F-Prot Issues

Raise/discuss any potential issues with MailEnable for consideration in project issue register.
Post Reply
Webthinking
Posts: 3
Joined: Sun Jan 29, 2012 10:26 pm

F-Prot Issues

Post by Webthinking » Fri Jul 15, 2016 3:16 am

Hi,

We're having trouble with our F-Prot integration in Mail Enable 8.61 in that sometimes it works and sometimes it doesn't. It's not working at the moment and this means it won't catch any viruses, other than the test Eicar one. The exact same configuration was working until about 5pm, yesterday, after which no more viruses have been caught. F-Prot's resident shield is turned off, so there's no conflict there.

As part of my lengthy investigations into this ongoing issue, I ran the MTA in debug mode and read through some of the output. Whilst F-Prot seems to scan clean attachments, when a known virus comes along (I can tell by the name of the attachment), the scan doesn't seem to be initiated. In the debug output, Mail Enable logs "Skipping encoded attachment" in the place where the scan activity should be. What does this mean? I can see it's been mentioned on a handful of occasions in the past, but there are no definitive answers. Why is Mail Enable seemingly not firing up F-Prot for these attachments?

Thanks

Mark

keith@vfsremote.com
Posts: 25
Joined: Fri Mar 20, 2015 7:53 pm

Re: F-Prot Issues

Post by keith@vfsremote.com » Fri Sep 23, 2016 10:31 pm

Thank God someone else is having issues with F-Prot on the same version of MailEnable as me.

Today i logged onto one of my Mail Vms in our cluster and noticed an unexpected shutdown notice. After digging through the event logs it looks as though F-Prot started consuming way too many resources due to an attachment Filering Rule in MailEnable suddenly choosing not to fire and getting several viral messages per second. Filters choosing not to work sporadically has been a consistent headache I have had with MailEnable for the past 2 years. It never truly gets resolved, I usually turn services on and off disable filters and re-enable and randomly it will work again with exactly the same settings as before.

I'm not sure which came first, but it would appear as though MailEnable and F-Prot are no longer working together nicely in my environment. I see gaps in my MEAVGEN logs over the past week on both of my clustered Mail Nodes example below

Code: Select all

Time	Action	MessageID	Connector	Filter	Result	Account	Sender	ClientIP
09/17/16 09:54:27	Start	-	-	-	-	-	-	-
09/17/16 09:54:27	Cleaned	DBF321BAAE164DECBAFDBA54F775B2F9.MAI	SMTP	MTAFILTER	1		94.186.192.205
09/19/16 07:39:02	End	-	-	-	-	-	-	-
Then on the 19th I see it working perfectly again

