f-prot logging

Discussion, support and announcements for third party applications that work with MailEnable.
foks

Post by foks » Sun Feb 01, 2004 9:51 pm

I have just installed F-Prot Windows Trial version to my mail server (Mail Enable Professional). It works fine, removes all viruses but I would like F-Prot to make log files when it finds a virus. In Antivirus Parameters I have ""[AGENT]" "[FILENAME]" /ARCHIVE /NOBOOT /NOMEM /APPEND /REPORT=LOG.TXT" but F-Prot doesn't add anything to log.txt. I have restarted the MTA.

When I run fpcmd at a DOS prompt (i.e. fpcmd virus.scr /ARCHIVE /NOBOOT /NOMEM /APPEND /REPORT=LOG.TXT) it works fine and the log file is updated.

So, why doesn't it work when Mail Enable runs F-Prot?

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman » Mon Feb 02, 2004 3:40 am

Try specifying the complete path to the log file.

/REPORT=C:\MyLogs\Log.txt

Kiliman

foks

Post by foks » Mon Feb 02, 2004 11:34 am

Thanks! That seems to work. :D

/foks

jammin
Posts: 30
Joined: Sun Jun 29, 2003 8:06 am

Post by jammin » Tue Feb 03, 2004 6:23 am

Although you'll notice that file is very verbose and is written to whether a virus is found or not!

Anyone got any ideas on how to get any decent reports out? I'd love to know how many of the different types of viruses were removed, which users got hit the most, etc.

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman » Tue Feb 03, 2004 11:54 am

See my post "Improved Virus Notification"
http://forum.mailenable.com/viewtopic.php?t=3605

Since you're not using McAfee, I may be able to help you modify the script for your particular scan engine.

Just send me the command line arguments and sample log files.

Here is the log file my script generates (tab-delimited):
01/29/04 17:18:37 48904882203A....MAI [SMTP:postmaster@pegasus.cc.ucf.edu] [SMTP:dave@the-nuthouse.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 17:18:57 48904882203A....MAI [SMTP:postmaster@pegasus.cc.ucf.edu] [SMTP:dave@the-nuthouse.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 17:23:08 DC564D939659C...MAI [SMTP:michael@volcanictech.com] [SMTP:postmaster@carterville.com]
01/29/04 17:26:43 8BAB96914EAA4...MAI [SMTP:mjbecker@viafamily.net] [SMTP:michael@volcanictech.com] Found the W32/Swen@MM virus !!!
01/29/04 17:34:00 1765AF391B00....MAI [SMTP:mjbecker@viafamily.net] [SMTP:michael@volcanictech.com] Found the W32/Swen@MM virus !!!
01/29/04 18:01:33 48904882203A....MAI [SMTP:postmaster@pegasus.cc.ucf.edu] [SMTP:dave@the-nuthouse.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 18:02:47 86C736E5AC7E6...MAI [SMTP:michael@volcanictech.com] [SMTP:postmaster@carterville.com] Found: EICAR test file NOT a virus.
01/29/04 20:47:20 24A883431A6ED...MAI [SMTP:dnorris@cab.latech.edu] [SMTP:michael@volcanictech.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 20:47:27 45BD96379750C...MAI [SMTP:qypqu@aol.com] [SMTP:dave@volcanictech.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 21:22:21 7460F6B782C7....MAI [SMTP:chuangsmy.bc@mol.net.my] [SMTP:michael@volcanictech.com] Found the W32/Swen@MM virus !!!
01/29/04 21:26:17 4FA77A12A9991...MAI [SMTP:chuangsmy.bc@mol.net.my] [SMTP:michael@volcanictech.com] Found the W32/Swen@MM virus !!!
01/29/04 21:29:57 C9F119856ACE0...MAI [SMTP:wward63@earthlink.net] [SMTP:michael@volcanictech.com] Found the W32/Swen@MM virus !!!
01/29/04 21:34:17 CC5B583FB144....MAI [SMTP:wward63@earthlink.net] [SMTP:michael@volcanictech.com] Found the W32/Swen@MM virus !!!
01/29/04 22:25:38 84D9BCE63548....MAI [SMTP:girishn@nagpur.dot.net.in] [SMTP:fred@volcanictech.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 22:58:20 683F4A4460D37...MAI [SMTP:zip-bugs@lists.wku.edu] [SMTP:leo@volcanictech.com] Found the W32/Mydoom.a@MM virus !!!
01/29/04 23:51:12 6354B70B80B79...MAI [SMTP:michael@volcanictech.com] [SMTP:leo@volcanictech.com] Found the W32/Mydoom.a@MM virus !!!
Kiliman
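As an added illustration (not code from this thread, nor from Kiliman's script or MailEnable), here is a Python parser for a log in the tab-delimited layout shown above that answers jammin's question: totals per virus name and per recipient. The column order (date/time, message file, sender, recipient, optional scanner result) is an assumption read off the sample, the sample lines are constructed with example.com placeholder addresses, and a "Found: EICAR test file NOT a virus." entry is deliberately not counted as an infection because the scanner itself says it is not one.

```python
import re
from collections import Counter

# Constructed sample in the tab-delimited layout of the log shown above.
# Assumed column order: date/time, message file, sender, recipient and an
# optional scanner result. Addresses are placeholders, not the real ones.
SAMPLE_LOG = "\n".join([
    "01/29/04 17:18:37\t48904882203A....MAI\t[SMTP:postmaster@example.edu]\t[SMTP:dave@example.com]\tFound the W32/Mydoom.a@MM virus !!!",
    "01/29/04 17:18:57\t48904882203A....MAI\t[SMTP:postmaster@example.edu]\t[SMTP:dave@example.com]\tFound the W32/Mydoom.a@MM virus !!!",
    "01/29/04 17:23:08\tDC564D939659C...MAI\t[SMTP:michael@example.com]\t[SMTP:postmaster@example.org]",
    "01/29/04 17:26:43\t8BAB96914EAA4...MAI\t[SMTP:mjbecker@example.net]\t[SMTP:michael@example.com]\tFound the W32/Swen@MM virus !!!",
    "01/29/04 17:34:00\t1765AF391B00....MAI\t[SMTP:mjbecker@example.net]\t[SMTP:michael@example.com]\tFound the W32/Swen@MM virus !!!",
    "01/29/04 18:02:47\t86C736E5AC7E6...MAI\t[SMTP:michael@example.com]\t[SMTP:postmaster@example.org]\tFound: EICAR test file NOT a virus.",
    "01/29/04 23:51:12\t6354B70B80B79...MAI\t[SMTP:michael@example.com]\t[SMTP:leo@example.com]\tFound the W32/Mydoom.a@MM virus !!!",
])

VIRUS_RE = re.compile(r"Found the (\S+) virus")
ADDR_RE = re.compile(r"\[SMTP:([^\]]+)\]")


def _addr(field):
    """Reduce '[SMTP:user@host]' to 'user@host'; fall back to the raw field."""
    m = ADDR_RE.search(field)
    return m.group(1) if m else field.strip()


def parse_log(text):
    """Parse the tab-delimited log into one dict per scanned message.
    'virus' is None for clean messages and for the EICAR test-file line,
    which the scanner itself reports as NOT a virus."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            continue  # malformed line: skip it rather than guess
        result = parts[4] if len(parts) > 4 else ""
        m = VIRUS_RE.search(result)
        records.append({
            "when": parts[0],
            "msgfile": parts[1],
            "sender": _addr(parts[2]),
            "recipient": _addr(parts[3]),
            "result": result,
            "virus": m.group(1) if m else None,
        })
    return records


def virus_counts(records):
    """How many hits per virus name."""
    return Counter(r["virus"] for r in records if r["virus"])


def recipient_counts(records):
    """Which recipients received the most infected mail."""
    return Counter(r["recipient"] for r in records if r["virus"])


def sender_counts(records):
    """Which (claimed) senders delivered the most infected mail."""
    return Counter(r["sender"] for r in records if r["virus"])


def summary(text):
    """Build a small text report from the log: totals, by virus, by recipient."""
    records = parse_log(text)
    lines = [
        f"messages scanned: {len(records)}",
        f"infected: {sum(1 for r in records if r['virus'])}",
        "by virus:",
    ]
    for name, n in virus_counts(records).most_common():
        lines.append(f"  {n:4d}  {name}")
    lines.append("by recipient:")
    for addr, n in recipient_counts(records).most_common():
        lines.append(f"  {n:4d}  {addr}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; sender_counts is only as trustworthy as the envelope sender, which mass-mailing worms forge.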

paarlberg

Post by paarlberg » Tue Mar 02, 2004 7:39 am

I am just trying to make sure that I am reading the log file correctly. Below is my output:

*************************
F-PROT ANTIVIRUS
Program version: 3.13
Engine version: 3.13.1

VIRUS SIGNATURE FILES
SIGN.DEF created 1 March 2004
SIGN2.DEF created 1 March 2004
MACRO.DEF created 1 March 2004

Search: C:\PROGRA~1\MAILEN~1\Scratch\1A7CEF~1.MAI\2.ATT
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /REPORT=c:\avlogs\fprot.txt /APPEND /NOBOOT /NOMEM
Memory was not scanned.
Hard disk boot sectors were not scanned.


Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.
************************

Notice the "Action: Report only". Does this mean that it is only reporting the virus, and not actually cleaning?

Slicer101
Posts: 95
Joined: Fri Jun 27, 2003 9:26 pm
Location: Houston, TX

Post by Slicer101 » Tue Mar 02, 2004 7:30 pm

Try this.

ME020085: Testing MailEnable Anti-virus

When you first set up an AV solution, it can be helpful to follow the steps below to make sure it is working correctly:

1) Stop the MTA service
2) Configure the AV options
3) Open a command prompt, navigate to the Mail Enable\bin directory, and enter the following command:

MEMTA -debug

This will run the MTA service in debug mode and will let you see what is happening (i.e. whether the emails are being scanned).

4) Download and send the test virus from http://www.eicar.org. This is a test file that virus checkers pick up, and ideal to test with. You should see the virus checker write output to the screen when the email goes through.
5) To stop the MEMTA service, press Control-C on your keyboard. You can then start the MTA service through the Admin program normally.


See what kind of results you get in your log file when the test file is sent and verify that it is cleaned/deleted per your settings. Also be sure that you have the updated registry settings in place.

ME020130: F-Prot does not remove viruses inside ZIP files

Frisk recently changed the way their software behaves when viruses are detected.

A registry import file is available to update MailEnable's Antivirus wrapper so that it can correctly interpret the recently changed Frisk Response codes.

You can install this patch by downloading the F-Prot Return Code Registry Update Patch

Good Luck,

Slicer

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg » Tue Mar 02, 2004 8:02 pm

I had sent the EICAR test file and it was blocked. I can do without the F-prot logging for now. The format shows all scanned items and not just the infected mails. With over 2000 e-mails in the past 36 hours, I can imagine that the log file could grow quite large.

BTW: I have configured both Grisoft AVG and F-Prot on the server and changed the notification that is sent to the recipient.

<<- Attachment was removed by F-Prot, because it appears to contain a virus ->>

and

<<- Attachment was removed by Grisoft AVG, because it appears to contain a virus ->>

This seems to help a lot in my protection. I can find out which scanning engine is doing the job and if any actually get past F-Prot.
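paarlberg's two posts above show the verbose /REPORT output, one block per scanned file whether or not anything was found, and note that such a log grows quickly. As an added example (not code from this thread, from Frisk or from MailEnable), the Python below splits an appended report file into per-scan blocks on the "F-PROT ANTIVIRUS" banner, keeps only the blocks that lack the all-clear sentence, and surfaces any line that is not in the allow-list of boilerplate lines taken from the report shown above. The sample report is constructed from that format; its "Infection:" line is an assumed placeholder and not F-Prot's actual wording, which is exactly why the parser does not depend on it.

```python
import re

CLEAN_LINE = "No viruses or suspicious files/boot sectors were found."
BANNER = "F-PROT ANTIVIRUS"

# Lines the scanner writes on every run, taken from the report format above.
# Anything outside this allow-list is surfaced as a finding, so the parser
# does not need to know the exact wording of an infection line.
KNOWN_PREFIXES = (
    BANNER, "Program version:", "Engine version:", "VIRUS SIGNATURE FILES",
    "SIGN.DEF", "SIGN2.DEF", "MACRO.DEF", "Search:", "Action:", "Files:",
    "Switches:", "Memory was not scanned.",
    "Hard disk boot sectors were not scanned.", "Results of virus scanning:",
    "MBRs:", "Boot sectors:", "Objects scanned:", "Time:", CLEAN_LINE,
)

# Constructed sample: two appended scans in the layout shown above. The
# "Infection: EICAR_Test_File" line in the second block is a placeholder
# for whatever the scanner really writes, not copied from F-Prot output.
SAMPLE_REPORT = r"""*************************
F-PROT ANTIVIRUS
Program version: 3.13
Engine version: 3.13.1

VIRUS SIGNATURE FILES
SIGN.DEF created 1 March 2004
SIGN2.DEF created 1 March 2004
MACRO.DEF created 1 March 2004

Search: C:\PROGRA~1\MAILEN~1\Scratch\1A7CEF~1.MAI\2.ATT
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /REPORT=c:\avlogs\fprot.txt /APPEND /NOBOOT /NOMEM
Memory was not scanned.
Hard disk boot sectors were not scanned.


Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.
************************
F-PROT ANTIVIRUS
Program version: 3.13
Engine version: 3.13.1

Search: C:\PROGRA~1\MAILEN~1\Scratch\B2D1C0~1.MAI\1.ATT
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /REPORT=c:\avlogs\fprot.txt /APPEND /NOBOOT /NOMEM

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

Infection: EICAR_Test_File
************************
"""

FILES_RE = re.compile(r"Files:\s*(\d+)")


def split_reports(text):
    """Split an appended /REPORT file into a list of per-scan line lists,
    keyed on the banner each run writes. Rows of asterisks are dropped."""
    blocks, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s and set(s) == {"*"}:
            continue
        if s == BANNER:
            if current is not None:
                blocks.append(current)
            current = []
        if current is not None:
            current.append(line)
    if current is not None:
        blocks.append(current)
    return blocks


def parse_report(lines):
    """Extract the scanned path, the numeric file count, whether the scan
    ended with the all-clear sentence, and every non-boilerplate line."""
    search = files = None
    findings = []
    for line in lines:
        s = line.strip()
        if not s:
            continue
        if s.startswith("Search:"):
            search = s[len("Search:"):].strip()
        m = FILES_RE.fullmatch(s)
        if m:
            files = int(m.group(1))
        if s.startswith(KNOWN_PREFIXES):
            continue
        findings.append(s)
    clean = any(line.strip() == CLEAN_LINE for line in lines)
    return {"search": search, "files": files, "clean": clean, "findings": findings}


def infected_reports(text):
    """Only the scans that did not end with the all-clear sentence."""
    return [r for r in (parse_report(b) for b in split_reports(text)) if not r["clean"]]


def compact_log(text):
    """Rewrite the appended report, keeping only non-clean scans."""
    keep = [b for b in split_reports(text) if not parse_report(b)["clean"]]
    return "\n".join("\n".join(b) for b in keep)


def scan_totals(text):
    """Counts an admin would want at a glance."""
    return {"scans": len(split_reports(text)), "not_clean": len(infected_reports(text))}


if __name__ == "__main__":
    print(scan_totals(SAMPLE_REPORT))
    for r in infected_reports(SAMPLE_REPORT):
        print(r["search"], r["findings"])
```

Because the decision is "did the all-clear sentence appear", a scan that aborted or was cut short also surfaces as not clean, which is the safer default for a mail gateway log.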
