F-Prot Issues

Post by Webthinking » Fri Jul 15, 2016 3:16 am

Hi,

We're having trouble with our F-Prot integration in MailEnable 8.61 in that sometimes it works and sometimes it doesn't. It's not working at the moment and this means it won't catch any viruses, other than the test EICAR one. The exact same configuration was working until about 5pm yesterday, after which no more viruses have been caught. F-Prot's resident shield is turned off, so there's no conflict there.

As part of my lengthy investigations into this ongoing issue, I ran the MTA in debug mode and read through some of the output. Whilst F-Prot seems to scan clean attachments, when a known virus comes along (I can tell by the name of the attachment), the scan doesn't seem to be initiated. In the debug output, MailEnable logs "Skipping encoded attachment" in the place where the scan activity should be. What does this mean? I can see it's been mentioned on a handful of occasions in the past, but there are no definitive answers. Why is MailEnable seemingly not firing up F-Prot for these attachments?

Thanks

Mark

Re: F-Prot Issues

Post by keith@vfsremote.com » Fri Sep 23, 2016 10:31 pm

Thank God someone else is having issues with F-Prot on the same version of MailEnable as me.

Today I logged onto one of my mail VMs in our cluster and noticed an unexpected shutdown notice. After digging through the event logs, it looks as though F-Prot started consuming way too many resources due to an attachment Filtering Rule in MailEnable suddenly choosing not to fire and getting several viral messages per second. Filters choosing not to work sporadically has been a consistent headache I have had with MailEnable for the past 2 years. It never truly gets resolved; I usually turn services on and off, disable filters and re-enable them, and randomly it will work again with exactly the same settings as before.

I'm not sure which came first, but it would appear as though MailEnable and F-Prot are no longer working together nicely in my environment. I see gaps in my MEAVGEN logs over the past week on both of my clustered mail nodes; example below:

Time   Action   MessageID   Connector   Filter   Result   Account   Sender   ClientIP
09/17/16 09:54:27   Start   -   -   -   -   -   -   -
09/17/16 09:54:27   Cleaned   DBF321BAAE164DECBAFDBA54F775B2F9.MAI   SMTP   MTAFILTER   1      94.186.192.205
09/19/16 07:39:02   End   -   -   -   -   -   -   -


Then on the 19th I see it working perfectly again

09/19/16 07:39:02   Cleaned   720776B1507B4007B831B298EC9CB1BE.MAI   SMTP   MTAFILTER   1      208.70.91.23
09/19/16 08:39:19   Cleaned   D8B0CF08AC304C7ABD6F9BF39E0FAF51.MAI   SMTP   MTAFILTER   1   paypal@secure.net   94.186.192.206
09/19/16 09:48:45   Cleaned   3DD69F31C2014A55947157614D79A424.MAI   SF   MTAFILTER   1      SALES9@arrowstravel.com   208.70.88.1
09/19/16 09:48:59   Cleaned   2E311437B80E40FC9F80401468572D93.MAI   SF   MTAFILTER   1      SALES09@jordantours-france.com   208.70.88.1
09/19/16 09:49:07   Cleaned   8E3C29E327D64676B824F40379DD4AAE.MAI   SF   MTAFILTER   1   SALES9@cadelectric.ro   208.70.88.1
09/19/16 09:49:11   Cleaned   123C7B796E0147C2867EF4D09F60DDDA.MAI   SMTP   MTAFILTER   1      94.186.192.203
09/19/16 09:49:26   Cleaned   5BCC16C6A8C04D039E4253C64F9006A0.MAI   SMTP   MTAFILTER   1      SALES398@turnthepagebooks.com   208.70.88.1
09/19/16 09:50:00   Cleaned   E457685A45F0470FB633505831F781C2.MAI   SMTP   MTAFILTER   1      SALES794@veahome.com   208.70.88.1
09/19/16 09:51:58   Cleaned   8D3F81A7EC5840B6A6F9128D03EF5D82.MAI   SMTP   MTAFILTER   1      SALES8@lttcorp.com   208.70.88.1
09/19/16 09:55:01   Cleaned   5828F58390DB4653A275335CC9EBB22B.MAI   SMTP   MTAFILTER   1      SALES1@beatdiz.com.br   94.186.192.200
09/19/16 09:55:57   Cleaned   4BFFC9A751204B728ED4639EC557F3D8.MAI   SMTP   MTAFILTER   1   SALES713@johnmacconnell.com   208.70.88.1
09/19/16 09:59:59   Cleaned   E8F8F6A31A74463682B494E47CC3ACF7.MAI   SMTP   MTAFILTER   1      SALES33@fwr.it   208.70.88.1
09/19/16 10:02:25   Cleaned   599D5ADA12E347D796EDA6318BF3E643.MAI   SMTP   MTAFILTER   1   SALES0@tonitelife.com   208.70.88.1
09/19/16 10:06:05   Cleaned   3113438439484D2E872D67249B71DE8D.MAI   SMTP   MTAFILTER   1   SALES20@gsavary.net   208.70.88.1
09/19/16 10:12:42   Cleaned   FCE1812022834D998C44F0F682A674E4.MAI   SMTP   MTAFILTER   1      SALES73@tnma.co.za   208.70.88.1
09/19/16 10:19:06   Cleaned   4BE672F4D937429584A26C91500328AA.MAI   SMTP   MTAFILTER   1   SALES68@gracelutherville.org   208.70.88.1
09/19/16 10:19:09   Cleaned   0C77C17433B04EBFA99CC600C36C5C1D.MAI   SMTP   MTAFILTER   1      SALES62@parthe.com   94.186.192.205
09/19/16 10:19:50   Cleaned   0CF862A388EF4251BF85582494B87054.MAI   SMTP   MTAFILTER   1      SALES0@martinemail.us   208.70.88.1
09/19/16 10:25:34   Cleaned   A442E9468B7A4D9C9241528C3015315B.MAI   SMTP   MTAFILTER   1      SALES84@raptureforums.com   208.70.88.1
09/19/16 10:25:36   Cleaned   9027502A1788474A8A7C32DC9A91B706.MAI   SMTP   MTAFILTER   1      SALES850@uselessfacts.net   208.70.88.1
09/19/16 10:27:14   Cleaned   95EE3B76646641EE8E15C474FBCD2C60.MAI   SMTP   MTAFILTER   1      SALES33@nietubicz.com   208.70.88.1
09/19/16 10:28:05   Cleaned   7CACC925043945B886971940A7E41F1D.MAI   SMTP   MTAFILTER   1   SALES569@ankaratb.org.tr   208.70.88.1
09/19/16 10:30:27   Cleaned   337D75E908C34B06B7998B4C5E15326C.MAI   SMTP   MTAFILTER   1   SALES54@wikileakssupportersforum.com   208.70.88.1
09/19/16 10:30:30   Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\F3F9F7~1.MAI\2.ATT" /report /archive=5) took too long and was terminated
09/19/16 10:31:34   Cleaned   2B8D3A261104453482DCD369E8FA329B.MAI   SF   MTAFILTER   1      SALES2@anthonyneff.com   208.70.88.1
09/19/16 10:32:05   Cleaned   6E5047948C0D48FDA22C5CDB83240933.MAI   SMTP   MTAFILTER   1      SALES06@gbiru.ru   208.70.88.1
09/19/16 10:37:26   Cleaned   37C8EB174E7542F2B86DCEBD955A70A5.MAI   SMTP   MTAFILTER   1      SALES24@orbiswireless.com   208.70.88.1
09/19/16 10:39:44   Cleaned   6D603A8F851C4B29814C91C22777D6A1.MAI   SMTP   MTAFILTER   1      SALES846@yokotranslation.com   208.70.88.1
09/19/16 10:42:52   Cleaned   70B34396866D42EAA5B0F4EF330930EF.MAI   SMTP   MTAFILTER   1      SALES493@bebesilaw.hu   208.70.88.1
09/19/16 10:49:15   Cleaned   D1056AC18D274576808B3FB43B0933EB.MAI   SF   MTAFILTER   1      SALES18@bicicletaria.com.br   208.70.88.1
09/19/16 10:49:15   Cleaned   897E767DDA234316B720954CF089F1AB.MAI   SMTP   MTAFILTER   1      SALES43@venanpecas.com.br   208.70.88.1
09/19/16 10:51:37   Cleaned   62E004EEA3824A17AD4A0D1C35B6AB99.MAI   SMTP   MTAFILTER   1      SALES595@ttatva.com   208.70.88.1
09/19/16 10:52:21   Cleaned   B0CB9F7CBCBE434F8DDF5A5B7D86F39E.MAI   SMTP   MTAFILTER   1   SALES29@twguaimbe.org   208.70.88.1
09/19/16 10:52:25   Cleaned   753FF35CA2E44862B8A9B6B8643F754F.MAI   SMTP   MTAFILTER   1      SALES02@sdbua.net   208.70.88.1
09/19/16 10:54:19   Cleaned   63155BFF313448EBAF730EDA281E726A.MAI   SMTP   MTAFILTER   1      SALES9@venuespn.co.nz   208.70.88.1
09/19/16 10:56:22   Cleaned   913D52573A894AEC8EEAB47A977F10C8.MAI   SMTP   MTAFILTER   1   SALES795@esssys.com   208.70.88.1
09/19/16 11:02:59   Cleaned   FD06D0B2DDA742B1BC5C011C3884FF29.MAI   SMTP   MTAFILTER   1   SALES72@thepropertyguru.co.za   208.70.88.1
09/19/16 11:04:09   Cleaned   79843E325483420EAE5F3A7E73815E54.MAI   SMTP   MTAFILTER   1         SALES1@anmlangls.org   208.70.88.1
09/19/16 11:07:07   Cleaned   30ACFE6282414504B2B31B4D34783AFF.MAI   SMTP   MTAFILTER   1      SALES102@nzdesigns.biz   208.70.88.1
09/19/16 11:07:24   Cleaned   ABACDFCB8A18474C878C8638A039CBEE.MAI   SMTP   MTAFILTER   1   pacificcoastmarketing.org   SALES7@placorinc.com   208.70.88.1
09/19/16 11:10:55   Cleaned   FFA438B8D44C420689DF64AE94B79BE0.MAI   SF   MTAFILTER   1      SALES04@fostersplace.com   208.70.88.1
09/19/16 11:12:03   Cleaned   F44AAD15979E45908B8626A3323A67E4.MAI   SMTP   MTAFILTER   1      SALES3@optimalclix.com   208.70.88.1
09/19/16 11:13:09   Cleaned   6CF71AFCA6994D31B420DD329B2441B8.MAI   SMTP   MTAFILTER   1      SALES3@ectb-ingenierie.fr   208.70.88.1
09/19/16 11:22:07   Cleaned   7671CF1466C34832BA4929AFE2495933.MAI   SMTP   MTAFILTER   1      SALES4@zekiler.com   208.70.88.1
09/19/16 11:24:16   Cleaned   9EF481A8AEB549B3B62D220DF28C6369.MAI   SF   MTAFILTER   1      SALES341@archeologica.ch   208.70.88.1
09/19/16 11:27:32   Cleaned   03FC542E98D649C791CC424FED4FBBFD.MAI   SMTP   MTAFILTER   1      SALES99@autopiramide.pt   208.70.88.1
09/19/16 11:29:14   Cleaned   9A308E9690024239A0D51AA6A44B4EC5.MAI   SMTP   MTAFILTER   1      SALES632@robertsyasoc.com   208.70.88.1
09/19/16 11:30:33   Cleaned   69B2CEFE3C1648FE888300A347DA1DAC.MAI   SMTP   MTAFILTER   1      SALES613@wohlenberg.ru   208.70.88.1
09/19/16 11:30:59   Cleaned   9EE16204C81242B48949FDF68C3865C2.MAI   SMTP   MTAFILTER   1      SALES91@arkana.ru   208.70.88.1
09/19/16 11:31:36   Cleaned   CE31D0E2590343FA84F0F91F1B643386.MAI   SMTP   MTAFILTER   1      SALES471@bestintactics.com   208.70.88.1
09/19/16 11:38:54   Cleaned   811659BD3D834ED2BEEF6047C262986D.MAI   SMTP   MTAFILTER   1      SALES89@nnacijc.org   94.186.192.206
09/19/16 11:39:09   Cleaned   74ABB6CF9F1443D28E2E67E3E49E084E.MAI   SMTP   MTAFILTER   1      SALES8@virtualpages.com   208.70.88.1
09/19/16 11:41:52   Cleaned   BEB5A9997DA14145B299CC879DDE6841.MAI   SMTP   MTAFILTER   1      SALES5@woonhuisstyliste.nl   208.70.88.1
09/19/16 11:42:51   Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\1D574A~1.MAI\1.ATT" /report /archive=5) took too long and was terminated
09/19/16 11:47:51   Cleaned   4F0C5F056E764F2CABE0D8AF4CC2E67D.MAI   SF   MTAFILTER   1      SALES61@ates-insaat.com   208.70.88.1
09/19/16 11:49:28   Cleaned   1C85660CC7B849A8912DEAF8A5159BEC.MAI   SMTP   MTAFILTER   1      SALES6@gdp.net.vn   208.70.88.1
09/19/16 11:50:53   Cleaned   F16824B54C4A4AA285D41BAB21022AAD.MAI   SMTP   MTAFILTER   1      SALES13@rasterkonsulten.se   208.70.88.1
09/19/16 11:53:28   Cleaned   5762E0AA3CC14F479A0291813A9E8D40.MAI   SMTP   MTAFILTER   1      SALES9@bmacsolar.com   208.70.88.1
09/19/16 11:55:00   Cleaned   8DE215891B0749FCAD50A2B25A451525.MAI   SF   MTAFILTER   1      SALES4@wega-astro.be   94.186.192.205
09/19/16 11:58:23   Cleaned   ACB4AB98A6CE482BB13F838B8B4FCD2E.MAI   SMTP   MTAFILTER   1      SALES261@bsservicios.com   208.70.88.1
09/19/16 11:58:47   Cleaned   D6A4C06685684ADEAF4C6C93487BFFFF.MAI   SMTP   MTAFILTER   1      SALES1@taxivan.mx   208.70.88.1
09/19/16 11:59:42   Cleaned   89F2E185F3EA4F659C3306FFC48BD808.MAI   SMTP   MTAFILTER   1      SALES4@hasten.com.br   208.70.88.1
09/19/16 12:00:01   Cleaned   1103AE10EDA34178A7DE0A72DBA2B466.MAI   SMTP   MTAFILTER   1      SALES3@taylorsyfan.com   208.70.88.1
09/19/16 12:03:56   Cleaned   350D52E437434D10B0D40427B01E6F85.MAI   SMTP   MTAFILTER   1   SALES26@smithsshoecenter.com   208.70.88.1
09/19/16 12:04:32   Cleaned   F81334158D37411DB3B23760AD1BCE67.MAI   SF   MTAFILTER   1      SALES0@philippinetours.com.au   208.70.88.1


Then on the 20th it stopped working again

09/20/16 08:59:04   Start   -   -   -   -   -   -   -
09/20/16 08:59:04   Cleaned   A2C7733FAD11473F89E39BD52D970ABD.MAI   SMTP   MTAFILTER   1      POSTMASTER@myvfmail.com   208.70.91.142
09/20/16 10:10:25   Cleaned   65397EC75CB8429D9EB80D5315A221AF.MAI   SMTP   MTAFILTER   1      POSTMASTER@myvfmail.com   208.70.88.1
09/21/16 09:39:50   End   -   -   -   -   -   -   -



Today the message filter logs simply aren't showing the MailEnable VIRUS Filter Rule being executed at all. I go to the MTAFILTER-report from a few days ago and it was firing pretty regularly; I could see it being applied to messages.

Today's MEAVGEN report shows


09/23/16 16:24:46   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\00408FDD98764BE2B63DAD284DEE2B58.MAI (Error: 5)
09/23/16 16:24:52   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\1.ATT (Error: 5)
09/23/16 16:24:58   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\2.ATT (Error: 5)
09/23/16 16:25:04   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI\3.ATT (Error: 5)
09/23/16 16:25:04   ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\00408FDD98764BE2B63DAD284DEE2B58.MAI (Error: 2)


I go to Servers > localhost > Extensions > Message Filter > MailEnable Antivirus filter and it is enabled. I click into properties and F-Prot version 6 is enabled. I click test settings and it returns

F-PROT Antivirus CLS version 6.7.5.5955, 32bit (built: 2011-10-03T19-58-16)


FRISK Software International (C) Copyright 1989-2011
Engine version:   4.6.5.141
Arguments:        C:\PROGRA~2\MAILEN~1\Scratch\EICAR.ZIP /report /archive=5
Virus signatures: 201609231936
                  (C:\ProgramData\FRISK Software\F-PROT Antivirus for Windows\antivir.def)

[Error] <Can not open file: No such file or directory>   C:\PROGRA~2\MAILEN~1\Scratch\EICAR.ZIP


Results:

Files: 1
Skipped files: 1
MBR/boot sectors checked: 0
Objects scanned: 0
Infected objects: 0
Infected files: 0
Files with errors: 0
Disinfected: 0

Running time: 00:01


At the same time F-Prot pops up with a notification with "DESCRIPTION File Not Found FILENAME EICAR.ZIP STATUS removed". So I come to the conclusion that real time scanning must be picking it up and F-Prot is deleting it before MailEnable can do anything. OK, then let's add a folder exclusion to F-Prot; this shouldn't be a problem as I would assume this only excludes real-time scanning and not the individual calls for fpscan.exe. So I exclude the scratch folder then test. The test passes. I restart MailEnable Services and wait. The MTAFilterReport is still not showing the rule being executed at all and I am still getting the below in the MEAVGEN report:

09/23/16 16:33:57   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\83A782E23A2E44A3B9661CA2EDBB41B0.MAI\83A782E23A2E44A3B9661CA2EDBB41B0.MAI (Error: 5)
09/23/16 16:33:57   ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\83A782E23A2E44A3B9661CA2EDBB41B0.MAI (Error: 2)
09/23/16 16:36:03   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\F5B572001B0E43029BB33D6F44FF06D0.MAI\F5B572001B0E43029BB33D6F44FF06D0.MAI (Error: 5)
09/23/16 16:36:03   ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\F5B572001B0E43029BB33D6F44FF06D0.MAI (Error: 2)
09/23/16 16:43:22   ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\91315568D2A940B2BAC9BC416EBE8B5D.MAI\91315568D2A940B2BAC9BC416EBE8B5D.MAI (Error: 5)
09/23/16 16:43:22   ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\91315568D2A940B2BAC9BC416EBE8B5D.MAI (Error: 2)


So I figure, well, maybe the exclusion is being applied to fpscan.exe, MailEnable is asking for a return code and isn't getting one or is getting a clean status due to the directory being excluded... so I remove the exclusions and turn off real time protection completely. I go through the whole process of testing the MailEnable Antivirus filter properties and it passes. Now I restart and wait again. Still the same results. In fact, now the MEAVGEN report isn't even logging anymore; the last update was over 40 minutes ago.

So you're probably thinking, "OK, well, we need to eliminate 3rd party pickup events." We have 7 MailEnable filters: the first uses MailEnable to specify certain headers to not be filtered; the second uses a criteria script to stop filtering on certain domains; the third uses a criteria script to stop filtering on certain mailboxes; the fourth takes attachments we don't allow, copies the message to quarantine and deletes; the 5th is the Virus Rule that copies the message to quarantine and deletes; the 6th is a rule that says if a message is larger than 712000, stop processing filters; and the 7th is a rule that checks against SpamAssassin, then copies to quarantine and deletes. I have tried disabling these all except for the virus rule, to no avail.

I would appreciate any input anyone can give on these issues.

Thank You,

Keith Damron

VisionFriendly.com
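
One way to flag the kind of MEAVGEN gaps and errors described in this post automatically (an added example, not code from either poster or from MailEnable): it reads log lines in the layout quoted above, treats Cleaned and scanner-timeout lines as evidence that the scanner ran, and reports quiet periods along with counts of timeouts and "Error: 5" (Windows access denied) delete failures. The sample lines, the six-hour threshold and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
TIMEOUT = "took too long and was terminated"

# Constructed sample in the layout of the MEAVGEN excerpts in the post;
# message IDs, paths and IP addresses are placeholders.
SAMPLE = r"""
09/17/16 09:54:27   Start   -   -   -   -   -   -   -
09/17/16 09:54:27   Cleaned   AAAA0001.MAI   SMTP   MTAFILTER   1      192.0.2.10
09/19/16 07:39:02   End   -   -   -   -   -   -   -
09/19/16 07:39:02   Cleaned   AAAA0002.MAI   SMTP   MTAFILTER   1      192.0.2.11
09/19/16 08:39:19   Cleaned   AAAA0003.MAI   SMTP   MTAFILTER   1      192.0.2.12
09/19/16 10:30:30   Error scanning attachment - Command Line Scanner Process ("fpscan.exe" "C:\Scratch\AAAA0004.MAI\2.ATT" /report /archive=5) took too long and was terminated
09/19/16 10:31:34   Cleaned   AAAA0005.MAI   SF   MTAFILTER   1      192.0.2.13
09/23/16 16:24:46   ->DeleteFiles::[MTAFILTER] Could not delete file C:\Scratch\AAAA0006.MAI\1.ATT (Error: 5)
"""

def parse(text):
    """Yield (timestamp, rest) for every line that starts with a log timestamp."""
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)

def audit(text, max_quiet=timedelta(hours=6)):
    """Return (quiet_periods, counts). A quiet period is a stretch longer than
    max_quiet with no sign that the scanner ran, including the tail of the log."""
    quiet, counts = [], {"timeout": 0, "delete_denied": 0}
    last_scan = last_ts = None
    for ts, rest in parse(text):
        last_ts = ts
        if TIMEOUT in rest:
            counts["timeout"] += 1
        if "Could not delete file" in rest and "(Error: 5)" in rest:
            counts["delete_denied"] += 1  # Windows error 5 = access denied
        if rest.startswith("Cleaned") or TIMEOUT in rest:  # scanner was invoked
            if last_scan and ts - last_scan > max_quiet:
                quiet.append((last_scan, ts))
            last_scan = ts
    # Log still being written (e.g. cleanup errors) but no scans since last_scan.
    if last_scan and last_ts - last_scan > max_quiet:
        quiet.append((last_scan, last_ts))
    return quiet, counts

if __name__ == "__main__":
    quiet, counts = audit(SAMPLE)
    for start, end in quiet:
        print(f"no scan activity from {start} to {end} ({end - start})")
    print(counts)
```

The threshold needs tuning to the server's normal mail volume, since a quiet overnight period on a low-traffic node would otherwise be reported as a gap.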