Code: Select all

09/19/16 07:39:02	Cleaned	720776B1507B4007B831B298EC9CB1BE.MAI	SMTP	MTAFILTER	1		208.70.91.23
09/19/16 08:39:19	Cleaned	D8B0CF08AC304C7ABD6F9BF39E0FAF51.MAI	SMTP	MTAFILTER	1	paypal@secure.net	94.186.192.206
09/19/16 09:48:45	Cleaned	3DD69F31C2014A55947157614D79A424.MAI	SF	MTAFILTER	1		SALES9@arrowstravel.com	208.70.88.1
09/19/16 09:48:59	Cleaned	2E311437B80E40FC9F80401468572D93.MAI	SF	MTAFILTER	1		SALES09@jordantours-france.com	208.70.88.1
09/19/16 09:49:07	Cleaned	8E3C29E327D64676B824F40379DD4AAE.MAI	SF	MTAFILTER	1	SALES9@cadelectric.ro	208.70.88.1
09/19/16 09:49:11	Cleaned	123C7B796E0147C2867EF4D09F60DDDA.MAI	SMTP	MTAFILTER	1		94.186.192.203
09/19/16 09:49:26	Cleaned	5BCC16C6A8C04D039E4253C64F9006A0.MAI	SMTP	MTAFILTER	1		SALES398@turnthepagebooks.com	208.70.88.1
09/19/16 09:50:00	Cleaned	E457685A45F0470FB633505831F781C2.MAI	SMTP	MTAFILTER	1		SALES794@veahome.com	208.70.88.1
09/19/16 09:51:58	Cleaned	8D3F81A7EC5840B6A6F9128D03EF5D82.MAI	SMTP	MTAFILTER	1		SALES8@lttcorp.com	208.70.88.1
09/19/16 09:55:01	Cleaned	5828F58390DB4653A275335CC9EBB22B.MAI	SMTP	MTAFILTER	1		SALES1@beatdiz.com.br	94.186.192.200
09/19/16 09:55:57	Cleaned	4BFFC9A751204B728ED4639EC557F3D8.MAI	SMTP	MTAFILTER	1	SALES713@johnmacconnell.com	208.70.88.1
09/19/16 09:59:59	Cleaned	E8F8F6A31A74463682B494E47CC3ACF7.MAI	SMTP	MTAFILTER	1		SALES33@fwr.it	208.70.88.1
09/19/16 10:02:25	Cleaned	599D5ADA12E347D796EDA6318BF3E643.MAI	SMTP	MTAFILTER	1	SALES0@tonitelife.com	208.70.88.1
09/19/16 10:06:05	Cleaned	3113438439484D2E872D67249B71DE8D.MAI	SMTP	MTAFILTER	1	SALES20@gsavary.net	208.70.88.1
09/19/16 10:12:42	Cleaned	FCE1812022834D998C44F0F682A674E4.MAI	SMTP	MTAFILTER	1		SALES73@tnma.co.za	208.70.88.1
09/19/16 10:19:06	Cleaned	4BE672F4D937429584A26C91500328AA.MAI	SMTP	MTAFILTER	1	SALES68@gracelutherville.org	208.70.88.1
09/19/16 10:19:09	Cleaned	0C77C17433B04EBFA99CC600C36C5C1D.MAI	SMTP	MTAFILTER	1		SALES62@parthe.com	94.186.192.205
09/19/16 10:19:50	Cleaned	0CF862A388EF4251BF85582494B87054.MAI	SMTP	MTAFILTER	1		SALES0@martinemail.us	208.70.88.1
09/19/16 10:25:34	Cleaned	A442E9468B7A4D9C9241528C3015315B.MAI	SMTP	MTAFILTER	1		SALES84@raptureforums.com	208.70.88.1
09/19/16 10:25:36	Cleaned	9027502A1788474A8A7C32DC9A91B706.MAI	SMTP	MTAFILTER	1		SALES850@uselessfacts.net	208.70.88.1
09/19/16 10:27:14	Cleaned	95EE3B76646641EE8E15C474FBCD2C60.MAI	SMTP	MTAFILTER	1		SALES33@nietubicz.com	208.70.88.1
09/19/16 10:28:05	Cleaned	7CACC925043945B886971940A7E41F1D.MAI	SMTP	MTAFILTER	1	SALES569@ankaratb.org.tr	208.70.88.1
