  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 394

Problem with f-prot

Hi experts..

I have a server running MailScanner and the F-Prot antivirus. Recently I've been receiving many mails with W32.Mydoom.M@mm as an attached file, even though F-Prot updates every day.

What can it be? What can I do to stop this virus?

Thanks
0
rbraym
Asked:
1 Solution
 
pablouruguayCommented:
First of all, you need to check antivirus updates every HOUR, not every DAY.
Other things:

Read the headers of the messages; maybe your MailScanner is not working well.

Run MailScanner in console mode to test whether it is really working; just type mailscanner at the prompt of your console.

ClamAV is the free antivirus option. I tested it and it is really great.
0
 
rbraymAuthor Commented:
I made a test with an infected .eml file (F-Prot detects it as MyDoom.O, but my Symantec antivirus detects it as MyDoom.m). I transferred it via FTP to the server and then ran f-prot to scan it. It found the virus! So what can be wrong?

What should I do?
0
 
pablouruguayCommented:
I think MailScanner is not intercepting your mails.

Check with ps -ef whether MailScanner is up and running.

After that you can send an email to the server, check with ps -ef that MailScanner is up, and check the mail.

check in the /var/log/maillog if mailscanner put the messages in a quotat on /var/spool/mail/mqueue.in

And with MailScanner you can have more than 1 scanner engine.

Try ClamAV; it is a free software project.

:)
0
 
rbraymAuthor Commented:
here's my server log:

Aug  3 11:25:36 master sendmail[11125]: i73GPa74011125: from=<rbraym@eurolatina.com.co>, size=40702, class=0, nrcpts=1, msgid=<015a01c47977$5d987c40$0d65f53f@euronetadmin>, proto=SMTP, daemon=MTA, relay=[63.245.101.13]
Aug  3 11:25:37 master MailScanner[6930]: New Batch: Scanning 1 messages, 41185 bytes
Aug  3 11:25:37 master ipop3d[11112]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=1
Aug  3 11:25:37 master MailScanner[6930]: Spam Checks: Starting
Aug  3 11:25:39 master ipop3d[11127]: pop3 service init from 63.245.85.178
Aug  3 11:25:40 master ipop3d[11127]: Login user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0/0
Aug  3 11:25:42 master ipop3d[11127]: Logout user=a.gonzalez host=esierra.eurolatina.com.co [63.245.85.178] nmsgs=0 ndele=0
Aug  3 11:25:46 master MailScanner[6930]: Virus and Content Scanning: Starting
Aug  3 11:25:46 master MailScanner[6930]: Uninfected: Delivered 1 messages
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or directory
Aug  3 11:25:46 master sendmail[11136]: STARTTLS=client, error: load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem failed: 0
Aug  3 11:25:47 master sendmail[11138]: i73GPa74011125: to=<rbraym@eurolatina.com.co>, ctladdr=<rbraym@eurolatina.com.co> (502/504), delay=00:00:11, xdelay=00:00:00, mailer=local, pri=160702, dsn=2.0.0, stat=Sent

The infected message is from rbraym@eurolatina.com.co to the same address. As you can see, MailScanner starts checking the mail, but f-prot doesn't find the virus..

I can see that it's detecting other viruses, but not this one.. see this:

Aug  3 11:28:10 master MailScanner[7115]: Virus and Content Scanning: Starting
Aug  3 11:28:10 master MailScanner[7115]: /var/spool/MailScanner/incoming/7115/i73GRtD2011408/New_MP3_Player.scr  Infection: W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found virus W32/Bagle.AI@mm
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: F-Prot found 1 infections
Aug  3 11:28:10 master MailScanner[7115]: Infected message i73GRtD2011408 came from 200.69.126.21
Aug  3 11:28:10 master MailScanner[7115]: Virus Scanning: Found 1 viruses
Aug  3 11:28:10 master MailScanner[7115]: Filename Checks: Possible virus hidden in a screensaver (i73GRtD2011408 New_MP3_Player.scr)
Aug  3 11:28:10 master MailScanner[7115]: Other Checks: Found 1 problems
Aug  3 11:28:10 master MailScanner[7115]: Saved infected "New_MP3_Player.scr" to /var/spool/MailScanner/quarantine/20040803/i73GRtD2011408

So, what could it be??
0
 
jlevieCommented:
Are you sure that the copy of F-Prot that MailScanner is using has the current sigs?
0
 
rbraymAuthor Commented:
Yes. As I said above, I transferred the infected .eml file to the server and then I ran f-prot to check this file and it detected the virus, but not in incoming mails.
0
 
jlevieCommented:
I'd suggest that you check what copy of F-Prot MailScanner is using by looking at the last field of the MailScanner etc/virus.scanners.conf (default is /usr/local/f-prot). Then scan the file the way MailScanner would by invoking lib/f-prot-wrapper <path-from-virus.scanners.conf> test-file.
0
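The check suggested in the last comment, as an added example that is not part of any post in this thread: it reads the wrapper and install directory for a scanner from virus.scanners.conf and tells you whether a manual scan used that same install. The three-field line format, the function names and every path in the demo are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example: which F-Prot install does MailScanner use, and is it the
# same one a manual scan used? Paths and sample config are constructed.

# Print "<wrapper> <install-dir>" for one scanner in virus.scanners.conf.
# Assumed line format: name, wrapper, install dir (whitespace separated).
scanner_entry() {   # $1 = config file, $2 = scanner name
    awk -v want="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        $1 == want { print $2, $NF; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Succeed only if the binary tested by hand lives in the configured dir.
# Returns 2 when either directory does not exist.
same_install() {    # $1 = configured install dir, $2 = binary run by hand
    cfg=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    man=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 2
    [ "$cfg" = "$man" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/local/f-prot" "$tmp/opt/f-prot"
    # Constructed sample config, not taken from the poster's server.
    printf '%s\n' '# name  wrapper  install-dir' \
        "f-prot $tmp/lib/f-prot-wrapper $tmp/usr/local/f-prot" \
        "clamav $tmp/lib/clamav-wrapper $tmp/usr/local" \
        > "$tmp/virus.scanners.conf"
    set -- $(scanner_entry "$tmp/virus.scanners.conf" f-prot)
    echo "MailScanner would run: $1 $2 <test-file>"
    # Pretend the manual scan used a second copy under opt/f-prot.
    if same_install "$2" "$tmp/opt/f-prot/f-prot"; then
        echo "manual test used the same install"
    else
        echo "manual test used a DIFFERENT install; compare signature dates"
    fi
    rm -rf "$tmp"
}
demo
```

On a real server, pass the actual virus.scanners.conf and the output of `command -v f-prot` instead of the demo paths.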
Question has a verified solution.
