Solved

Problem with f-prot

Posted on 2004-08-03
Last Modified: 2010-03-18
Hi experts,

I have a server running MailScanner and F-Prot antivirus. Recently I've been receiving a lot of mails with W32.Mydoom.M@mm as an attached file, even though F-Prot updates every day.

What can it be? What can I do to stop this virus?

Thanks
Question by:rbraym
9 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11706391
First of all, you need to check antivirus updates every HOUR, not every DAY.
Others:

Read the headers of the messages; maybe your MailScanner is not working well.

Run MailScanner in console mode to test whether it is really working; just type mailscanner at the prompt of your console.

ClamAV is the free antivirus option. I tested it and it is really great.
 

Author Comment

by:rbraym
ID: 11706551
I made a test with an infected .eml file (F-Prot detects it as MyDoom.O but my Symantec antivirus detects it as MyDoom.M). I transferred it via FTP to the server and then ran f-prot to scan it, and it found the virus! So what can be wrong?

What should I do?
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11706604
I think MailScanner is not intercepting your mails.

Check with ps -ef whether MailScanner is up and running.

After that you can send an email to the server, check with ps -ef that MailScanner is up, and check the mail.

check in the /var/log/maillog if mailscanner put the messages in a quotat on /var/spool/mail/mqueue.in

And with MailScanner you can have more than one scanner engine.

Try ClamAV; it is a free software project.

:)

Author Comment

by:rbraym
ID: 11706709
here's my server log:

Aug  3 11:25:36 master sendmail[11125]: i73GPa74011125: from=<rbraym@eurolatina.com.co>, size=40702, class=0, nrcpts=1, msgid=<015a01c47977$5d987c40$0d65f53f@euronetadmin>, proto=SMTP, daemon=MTA, relay=[63.245.101.13]
Aug  3 11:25:37 master MailScanner[6930]: New Batch: Scanning 1 messages, 41185 bytes
Aug  3 11:25:37 master ipop3d[11112]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=1
Aug  3 11:25:37 master MailScanner[6930]: Spam Checks: Starting
Aug  3 11:25:39 master ipop3d[11127]: pop3 service init from 63.245.85.178
Aug  3 11:25:40 master ipop3d[11127]: Login user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0/0
Aug  3 11:25:42 master ipop3d[11127]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=0
Aug  3 11:25:46 master MailScanner[6930]: Virus and Content Scanning: Starting
Aug  3 11:25:46 master MailScanner[6930]: Uninfected: Delivered 1 messages
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client, error: load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem failed: 0
Aug  3 11:25:47 master sendmail[11138]: i73GPa74011125: to=<rbraym@eurolatina.com.co>, ctladdr=<rbraym@eurolatina.com.co> (502/504), delay=00:00:11, xdelay=00:00:00, mailer=local, pri=160702, dsn=2.0.0, stat=Sent

The infected message is from rbraym@eurolatina.com.co to the same address. As you can see, MailScanner starts checking the mail, but f-prot doesn't find the virus..

I can see that it's detecting other viruses, but not this one.. see this:

Aug  3 11:28:10 master MailScanner[7115]: Virus and Content Scanning: Starting
Aug  3 11:28:10 master MailScanner[7115]: /var/spool/MailScanner/incoming/7115/i73GRtD2011408/New_MP3_Player.scr  Infection: W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found virus W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found 1 infections
Aug  3 11:28:10 master MailScanner[7115]: Infected message i73GRtD2011408 came from 200.69.126.21
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: Found 1 viruses
Aug  3 11:28:10 master MailScanner[7115]: Filename Checks: Possible virus hidden in a screensaver (i73GRtD2011408 New_MP3_Player.scr)
Aug  3 11:28:10 master MailScanner[7115]: Other Checks: Found 1 problems
Aug  3 11:28:10 master MailScanner[7115]: Saved infected "New_MP3_Player.scr" to /var/spool/MailScanner/quarantine/20040803/i73GRtD2011408

So, what could it be??
 
LVL 40

Expert Comment

by:jlevie
ID: 11711490
Are you sure that the copy of F-Prot that MailScanner is using has the current sigs?
 

Author Comment

by:rbraym
ID: 11715935
Yes. As I said above, I transferred the infected .eml file to the server and then I ran f-prot to check this file and it detected the virus, but not in incoming mails.
 
LVL 40

Accepted Solution

by:jlevie
ID: 11716810
I'd suggest that you check what copy of F-Prot MailScanner is using by looking at the last field of the MailScanner etc/virus.scanners.conf (default is /usr/local/f-prot). Then scan the file the way MailScanner would by invoking lib/f-prot-wrapper <path-from-virus.scanners.conf> test-file.
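
The check from the accepted answer, as a shell example added here (not code from the thread or from MailScanner). It assumes each virus.scanners.conf line reads `<name> <wrapper> <install-dir>`; the sample config and its `/opt/MailScanner` paths are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout of virus.scanners.conf: "<name> <wrapper> <install-dir>" per
# line, '#' starts a comment. The thread itself only confirms the last field.

# scanner_fields CONF NAME -> prints "<wrapper> <install-dir>", exit 1 if absent
scanner_fields() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                                  # strip comments
        NF >= 3 && $1 == name { print $2, $NF; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# wrapper_command CONF NAME FILE -> the command that scans FILE the way
# MailScanner would: <wrapper> <install-dir> <file>
wrapper_command() {
    fields=$(scanner_fields "$1" "$2") || { echo "no '$2' entry in $1" >&2; return 1; }
    printf '%s %s %s\n' "${fields%% *}" "${fields##* }" "$3"
}

# same_copy CONF NAME BINARY -> 0 if BINARY (the scanner run by hand) sits in
# the install dir MailScanner is configured to use, 1 if it is another copy.
# Resolve symlinks in BINARY before calling this.
same_copy() {
    fields=$(scanner_fields "$1" "$2") || return 2
    install_dir=${fields##* }
    case "$(dirname "$3")" in
        "$install_dir"|"$install_dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config; paths are illustrative, not taken from the thread.
sample_conf() {
    cat <<'EOF'
# name    wrapper                                install dir
sophos    /opt/MailScanner/lib/sophos-wrapper    /usr/local/Sophos
f-prot    /opt/MailScanner/lib/f-prot-wrapper    /usr/local/f-prot   # default
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
wrapper_command "$conf" f-prot /tmp/test.eml
same_copy "$conf" f-prot /usr/bin/f-prot ||
    echo "f-prot run by hand is not the copy MailScanner uses"
rm -f "$conf"
```

If the hand-run binary and the configured install directory differ, compare the signature file dates in both locations before trusting a manual scan result.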

Question has a verified solution.