an attachment, even though F-Prot updates every day.

What can it be? What can I do to stop this virus?

Thanks
Question by:rbraym
LVL 14

Expert Comment

by:pablouruguay
ID: 11706391
First of all, you need to check for antivirus updates every HOUR, not every DAY.
Other things:

Read the headers of the messages; maybe your MailScanner is not working properly.

Run MailScanner in console mode to test whether it is really working: just type mailscanner at the prompt of your console.

ClamAV is the free antivirus option. I tested it and it is really great.
 

Author Comment

by:rbraym
ID: 11706551
I made a test with an infected .eml file (F-Prot detects it as MyDoom.O but my Symantec antivirus detects it as MyDoom.m). I transferred it via FTP to the server and then ran F-Prot to scan it. It found the virus! So what can be wrong?

What should I do?
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11706604
I think MailScanner is not intercepting your mails.

Check with ps -ef whether MailScanner is up and running.

After that you can send an email to the server, check with ps -ef that MailScanner is up, and check the mail.

Check in /var/log/maillog whether MailScanner put the messages in the queue at /var/spool/mail/mqueue.in

And with MailScanner you can have more than 1 scanner engine.

Try ClamAV; it is a free software project.

:)

Author Comment

by:rbraym
ID: 11706709
Here's my server log:

Aug  3 11:25:36 master sendmail[11125]: i73GPa74011125: from=<rbraym@eurolatina.com.co>, size=40702, class=0, nrcpts=1, msgid=<015a01c47977$5d987c40$0d65f53f@euronetadmin>, proto=SMTP, daemon=MTA, relay=[63.245.101.13]
Aug  3 11:25:37 master MailScanner[6930]: New Batch: Scanning 1 messages, 41185 bytes
Aug  3 11:25:37 master ipop3d[11112]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=1
Aug  3 11:25:37 master MailScanner[6930]: Spam Checks: Starting
Aug  3 11:25:39 master ipop3d[11127]: pop3 service init from 63.245.85.178
Aug  3 11:25:40 master ipop3d[11127]: Login user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0/0
Aug  3 11:25:42 master ipop3d[11127]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=0
Aug  3 11:25:46 master MailScanner[6930]: Virus and Content Scanning: Starting
Aug  3 11:25:46 master MailScanner[6930]: Uninfected: Delivered 1 messages
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client, error: load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem failed: 0
Aug  3 11:25:47 master sendmail[11138]: i73GPa74011125: to=<rbraym@eurolatina.com.co>, ctladdr=<rbraym@eurolatina.com.co> (502/504), delay=00:00:11, xdelay=00:00:00, mailer=local, pri=160702, dsn=2.0.0, stat=Sent

The infected message is from rbraym@eurolatina.com.co to the same address. As you can see, MailScanner starts checking the mail, but f-prot doesn't find the virus..

I can see that it's detecting other viruses, but not this one.. see this:

Aug  3 11:28:10 master MailScanner[7115]: Virus and Content Scanning: Starting
Aug  3 11:28:10 master MailScanner[7115]: /var/spool/MailScanner/incoming/7115/i73GRtD2011408/New_MP3_Player.scr  Infection: W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found virus W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found 1 infections
Aug  3 11:28:10 master MailScanner[7115]: Infected message i73GRtD2011408 came from 200.69.126.21
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: Found 1 viruses
Aug  3 11:28:10 master MailScanner[7115]: Filename Checks: Possible virus hidden in a screensaver (i73GRtD2011408 New_MP3_Player.scr)
Aug  3 11:28:10 master MailScanner[7115]: Other Checks: Found 1 problems
Aug  3 11:28:10 master MailScanner[7115]: Saved infected "New_MP3_Player.scr" to /var/spool/MailScanner/quarantine/20040803/i73GRtD2011408

So, what could it be??
 
LVL 40

Expert Comment

by:jlevie
ID: 11711490
Are you sure that the copy of F-Prot that MailScanner is using has the current sigs?
 

Author Comment

by:rbraym
ID: 11715935
Yes. As I said above, I transferred the infected .eml file to the server and then ran F-Prot to check this file, and it detected the virus, but not in incoming mails.
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 11716810
I'd suggest that you check what copy of F-Prot MailScanner is using by looking at the last field of the MailScanner etc/virus.scanners.conf (default is /usr/local/f-prot). Then scan the file the way MailScanner would by invoking lib/f-prot-wrapper <path-from-virus.scanners.conf> test-file.
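
The check described in the accepted answer, as an added example that is not part of the original thread: it reads the scanner's line from virus.scanners.conf, builds the wrapper command MailScanner would use, and tests whether a hand-run f-prot binary sits in the same install directory. The function names are hypothetical and the wrapper paths in the sample file are constructed; only /usr/local/f-prot comes from the answer.

```shell
#!/bin/sh
# Constructed sample in the three-column layout of virus.scanners.conf:
#   <scanner name> <wrapper script> <installation directory>
sample_conf() {
cat <<'EOF'
# name      wrapper                               install dir
sophos      /usr/lib/MailScanner/sophos-wrapper   /usr/local/Sophos
f-prot      /usr/lib/MailScanner/f-prot-wrapper   /usr/local/f-prot
EOF
}

# Print "<wrapper> <install-dir>" for one scanner; skip comments and blank lines.
# Exit status is non-zero when the scanner has no entry.
scanner_entry() {  # $1 = conf file, $2 = scanner name
    awk -v name="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == name           { print $2, $NF; found = 1; exit }
        END                  { exit !found }' "$1"
}

# Build the command line for scanning one file the way MailScanner would:
# the wrapper, then the install directory (last field), then the file.
wrapper_command() {  # $1 = conf file, $2 = scanner name, $3 = file to scan
    entry=$(scanner_entry "$1" "$2") || { echo "no entry for $2" >&2; return 1; }
    set -- $entry "$3"
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Succeed only if the binary that was run by hand lives in the directory
# MailScanner is configured to use. A mismatch means two copies of the
# scanner exist, possibly with different signature files.
same_install() {  # $1 = conf file, $2 = scanner name, $3 = binary run by hand
    entry=$(scanner_entry "$1" "$2") || return 2
    conf_dir=${entry#* }
    [ "$(dirname "$3")" = "${conf_dir%/}" ]
}

# Demo on the constructed sample; /tmp/suspect.eml is a placeholder path.
conf=$(mktemp) && sample_conf > "$conf"
wrapper_command "$conf" f-prot /tmp/suspect.eml
rm -f "$conf"
```

On a real server, point the functions at the installed virus.scanners.conf and pass the output of `command -v f-prot` as the hand-run binary.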