09/19/16 10:30:27	Cleaned	337D75E908C34B06B7998B4C5E15326C.MAI	SMTP	MTAFILTER	1	SALES54@wikileakssupportersforum.com	208.70.88.1
09/19/16 10:30:30	Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\F3F9F7~1.MAI\2.ATT" /report /archive=5) took too long and was terminated
09/19/16 10:31:34	Cleaned	2B8D3A261104453482DCD369E8FA329B.MAI	SF	MTAFILTER	1		SALES2@anthonyneff.com	208.70.88.1
09/19/16 10:32:05	Cleaned	6E5047948C0D48FDA22C5CDB83240933.MAI	SMTP	MTAFILTER	1		SALES06@gbiru.ru	208.70.88.1
09/19/16 10:37:26	Cleaned	37C8EB174E7542F2B86DCEBD955A70A5.MAI	SMTP	MTAFILTER	1		SALES24@orbiswireless.com	208.70.88.1
09/19/16 10:39:44	Cleaned	6D603A8F851C4B29814C91C22777D6A1.MAI	SMTP	MTAFILTER	1		SALES846@yokotranslation.com	208.70.88.1
09/19/16 10:42:52	Cleaned	70B34396866D42EAA5B0F4EF330930EF.MAI	SMTP	MTAFILTER	1		SALES493@bebesilaw.hu	208.70.88.1
09/19/16 10:49:15	Cleaned	D1056AC18D274576808B3FB43B0933EB.MAI	SF	MTAFILTER	1		SALES18@bicicletaria.com.br	208.70.88.1
09/19/16 10:49:15	Cleaned	897E767DDA234316B720954CF089F1AB.MAI	SMTP	MTAFILTER	1		SALES43@venanpecas.com.br	208.70.88.1
09/19/16 10:51:37	Cleaned	62E004EEA3824A17AD4A0D1C35B6AB99.MAI	SMTP	MTAFILTER	1		SALES595@ttatva.com	208.70.88.1
09/19/16 10:52:21	Cleaned	B0CB9F7CBCBE434F8DDF5A5B7D86F39E.MAI	SMTP	MTAFILTER	1	SALES29@twguaimbe.org	208.70.88.1
09/19/16 10:52:25	Cleaned	753FF35CA2E44862B8A9B6B8643F754F.MAI	SMTP	MTAFILTER	1		SALES02@sdbua.net	208.70.88.1
09/19/16 10:54:19	Cleaned	63155BFF313448EBAF730EDA281E726A.MAI	SMTP	MTAFILTER	1		SALES9@venuespn.co.nz	208.70.88.1
09/19/16 10:56:22	Cleaned	913D52573A894AEC8EEAB47A977F10C8.MAI	SMTP	MTAFILTER	1	SALES795@esssys.com	208.70.88.1
09/19/16 11:02:59	Cleaned	FD06D0B2DDA742B1BC5C011C3884FF29.MAI	SMTP	MTAFILTER	1	SALES72@thepropertyguru.co.za	208.70.88.1
09/19/16 11:04:09	Cleaned	79843E325483420EAE5F3A7E73815E54.MAI	SMTP	MTAFILTER	1			SALES1@anmlangls.org	208.70.88.1
09/19/16 11:07:07	Cleaned	30ACFE6282414504B2B31B4D34783AFF.MAI	SMTP	MTAFILTER	1		SALES102@nzdesigns.biz	208.70.88.1
09/19/16 11:07:24	Cleaned	ABACDFCB8A18474C878C8638A039CBEE.MAI	SMTP	MTAFILTER	1	pacificcoastmarketing.org	SALES7@placorinc.com	208.70.88.1
09/19/16 11:10:55	Cleaned	FFA438B8D44C420689DF64AE94B79BE0.MAI	SF	MTAFILTER	1		SALES04@fostersplace.com	208.70.88.1
09/19/16 11:12:03	Cleaned	F44AAD15979E45908B8626A3323A67E4.MAI	SMTP	MTAFILTER	1		SALES3@optimalclix.com	208.70.88.1
09/19/16 11:13:09	Cleaned	6CF71AFCA6994D31B420DD329B2441B8.MAI	SMTP	MTAFILTER	1		SALES3@ectb-ingenierie.fr	208.70.88.1
09/19/16 11:22:07	Cleaned	7671CF1466C34832BA4929AFE2495933.MAI	SMTP	MTAFILTER	1		SALES4@zekiler.com	208.70.88.1
