Solved

Problem with f-prot

Posted on 2004-08-03
368 Views
Last Modified: 2010-03-18
Hi experts..

I have a server running with MailScanner and F-Prot antivirus. Recently I've been receiving so many mails with W32.Mydoom.M@mm as an attachment file, even though F-Prot updates every day....

What can it be?? What can I do so I can stop this virus??

Thanx
Question by:rbraym
9 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11706391
First of all, you need to check antivirus updates every HOUR, not every DAY.
Other things:

Read the headers of the messages; maybe your MailScanner is not working well.

Run MailScanner in console mode to test if it is really working: just type mailscanner at the prompt of your console.

ClamAV is the free antivirus option. I tested it and it is really great.

Author Comment

by:rbraym
ID: 11706551
I made a test with an infected .eml file (F-Prot detects it as MyDoom.O but my Symantec antivirus detects it as MyDoom.M). I transferred it via FTP to the server and then ran F-Prot to scan it.. it found the virus!!.. so what can be wrong??

What should I do??
LVL 14

Expert Comment

by:pablouruguay
ID: 11706604
I think MailScanner is not intercepting your mails.

Check with ps -ef if MailScanner is up and running.

After that you can send email to the server, check with ps -ef that MailScanner is UP, and check the mail.

Check in /var/log/maillog if MailScanner puts the messages in a queue on /var/spool/mail/mqueue.in.

And with MailScanner you can have more than 1 scanner engine.

Try ClamAV; it is a free software project.

:)

Author Comment

by:rbraym
ID: 11706709
here's my server log:

Aug  3 11:25:36 master sendmail[11125]: i73GPa74011125: from=<rbraym@eurolatina.com.co>, size=40702, class=0, nrcpts=1, msgid=<015a01c47977$5d987c40$0d65f53f@euronetadmin>, proto=SMTP, daemon=MTA, relay=[63.245.101.13]
Aug  3 11:25:37 master MailScanner[6930]: New Batch: Scanning 1 messages, 41185 bytes
Aug  3 11:25:37 master ipop3d[11112]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=1
Aug  3 11:25:37 master MailScanner[6930]: Spam Checks: Starting
Aug  3 11:25:39 master ipop3d[11127]: pop3 service init from 63.245.85.178
Aug  3 11:25:40 master ipop3d[11127]: Login user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0/0
Aug  3 11:25:42 master ipop3d[11127]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=0
Aug  3 11:25:46 master MailScanner[6930]: Virus and Content Scanning: Starting
Aug  3 11:25:46 master MailScanner[6930]: Uninfected: Delivered 1 messages
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client, error: load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem failed: 0
Aug  3 11:25:47 master sendmail[11138]: i73GPa74011125: to=<rbraym@eurolatina.com.co>, ctladdr=<rbraym@eurolatina.com.co> (502/504), delay=00:00:11, xdelay=00:00:00, mailer=local, pri=160702, dsn=2.0.0, stat=Sent

The infected message is from rbraym@eurolatina.com.co to the same address. As you can see, MailScanner starts checking the mail, but F-Prot doesn't find the virus..

I can see that it's detecting other viruses, but not this one.. see this:

Aug  3 11:28:10 master MailScanner[7115]: Virus and Content Scanning: Starting
Aug  3 11:28:10 master MailScanner[7115]: /var/spool/MailScanner/incoming/7115/i73GRtD2011408/New_MP3_Player.scr  Infection: W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found virus W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found 1 infections
Aug  3 11:28:10 master MailScanner[7115]: Infected message i73GRtD2011408 came from 200.69.126.21
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: Found 1 viruses
Aug  3 11:28:10 master MailScanner[7115]: Filename Checks: Possible virus hidden in a screensaver (i73GRtD2011408 New_MP3_Player.scr)
Aug  3 11:28:10 master MailScanner[7115]: Other Checks: Found 1 problems
Aug  3 11:28:10 master MailScanner[7115]: Saved infected "New_MP3_Player.scr" to /var/spool/MailScanner/quarantine/20040803/i73GRtD2011408

So, what could it be??
LVL 40

Expert Comment

by:jlevie
ID: 11711490
Are you sure that the copy of F-Prot that MailScanner is using has the current sigs?

Author Comment

by:rbraym
ID: 11715935
Yes.. as I said above, I transferred the infected .eml file to the server and then I ran F-Prot to check this file and it detected the virus, but not in incoming mails.
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 11716810
I'd suggest that you check what copy of F-Prot MailScanner is using by looking at the last field of the MailScanner etc/virus.scanners.conf (default is /usr/local/f-prot). Then scan the file the way MailScanner would by invoking lib/f-prot-wrapper <path-from-virus.scanners.conf> test-file.
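An added example (not code from the thread or from the MailScanner project) of the check jlevie describes: read the F-Prot line from virus.scanners.conf, compare MailScanner's F-Prot with the one first on PATH, and scan a file through the same wrapper MailScanner calls. The sample conf contents, the /usr/lib/MailScanner/... wrapper locations and the binary name f-prot inside the install directory are assumptions.

```shell
#!/bin/sh
# Constructed sample of MailScanner's etc/virus.scanners.conf (three whitespace-separated
# fields: scanner name, wrapper script, install directory). Wrapper paths are assumed.
SAMPLE_CONF="${TMPDIR:-/tmp}/virus.scanners.conf.sample"
cat >"$SAMPLE_CONF" <<'EOF'
# Scanner   Wrapper script                            Install directory
sophos      /usr/lib/MailScanner/sophos-wrapper       /usr/local/Sophos
f-prot      /usr/lib/MailScanner/f-prot-wrapper       /usr/local/f-prot
clamav      /usr/lib/MailScanner/clamav-wrapper       /usr/local
EOF

# scanner_field NAME FIELD CONF: print field 2 (wrapper) or 3 (install dir) of the
# non-comment line whose first field is NAME; exit 1 if NAME is not configured.
scanner_field() {
    awk -v name="$1" -v f="$2" \
        '$1 !~ /^#/ && $1 == name { print $f; found = 1 } END { exit !found }' "$3"
}

# check_same_fprot CONF: 0 if MailScanner's F-Prot and the f-prot on PATH are the same
# binary, 1 if they differ (the daemon may then be scanning with stale signatures),
# 2 if either cannot be found. Assumes the binary is <install dir>/f-prot.
check_same_fprot() {
    dir=$(scanner_field f-prot 3 "$1") || return 2
    onpath=$(command -v f-prot 2>/dev/null) || return 2
    [ -x "$dir/f-prot" ] || return 2
    [ "$(readlink -f "$dir/f-prot")" = "$(readlink -f "$onpath")" ] || return 1
}

# scan_like_mailscanner CONF FILE: call the configured wrapper the way MailScanner does
# (wrapper <install dir> <file>), so a manual test exercises the same binary and
# signature files the daemon uses rather than whatever f-prot is on PATH.
scan_like_mailscanner() {
    wrapper=$(scanner_field f-prot 2 "$1") || return 2
    dir=$(scanner_field f-prot 3 "$1") || return 2
    [ -x "$wrapper" ] || { echo "wrapper $wrapper not found" >&2; return 2; }
    "$wrapper" "$dir" "$2"
}
```

If check_same_fprot returns 1, the copy you scanned the .eml with by hand is not the one MailScanner runs, which would explain a manual detection that never shows up in maillog.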