3.17 & F-Prot 6.0

Junior Member
Posts: 7
Joined: Wed Jun 25, 2008 5:30 pm

Postby cbdreinulldrei » Sun Nov 04, 2012 12:14 pm

Hi Alex,

I am using eWall 3.0 (3.0.217 of course... missed the 2 in the thread title) for ages now. I have a server migration planned for next year, but I'd like to continue running as is till then.

I noticed that eWall has stopped catching viruses. When testing the command line, all is fine. F-Prot detects the EICAR file. I noticed that eWall says it successfully tested F-Prot, but AV version and DB version are both listed as unknown.

I noticed the antivirus presets contain information about RegEx patterns. Is there anything that would need adjusting?

This is how a successful report looks today:

F-PROT Antivirus CLS version 6.7.5.5955, 32bit (built: 2011-10-03T19-58-16)


FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: eicar_test2
Virus signatures: 201211040902
(C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\antivir.def)

[Found virus] <EICAR_Test_File (exact, not disinfectable)> D:\eicar_test2->eicar.com


Results:

Files: 1
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 5
Infected objects: 1
Infected files: 1
Files with errors: 0
Disinfected: 0

Running time: 00:01



And this is the RegEx definitions:

[Config]
Name=F-Prot Antivirus for Windows
Display=F-Prot Antivirus for Windows v6.xx
Type=0
Cmd=C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file>

[Version]
1Antivirus version\s([^\r\n]+)

[DBVersion]
1Virus signatures: ([\d]+)

[VirusName]
1\[Found\s\w+\] <([^\r\n>]+)\s\(

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Sun Nov 04, 2012 4:23 pm

Hello Christian,

Please add a new line to the [Config] section, after Cmd:

Reports=C:\Reports


then restart eWall. Run the AV test again and check the C:\Reports directory for the report file. It will contain the output of the antivirus scanner. Please post the content of this file and I'll try to adjust the RegEx patterns.

Junior Member
Posts: 7
Joined: Wed Jun 25, 2008 5:30 pm

Postby cbdreinulldrei » Sun Nov 04, 2012 4:53 pm

Hi,

I changed the Options.ini as suggested, but neither testing AV via options nor receiving an Eicar test file results in a report being generated.

This is the snippet from my ini file:

[Cmd]
FProt3=C:\PROGRA~1\FSI\F-PROT\FPCMD.EXE <file> /ARCHIVE /PACKED /NOMEM /NOBOOT /NOBREAK /NOSUB /SILENT /REPORT=<report>
FProt6=C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file>
[Config]
Reports=C:\Reports


Any suggestions?

EDIT: I tested the command line switch "--output" which can redirect output, so I changed the command line to

FProt6=C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file> --output=<report>

Still does not do anything useful...

Junior Member
Posts: 7
Joined: Wed Jun 25, 2008 5:30 pm

Postby cbdreinulldrei » Sun Nov 04, 2012 5:11 pm

Howdy,

thanks to a good friend, this new expression does it:

\[Found\s\w+\] <([^\r\n>]+)>


;)

Junior Member
Posts: 7
Joined: Wed Jun 25, 2008 5:30 pm

Postby cbdreinulldrei » Sun Nov 04, 2012 6:47 pm

So this is my complete Config for F-Prot 6.0 as of today:

[Config]
Name=F-Prot Antivirus for Windows
Display=F-Prot Antivirus for Windows v6.xx
Type=0
Cmd=C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file>

[Version]
1Antivirus CLS version\s([^\r\n]+)

[DBVersion]
1Virus signatures: ([\d]+)

[VirusName]
1\[Found\s\w+\] <(.+?)>
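
An added check, not part of the original posts and not eWall's own code: it runs the original and the revised preset patterns from this thread against the scanner report posted at the top and lists which sections extract nothing, which is what shows up as an unknown version in the test dialog. It assumes Python's `re` handles these patterns the way eWall's regex engine does; `extract` and `unparsed` are names made up for this example.

```python
import re

# Scanner report as posted at the top of the thread (result counters trimmed).
REPORT = r"""F-PROT Antivirus CLS version 6.7.5.5955, 32bit (built: 2011-10-03T19-58-16)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: eicar_test2
Virus signatures: 201211040902
[Found virus] <EICAR_Test_File (exact, not disinfectable)> D:\eicar_test2->eicar.com
Infected files: 1
"""

# Patterns from the thread, written without the leading "1" shown in the preset.
OLD_PRESET = {
    "Version": r"Antivirus version\s([^\r\n]+)",
    "DBVersion": r"Virus signatures: ([\d]+)",
    "VirusName": r"\[Found\s\w+\] <([^\r\n>]+)\s\(",
}
NEW_PRESET = {
    "Version": r"Antivirus CLS version\s([^\r\n]+)",
    "DBVersion": r"Virus signatures: ([\d]+)",
    "VirusName": r"\[Found\s\w+\] <(.+?)>",
}


def extract(preset, report):
    """Return {section: first capture group, or None if the pattern misses}."""
    out = {}
    for section, pattern in preset.items():
        m = re.search(pattern, report)
        out[section] = m.group(1) if m else None
    return out


def unparsed(preset, report):
    """Sections that extract nothing; for an infected sample this must be empty."""
    return sorted(k for k, v in extract(preset, report).items() if v is None)


if __name__ == "__main__":
    for name, preset in (("old", OLD_PRESET), ("new", NEW_PRESET)):
        print(name, extract(preset, REPORT), "unparsed:", unparsed(preset, REPORT))
```

Run against this report, only the original `[Version]` pattern misses, because the banner now reads "Antivirus CLS version"; the two `[VirusName]` patterns both match and differ only in how much of the bracketed text they capture.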

Junior Member
Posts: 3
Joined: Thu Feb 14, 2013 10:55 am

Re: 3.17 & F-Prot 6.0

Postby msitgroup » Mon Aug 05, 2013 7:48 pm

Hi there

I'm also having problems with F-Prot v6.00 and eWall v3.0.217 catching viruses.

I have changed the config file for F-Prot as follows:

[Config]
Name=F-Prot Antivirus for Windows
Display=F-Prot Antivirus for Windows v6.xx
Type=0
Cmd=C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file>

[Version]
1Antivirus CLS version\s([^\r\n]+)

[DBVersion]
1Virus signatures: ([\d]+)

[VirusName]
1\[Found\s\w+\] <(.+?)>

This still hasn't fixed my issue. When testing the configuration within eWall by clicking the "Test Antivirus Software", I also still receive [Unknown] next to the AV and DB versions even though it states "The antivirus has been successfully tested".

The rule I have under eWall is

Under Default/On Message (and the first rule)

If message has an attachment
-> and message is infected
then set reply 554 5.7.1 Email rejected due to infection of virus "{X-Virus-Name}". Connection terminated
and disconnect
and delete message
and stop all filters

Could anyone please offer me any help? :(

Many many thanks for any help!

Regards

Mark

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: 3.17 & F-Prot 6.0

Postby Alexander Telegin » Thu Aug 08, 2013 10:37 am

It seems like something changed in the F-Prot response and eWall can't parse the result. Please try to test the command-line scanner with the EICAR virus (or any other virus) and post the output here: I'll help to adjust the catching rule.

Junior Member
Posts: 3
Joined: Thu Feb 14, 2013 10:55 am

Re: 3.17 & F-Prot 6.0

Postby msitgroup » Fri Aug 09, 2013 5:20 pm

Hi Alex (and the forum members)

After hours of playing around with the parameters of fpscan, it appears you have to specify the following for F-Prot to work:

C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file> --nospin -r

The parameter -r asks F-Prot to only REPORT the virus rather than giving the option to Disinfect/Quarantine.

This appears to be a new behaviour whereas before it only reported it was infected. This alone doesn't fix it although you would think it would!

It's the --nospin option. F-Prot seem to have added a stupid spinning square animation effect whilst scanning which obviously upsets the regex scanning. By specifying the --nospin option, eWall now successfully scans files and displays the Engine & database version when clicking the "Test Antivirus button"

The following is a copy of my fprot6 conf file for anyone else who may be (marginally) interested :)

----------------------------------------------------------------------------------------------------------------------------------------------

[Config]
Name=F-Prot Antivirus for Windows
Display=F-Prot Antivirus for Windows v6.xx
Type=0
Cmd=C:\PROGRA~1\FRISKS~1\F-PROT~1\fpscan.exe <file> --nospin -r

[Version]
1Antivirus CLS version\s([^\r\n]+)

[DBVersion]
1Virus signatures: ([\d]+)

[VirusName]
1\[Found\s\w+\] <(.+?)>

----------------------------------------------------------------------------------------------------------------------------------------------

Regards

Mark

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: 3.17 & F-Prot 6.0

Postby Alexander Telegin » Fri Aug 09, 2013 6:18 pm

Thanks for letting me know, Mark.