09/19/16 11:24:16	Cleaned	9EF481A8AEB549B3B62D220DF28C6369.MAI	SF	MTAFILTER	1		SALES341@archeologica.ch	208.70.88.1
09/19/16 11:27:32	Cleaned	03FC542E98D649C791CC424FED4FBBFD.MAI	SMTP	MTAFILTER	1		SALES99@autopiramide.pt	208.70.88.1
09/19/16 11:29:14	Cleaned	9A308E9690024239A0D51AA6A44B4EC5.MAI	SMTP	MTAFILTER	1		SALES632@robertsyasoc.com	208.70.88.1
09/19/16 11:30:33	Cleaned	69B2CEFE3C1648FE888300A347DA1DAC.MAI	SMTP	MTAFILTER	1		SALES613@wohlenberg.ru	208.70.88.1
09/19/16 11:30:59	Cleaned	9EE16204C81242B48949FDF68C3865C2.MAI	SMTP	MTAFILTER	1		SALES91@arkana.ru	208.70.88.1
09/19/16 11:31:36	Cleaned	CE31D0E2590343FA84F0F91F1B643386.MAI	SMTP	MTAFILTER	1		SALES471@bestintactics.com	208.70.88.1
09/19/16 11:38:54	Cleaned	811659BD3D834ED2BEEF6047C262986D.MAI	SMTP	MTAFILTER	1		SALES89@nnacijc.org	94.186.192.206
09/19/16 11:39:09	Cleaned	74ABB6CF9F1443D28E2E67E3E49E084E.MAI	SMTP	MTAFILTER	1		SALES8@virtualpages.com	208.70.88.1
09/19/16 11:41:52	Cleaned	BEB5A9997DA14145B299CC879DDE6841.MAI	SMTP	MTAFILTER	1		SALES5@woonhuisstyliste.nl	208.70.88.1
09/19/16 11:42:51	Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\1D574A~1.MAI\1.ATT" /report /archive=5) took too long and was terminated
09/19/16 11:47:51	Cleaned	4F0C5F056E764F2CABE0D8AF4CC2E67D.MAI	SF	MTAFILTER	1		SALES61@ates-insaat.com	208.70.88.1
09/19/16 11:49:28	Cleaned	1C85660CC7B849A8912DEAF8A5159BEC.MAI	SMTP	MTAFILTER	1		SALES6@gdp.net.vn	208.70.88.1
09/19/16 11:50:53	Cleaned	F16824B54C4A4AA285D41BAB21022AAD.MAI	SMTP	MTAFILTER	1		SALES13@rasterkonsulten.se	208.70.88.1
09/19/16 11:53:28	Cleaned	5762E0AA3CC14F479A0291813A9E8D40.MAI	SMTP	MTAFILTER	1		SALES9@bmacsolar.com	208.70.88.1
09/19/16 11:55:00	Cleaned	8DE215891B0749FCAD50A2B25A451525.MAI	SF	MTAFILTER	1		SALES4@wega-astro.be	94.186.192.205
09/19/16 11:58:23	Cleaned	ACB4AB98A6CE482BB13F838B8B4FCD2E.MAI	SMTP	MTAFILTER	1		SALES261@bsservicios.com	208.70.88.1
09/19/16 11:58:47	Cleaned	D6A4C06685684ADEAF4C6C93487BFFFF.MAI	SMTP	MTAFILTER	1		SALES1@taxivan.mx	208.70.88.1
09/19/16 11:59:42	Cleaned	89F2E185F3EA4F659C3306FFC48BD808.MAI	SMTP	MTAFILTER	1		SALES4@hasten.com.br	208.70.88.1
09/19/16 12:00:01	Cleaned	1103AE10EDA34178A7DE0A72DBA2B466.MAI	SMTP	MTAFILTER	1		SALES3@taylorsyfan.com	208.70.88.1
09/19/16 12:03:56	Cleaned	350D52E437434D10B0D40427B01E6F85.MAI	SMTP	MTAFILTER	1	SALES26@smithsshoecenter.com	208.70.88.1
09/19/16 12:04:32	Cleaned	F81334158D37411DB3B23760AD1BCE67.MAI	SF	MTAFILTER	1		SALES0@philippinetours.com.au	208.70.88.1
Then on the 20th it stopped working again

