Hi,
We're having trouble with our F-Prot integration in Mail Enable 8.61 in that sometimes it works and sometimes it doesn't. It's not working at the moment and this means it won't catch any viruses, other than the test Eicar one. The exact same configuration was working until about 5pm, yesterday, after which no more viruses have been caught. F-Prot's resident shield is turned off, so there's no conflict there.
As part of my lengthy investigations into this ongoing issue, I ran the MTA in debug mode and read through some of the output. Whilst F-Prot seems to scan clean attachments, when a known virus comes along (I can tell by the name of the attachment), the scan doesn't seem to be initiated. In the debug output, Mail Enable logs "Skipping encoded attachment" in the place where the scan activity should be. What does this mean? I can see it's been mentioned on a handful of occasions in the past, but there are no definitive answers. Why is Mail Enable seemingly not firing up F-Prot for these attachments?
Thanks
Mark
F-Prot Issues
Re: F-Prot Issues
Thank God someone else is having issues with F-Prot on the same version of MailEnable as me.
Today I logged onto one of my Mail VMs in our cluster and noticed an unexpected shutdown notice. After digging through the event logs it looks as though F-Prot started consuming way too many resources due to an attachment Filtering Rule in MailEnable suddenly choosing not to fire and getting several viral messages per second. Filters choosing not to work sporadically has been a consistent headache I have had with MailEnable for the past 2 years. It never truly gets resolved; I usually turn services on and off, disable filters and re-enable, and randomly it will work again with exactly the same settings as before.
I'm not sure which came first, but it would appear as though MailEnable and F-Prot are no longer working together nicely in my environment. I see gaps in my MEAVGEN logs over the past week on both of my clustered Mail Nodes, example below
Then on the 19th I see it working perfectly again
Then on the 20th it stopped working again
Today message filter logs simply aren't showing the MailEnable VIRUS Filter Rule being executed at all. I go to the MTAFILTER-report from a few days ago and it was firing pretty regularly, I could see it being applied to messages.
Today's MEAVGEN report shows
I go to Servers > localhost > Extensions > Message Filter > MailEnable Antivirus filter and it is enabled. I click into properties and F-Prot version 6 is enabled. I click test settings and it returns
At the same time F-Prot pops up with a notification with "DESCRIPTION File Not Found FILENAME EICAR.ZIP STATUS removed". So I come to the conclusion that real time scanning must be picking it up and FPROT is deleting it before MailEnable can do anything. Ok, then let's add a folder exclusion to F-Prot, this shouldn't be a problem as I would assume this only excludes real-time scanning and not the individual calls for fpscan.exe. So I exclude the scratch folder then test. The test passes. I restart MailEnable Services and wait. The MTAFilterReport is still not showing the rule being executed at all and I am still getting the below in the MEAVGEN report
So I figure, well, maybe the exclusion is being applied to fpscan.exe, MailEnable is asking for a return code and isn't getting one or is getting a clean status due to the directory being excluded... so I remove the exclusions and turn off real time protection completely. I go through the whole process of testing the MailEnable Antivirus filter properties and it passes. Now I restart and wait again. Still the same results. In fact, now the MEAVGEN report isn't even logging anymore, last update was over 40 minutes ago.
So you're probably thinking, "Ok well we need to eliminate 3rd party pickup events." We have 7 MailEnable filters, the first using MailEnable to specify certain headers to not be filtered, the second is using criteria script to stop filtering on certain domains, the third using criteria script to stop filtering on certain mailboxes, the fourth takes attachments we don't allow, copies message to quarantine and deletes, the 5th is the Virus Rule that copies message to quarantine and deletes, the 6th is a rule that says if a message is larger than 712000 stop processing filters, and the 7th is a rule that checks against SpamAssassin, then copies to quarantine and deletes. I have tried disabling these all except for the virus rule to no avail.
I would appreciate any input anyone can give on these issues
Thank You,
Keith Damron
VisionFriendly.com
Code:
Time Action MessageID Connector Filter Result Account Sender ClientIP
09/17/16 09:54:27 Start - - - - - - -
09/17/16 09:54:27 Cleaned DBF321BAAE164DECBAFDBA54F775B2F9.MAI SMTP MTAFILTER 1 94.186.192.205
09/19/16 07:39:02 End - - - - - - -
Code:
09/19/16 07:39:02 Cleaned 720776B1507B4007B831B298EC9CB1BE.MAI SMTP MTAFILTER 1 208.70.91.23
09/19/16 08:39:19 Cleaned D8B0CF08AC304C7ABD6F9BF39E0FAF51.MAI SMTP MTAFILTER 1 paypal@secure.net 94.186.192.206
09/19/16 09:48:45 Cleaned 3DD69F31C2014A55947157614D79A424.MAI SF MTAFILTER 1 SALES9@arrowstravel.com 208.70.88.1
09/19/16 09:48:59 Cleaned 2E311437B80E40FC9F80401468572D93.MAI SF MTAFILTER 1 SALES09@jordantours-france.com 208.70.88.1
09/19/16 09:49:07 Cleaned 8E3C29E327D64676B824F40379DD4AAE.MAI SF MTAFILTER 1 SALES9@cadelectric.ro 208.70.88.1
09/19/16 09:49:11 Cleaned 123C7B796E0147C2867EF4D09F60DDDA.MAI SMTP MTAFILTER 1 94.186.192.203
09/19/16 09:49:26 Cleaned 5BCC16C6A8C04D039E4253C64F9006A0.MAI SMTP MTAFILTER 1 SALES398@turnthepagebooks.com 208.70.88.1
09/19/16 09:50:00 Cleaned E457685A45F0470FB633505831F781C2.MAI SMTP MTAFILTER 1 SALES794@veahome.com 208.70.88.1
09/19/16 09:51:58 Cleaned 8D3F81A7EC5840B6A6F9128D03EF5D82.MAI SMTP MTAFILTER 1 SALES8@lttcorp.com 208.70.88.1
09/19/16 09:55:01 Cleaned 5828F58390DB4653A275335CC9EBB22B.MAI SMTP MTAFILTER 1 SALES1@beatdiz.com.br 94.186.192.200
09/19/16 09:55:57 Cleaned 4BFFC9A751204B728ED4639EC557F3D8.MAI SMTP MTAFILTER 1 SALES713@johnmacconnell.com 208.70.88.1
09/19/16 09:59:59 Cleaned E8F8F6A31A74463682B494E47CC3ACF7.MAI SMTP MTAFILTER 1 SALES33@fwr.it 208.70.88.1
09/19/16 10:02:25 Cleaned 599D5ADA12E347D796EDA6318BF3E643.MAI SMTP MTAFILTER 1 SALES0@tonitelife.com 208.70.88.1
09/19/16 10:06:05 Cleaned 3113438439484D2E872D67249B71DE8D.MAI SMTP MTAFILTER 1 SALES20@gsavary.net 208.70.88.1
09/19/16 10:12:42 Cleaned FCE1812022834D998C44F0F682A674E4.MAI SMTP MTAFILTER 1 SALES73@tnma.co.za 208.70.88.1
09/19/16 10:19:06 Cleaned 4BE672F4D937429584A26C91500328AA.MAI SMTP MTAFILTER 1 SALES68@gracelutherville.org 208.70.88.1
09/19/16 10:19:09 Cleaned 0C77C17433B04EBFA99CC600C36C5C1D.MAI SMTP MTAFILTER 1 SALES62@parthe.com 94.186.192.205
09/19/16 10:19:50 Cleaned 0CF862A388EF4251BF85582494B87054.MAI SMTP MTAFILTER 1 SALES0@martinemail.us 208.70.88.1
09/19/16 10:25:34 Cleaned A442E9468B7A4D9C9241528C3015315B.MAI SMTP MTAFILTER 1 SALES84@raptureforums.com 208.70.88.1
09/19/16 10:25:36 Cleaned 9027502A1788474A8A7C32DC9A91B706.MAI SMTP MTAFILTER 1 SALES850@uselessfacts.net 208.70.88.1
09/19/16 10:27:14 Cleaned 95EE3B76646641EE8E15C474FBCD2C60.MAI SMTP MTAFILTER 1 SALES33@nietubicz.com 208.70.88.1
09/19/16 10:28:05 Cleaned 7CACC925043945B886971940A7E41F1D.MAI SMTP MTAFILTER 1 SALES569@ankaratb.org.tr 208.70.88.1
09/19/16 10:30:27 Cleaned 337D75E908C34B06B7998B4C5E15326C.MAI SMTP MTAFILTER 1 SALES54@wikileakssupportersforum.com 208.70.88.1
09/19/16 10:30:30 Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\F3F9F7~1.MAI\2.ATT" /report /archive=5) took too long and was terminated
09/19/16 10:31:34 Cleaned 2B8D3A261104453482DCD369E8FA329B.MAI SF MTAFILTER 1 SALES2@anthonyneff.com 208.70.88.1
09/19/16 10:32:05 Cleaned 6E5047948C0D48FDA22C5CDB83240933.MAI SMTP MTAFILTER 1 SALES06@gbiru.ru 208.70.88.1
09/19/16 10:37:26 Cleaned 37C8EB174E7542F2B86DCEBD955A70A5.MAI SMTP MTAFILTER 1 SALES24@orbiswireless.com 208.70.88.1
09/19/16 10:39:44 Cleaned 6D603A8F851C4B29814C91C22777D6A1.MAI SMTP MTAFILTER 1 SALES846@yokotranslation.com 208.70.88.1
09/19/16 10:42:52 Cleaned 70B34396866D42EAA5B0F4EF330930EF.MAI SMTP MTAFILTER 1 SALES493@bebesilaw.hu 208.70.88.1
09/19/16 10:49:15 Cleaned D1056AC18D274576808B3FB43B0933EB.MAI SF MTAFILTER 1 SALES18@bicicletaria.com.br 208.70.88.1
09/19/16 10:49:15 Cleaned 897E767DDA234316B720954CF089F1AB.MAI SMTP MTAFILTER 1 SALES43@venanpecas.com.br 208.70.88.1
09/19/16 10:51:37 Cleaned 62E004EEA3824A17AD4A0D1C35B6AB99.MAI SMTP MTAFILTER 1 SALES595@ttatva.com 208.70.88.1
09/19/16 10:52:21 Cleaned B0CB9F7CBCBE434F8DDF5A5B7D86F39E.MAI SMTP MTAFILTER 1 SALES29@twguaimbe.org 208.70.88.1
09/19/16 10:52:25 Cleaned 753FF35CA2E44862B8A9B6B8643F754F.MAI SMTP MTAFILTER 1 SALES02@sdbua.net 208.70.88.1
09/19/16 10:54:19 Cleaned 63155BFF313448EBAF730EDA281E726A.MAI SMTP MTAFILTER 1 SALES9@venuespn.co.nz 208.70.88.1
09/19/16 10:56:22 Cleaned 913D52573A894AEC8EEAB47A977F10C8.MAI SMTP MTAFILTER 1 SALES795@esssys.com 208.70.88.1
09/19/16 11:02:59 Cleaned FD06D0B2DDA742B1BC5C011C3884FF29.MAI SMTP MTAFILTER 1 SALES72@thepropertyguru.co.za 208.70.88.1
09/19/16 11:04:09 Cleaned 79843E325483420EAE5F3A7E73815E54.MAI SMTP MTAFILTER 1 SALES1@anmlangls.org 208.70.88.1
09/19/16 11:07:07 Cleaned 30ACFE6282414504B2B31B4D34783AFF.MAI SMTP MTAFILTER 1 SALES102@nzdesigns.biz 208.70.88.1
09/19/16 11:07:24 Cleaned ABACDFCB8A18474C878C8638A039CBEE.MAI SMTP MTAFILTER 1 pacificcoastmarketing.org SALES7@placorinc.com 208.70.88.1
09/19/16 11:10:55 Cleaned FFA438B8D44C420689DF64AE94B79BE0.MAI SF MTAFILTER 1 SALES04@fostersplace.com 208.70.88.1
09/19/16 11:12:03 Cleaned F44AAD15979E45908B8626A3323A67E4.MAI SMTP MTAFILTER 1 SALES3@optimalclix.com 208.70.88.1
09/19/16 11:13:09 Cleaned 6CF71AFCA6994D31B420DD329B2441B8.MAI SMTP MTAFILTER 1 SALES3@ectb-ingenierie.fr 208.70.88.1
09/19/16 11:22:07 Cleaned 7671CF1466C34832BA4929AFE2495933.MAI SMTP MTAFILTER 1 SALES4@zekiler.com 208.70.88.1
09/19/16 11:24:16 Cleaned 9EF481A8AEB549B3B62D220DF28C6369.MAI SF MTAFILTER 1 SALES341@archeologica.ch 208.70.88.1
09/19/16 11:27:32 Cleaned 03FC542E98D649C791CC424FED4FBBFD.MAI SMTP MTAFILTER 1 SALES99@autopiramide.pt 208.70.88.1
09/19/16 11:29:14 Cleaned 9A308E9690024239A0D51AA6A44B4EC5.MAI SMTP MTAFILTER 1 SALES632@robertsyasoc.com 208.70.88.1
09/19/16 11:30:33 Cleaned 69B2CEFE3C1648FE888300A347DA1DAC.MAI SMTP MTAFILTER 1 SALES613@wohlenberg.ru 208.70.88.1
09/19/16 11:30:59 Cleaned 9EE16204C81242B48949FDF68C3865C2.MAI SMTP MTAFILTER 1 SALES91@arkana.ru 208.70.88.1
09/19/16 11:31:36 Cleaned CE31D0E2590343FA84F0F91F1B643386.MAI SMTP MTAFILTER 1 SALES471@bestintactics.com 208.70.88.1
09/19/16 11:38:54 Cleaned 811659BD3D834ED2BEEF6047C262986D.MAI SMTP MTAFILTER 1 SALES89@nnacijc.org 94.186.192.206
09/19/16 11:39:09 Cleaned 74ABB6CF9F1443D28E2E67E3E49E084E.MAI SMTP MTAFILTER 1 SALES8@virtualpages.com 208.70.88.1
09/19/16 11:41:52 Cleaned BEB5A9997DA14145B299CC879DDE6841.MAI SMTP MTAFILTER 1 SALES5@woonhuisstyliste.nl 208.70.88.1
09/19/16 11:42:51 Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\1D574A~1.MAI\1.ATT" /report /archive=5) took too long and was terminated
09/19/16 11:47:51 Cleaned 4F0C5F056E764F2CABE0D8AF4CC2E67D.MAI SF MTAFILTER 1 SALES61@ates-insaat.com 208.70.88.1
09/19/16 11:49:28 Cleaned 1C85660CC7B849A8912DEAF8A5159BEC.MAI SMTP MTAFILTER 1 SALES6@gdp.net.vn 208.70.88.1
09/19/16 11:50:53 Cleaned F16824B54C4A4AA285D41BAB21022AAD.MAI SMTP MTAFILTER 1 SALES13@rasterkonsulten.se 208.70.88.1
09/19/16 11:53:28 Cleaned 5762E0AA3CC14F479A0291813A9E8D40.MAI SMTP MTAFILTER 1 SALES9@bmacsolar.com 208.70.88.1
09/19/16 11:55:00 Cleaned 8DE215891B0749FCAD50A2B25A451525.MAI SF MTAFILTER 1 SALES4@wega-astro.be 94.186.192.205
09/19/16 11:58:23 Cleaned ACB4AB98A6CE482BB13F838B8B4FCD2E.MAI SMTP MTAFILTER 1 SALES261@bsservicios.com 208.70.88.1
09/19/16 11:58:47 Cleaned D6A4C06685684ADEAF4C6C93487BFFFF.MAI SMTP MTAFILTER 1 SALES1@taxivan.mx 208.70.88.1
09/19/16 11:59:42 Cleaned 89F2E185F3EA4F659C3306FFC48BD808.MAI SMTP MTAFILTER 1 SALES4@hasten.com.br 208.70.88.1
09/19/16 12:00:01 Cleaned 1103AE10EDA34178A7DE0A72DBA2B466.MAI SMTP MTAFILTER 1 SALES3@taylorsyfan.com 208.70.88.1
09/19/16 12:03:56 Cleaned 350D52E437434D10B0D40427B01E6F85.MAI SMTP MTAFILTER 1 SALES26@smithsshoecenter.com 208.70.88.1
09/19/16 12:04:32 Cleaned F81334158D37411DB3B23760AD1BCE67.MAI SF MTAFILTER 1 SALES0@philippinetours.com.au 208.70.88.1
Code:
09/20/16 08:59:04 Start - - - - - - -
09/20/16 08:59:04 Cleaned A2C7733FAD11473F89E39BD52D970ABD.MAI SMTP MTAFILTER 1 POSTMASTER@myvfmail.com 208.70.91.142
09/20/16 10:10:25 Cleaned 65397EC75CB8429D9EB80D5315A221AF.MAI SMTP MTAFILTER 1 POSTMASTER@myvfmail.com 208.70.88.1
09/21/16 09:39:50 End - - - - - - -
Code:
09/23/16 16:24:46 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\00408FDD98764BE2B63DAD284DEE2B58.MAI (Error: 5)
09/23/16 16:24:52 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\1.ATT (Error: 5)
09/23/16 16:24:58 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\2.ATT (Error: 5)
09/23/16 16:25:04 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\3.ATT (Error: 5)
09/23/16 16:25:04 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI (Error: 2)
Code:
F-PROT Antivirus CLS version 6.7.5.5955, 32bit (built: 2011-10-03T19-58-16)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: C:\PROGRA~2\MAILEN~1\Scratch\EICAR.ZIP /report /archive=5
Virus signatures: 201609231936
(C:\ProgramData\FRISK Software\F-PROT Antivirus for Windows\antivir.def)
[Error] <Can not open file: No such file or directory> C:\PROGRA~2\MAILEN~1\Scratch\EICAR.ZIP
Results:
Files: 1
Skipped files: 1
MBR/boot sectors checked: 0
Objects scanned: 0
Infected objects: 0
Infected files: 0
Files with errors: 0
Disinfected: 0
Running time: 00:01
Code:
09/23/16 16:33:57 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\83A782E23A2E44A3B9661CA2EDBB41B0.MAI\83A782E23A2E44A3B9661CA2EDBB41B0.MAI (Error: 5)
09/23/16 16:33:57 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\83A782E23A2E44A3B9661CA2EDBB41B0.MAI (Error: 2)
09/23/16 16:36:03 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\F5B572001B0E43029BB33D6F44FF06D0.MAI\F5B572001B0E43029BB33D6F44FF06D0.MAI (Error: 5)
09/23/16 16:36:03 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\F5B572001B0E43029BB33D6F44FF06D0.MAI (Error: 2)
09/23/16 16:43:22 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\91315568D2A940B2BAC9BC416EBE8B5D.MAI\91315568D2A940B2BAC9BC416EBE8B5D.MAI (Error: 5)
09/23/16 16:43:22 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\91315568D2A940B2BAC9BC416EBE8B5D.MAI (Error: 2)
Keith Damron
Manager of Customer Support
VisionFriendly.com
1250 E. Diehl Road, Suite 302
Naperville, IL 60563
630 553-0000 x112
Keith@visionfriendly.com
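The gaps, scanner timeouts and scratch-folder cleanup errors this post picks out of the MEAVGEN log by eye can be flagged automatically. The script below is an added example, not part of the original thread or of MailEnable's tooling; it assumes the `mm/dd/yy hh:mm:ss` line prefix seen in the excerpts, and the six-hour silence threshold and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the MEAVGEN excerpts in the post;
# message IDs, paths and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Time Action MessageID Connector Filter Result Account Sender ClientIP
09/17/16 09:54:27 Start - - - - - - -
09/17/16 09:54:27 Cleaned AAAA0001.MAI SMTP MTAFILTER 1 192.0.2.10
09/19/16 07:39:02 End - - - - - - -
09/19/16 07:39:02 Cleaned AAAA0002.MAI SMTP MTAFILTER 1 192.0.2.11
09/19/16 08:39:19 Cleaned AAAA0003.MAI SMTP MTAFILTER 1 user@example.com 192.0.2.12
09/19/16 10:30:30 Error scanning attachment - Command Line Scanner Process ("fpscan.exe" "Scratch\\AAAA0004.MAI\\2.ATT" /report /archive=5) took too long and was terminated
09/19/16 10:31:34 Cleaned AAAA0005.MAI SF MTAFILTER 1 user@example.com 192.0.2.12
09/23/16 16:24:46 ->DeleteFiles::[MTAFILTER] Could not delete file Scratch\\AAAA0006.MAI\\1.ATT (Error: 5)
09/23/16 16:25:04 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory Scratch\\AAAA0006.MAI (Error: 2)
"""

# Assumed line prefix: mm/dd/yy hh:mm:ss, followed by the rest of the entry.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse(log_text):
    """Yield (timestamp, rest) for each timestamped line; the header is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)


def audit(log_text, max_silence=timedelta(hours=6)):
    """Summarise signs that attachment scanning stalled or failed quietly."""
    report = {"gaps": [], "timeouts": 0, "cleanup_failures": 0, "scanned": 0}
    prev = None
    for ts, rest in parse(log_text):
        # A long silence between entries means nothing was logged as scanned.
        if prev is not None and ts - prev > max_silence:
            report["gaps"].append((prev, ts))
        prev = ts
        if rest.startswith("Cleaned "):
            report["scanned"] += 1
        elif "took too long and was terminated" in rest:
            report["timeouts"] += 1  # scanner killed before returning a verdict
        elif "Could not delete file" in rest or "Could not remove directory" in rest:
            report["cleanup_failures"] += 1  # scratch files left behind
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run on a schedule against the live log, a non-empty `gaps` list or a rising `timeouts` count is a cue to check whether the antivirus filter is still being applied to incoming mail.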