Code: Select all

09/20/16 08:59:04	Start	-	-	-	-	-	-	-
09/20/16 08:59:04	Cleaned	A2C7733FAD11473F89E39BD52D970ABD.MAI	SMTP	MTAFILTER	1		POSTMASTER@myvfmail.com	208.70.91.142
09/20/16 10:10:25	Cleaned	65397EC75CB8429D9EB80D5315A221AF.MAI	SMTP	MTAFILTER	1		POSTMASTER@myvfmail.com	208.70.88.1
09/21/16 09:39:50	End	-	-	-	-	-	-	-

Today message filter logs simply aren't showing the Mailenable VIRUS Filter Rule being executed at all. I go to the MTAFILTER-report from a few days ago and it was firing pretty regularly, I could see it being applied to messages.

Today's MEAVGEN report shows

Code: Select all

09/23/16 16:24:46	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\00408FDD98764BE2B63DAD284DEE2B58.MAI (Error: 5)
09/23/16 16:24:52	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\1.ATT (Error: 5)
09/23/16 16:24:58	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\2.ATT (Error: 5)
09/23/16 16:25:04	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\3.ATT (Error: 5)
09/23/16 16:25:04	->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI (Error: 2)
I go to Servers > localhost > Extensions > Message Filter > MailEnable Antivirus filter and it is enabled. I click into properties and F-Prot version 6 is enabled. I click test settings and it returns

Code: Select all

F-PROT Antivirus CLS version 6.7.5.5955, 32bit (built: 2011-10-03T19-58-16)


FRISK Software International (C) Copyright 1989-2011
Engine version:   4.6.5.141
Arguments:        C:\PROGRA~2\MAILEN~1\Scratch\EICAR.ZIP /report /archive=5 
Virus signatures: 201609231936
                  (C:\ProgramData\FRISK Software\F-PROT Antivirus for Windows\antivir.def)

[Error] <Can not open file: No such file or directory>	C:\PROGRA~2\MAILEN~1\Scratch\EICAR.ZIP


Results:

Files: 1
Skipped files: 1
MBR/boot sectors checked: 0
Objects scanned: 0
Infected objects: 0
Infected files: 0
Files with errors: 0
Disinfected: 0

Running time: 00:01
At the same time F-Prot pops up with a notification with "DESCRIPTION File Not Found FILENAME EICAR.ZIP STATUS removed". So I come to the conclusion that real time scanning must be picking it up and FPROT is deleting it before mailenable can do anything. Ok, then lets add a folder exclusion to F-Prot, this shouldn't be a problem as I would assume this only excludes real-time scanning and not the individual calls for fpscan.exe. So I exclude the scratch folder then test. The test passes. I restart MailEnable Services and wait. The MTAFilterReport is still not showing the rule being executed on at all and I am still getting the below in the MEAVGEN report

Code: Select all

09/23/16 16:33:57	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\83A782E23A2E44A3B9661CA2EDBB41B0.MAI\83A782E23A2E44A3B9661CA2EDBB41B0.MAI (Error: 5)
09/23/16 16:33:57	->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\83A782E23A2E44A3B9661CA2EDBB41B0.MAI (Error: 2)
09/23/16 16:36:03	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\F5B572001B0E43029BB33D6F44FF06D0.MAI\F5B572001B0E43029BB33D6F44FF06D0.MAI (Error: 5)
09/23/16 16:36:03	->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\F5B572001B0E43029BB33D6F44FF06D0.MAI (Error: 2)
09/23/16 16:43:22	->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\91315568D2A940B2BAC9BC416EBE8B5D.MAI\91315568D2A940B2BAC9BC416EBE8B5D.MAI (Error: 5)
09/23/16 16:43:22	->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\91315568D2A940B2BAC9BC416EBE8B5D.MAI (Error: 2)
So I figure well maybe the exclusion is being applied to fpscan.exe, Mailenable is asking for a return code and isn't getting one or is getting a clean status due to the directory being excluded.... so I remove the exclusions and turn off real time protection completely. I go through the whole process of testing the MailEnable Antivirus filter properties and it passes. Now I restart and wait again. Still the same results. In fact, now the MEAVGEN report isn't even logging anymore, last update was over 40 minutes ago.

So your probably thinking, "Ok well we need to eliminate 3rd party pickup events." We have 7 Mailenable filters, the first using mailenable to specify certain headers to not be filtered. the second is using criteria script to stop filtering on certain domains, the third using criteria script to stop filtering on certain mailboxes, the fourth takes attachments we don't allow, copies message quarantine and deletes, the 5th is the Virus Rule that copies message to quarantine and deletes, the 6th is a rule that says if a message is larger than 712000 stop processing filters, and the 7th is rule that checks against spam assassin, then copies to quarantine and deletes. I have tried disabling these all except for the virus rule to no avail.

I would appreciate any input anyone can give on these issues

Thank You,

Keith Damron

VisionFriendly.com
Keith Damron
Manager of Customer Support

VisionFriendly.com
1245 E. Diehl Road, Suite 307
Naperville, IL 60563
630 553-0000 x112
Keith@visionfriendly.com

Post Reply