Contents:
~~~~~~~~~
0) Why should I upgrade my drwebd version? The old version works perfectly.
1) The X virus is not detected. Why?
2) I experience the following problem: if update.pl is launched from the command line everything is updated, and nothing gets updated if it is launched from cron, though the logs show that cron completes its tasks without fault...
3) What is in the UpdatePath?
4) Version prior to 4.30. The log shows
     Jul 3 13:50:18 mail drweb-smf: dwlib: scan: message sent by is passed
     Jul 3 13:50:18 mail drweb-smf: [g639oGJI030655]: processing message from completed (exit code 3)
   What does (exit code 3) mean?
5) One of my clients (and only one!) experiences the following: mail is not sent no matter how many times he presses the "Wait" button in Outlook. The following is written to the maillog by sendmail:
     drweb-smf: message from is aborted
   Please explain whether something goes wrong with sendmail or with Dr.Web.
6) I have installed drweb with qmail. All works well, but the sender of a virus receives two messages: one reads that there is a virus in the message, the other that the message can not be delivered:
     Remote host said: 554 mail server permanently rejected message (#5.3.0)
   Can I somehow disable the sending of such messages, as users may think there is an error on the server?
7) What do the question marks in drweb-smf.log mean?
     Nov 26 14:36:13 proba drweb-smf: [???]: ...
8) What do the Expires= and the SubscriptionExpires= fields in the key file (for example drwebd.key) mean?
9) Can I use virus bases of version 4.30 with version 4.31?
10)  drweb.tmp.60gkxo/$ARCHIVE_NAME/$FILE_IN_ARCHIVE - compression ratio is too high (2770944 : 35154)
     ...
     Dr.Web scanning statistics:
     Evaluation key used !
     Archive restriction : 21
     ...
    What does it mean and what should I do in this situation?
11) I tried to bundle Dr.Web and Postfix. The mail does not go through at all.
    When I checked the logs one line seemed suspicious:
     Jul 17 12:55:01 mailhub sendmail[29437]: h6H9t0sh029437: Authentication-Warning: host.domain.tld: drweb set sender
    or:
     Apr 20 17:32:31 mailhub sendmail[33617]: h3KDWVlV033617: from=name@example.com, size=38592, class=0, nrcpts=1, msgid=, relay=drweb@localhost
    What can be the reason of the problem?
12) I have drweb-sendmail-4.30 installed. From time to time the following error message is displayed:
     Nov 9 22:55:49 mail drweb-smf: drweb_smf.c(667) - FATAL ERROR: cannot extract private data from context
    Please explain!
13) When a message with a file attached is sent, the daemon checks everything correctly; here is an extract of the log:
     Nov 5 14:59:27 relay sendmail[22756]: hA5CxRIm022756: from=, size=15600, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=domain.tld [10.0.0.1]
    But when the same message is sent and NAV scans all outgoing messages (on the client from which I sent the message), the following is reported:
     Nov 5 14:58:48 relay sendmail[22751]: hA5CwlIm022751:from=, size=0, class=0, nrcpts=1,proto=ESMTP, daemon=MTA, relay=domain.tld [10.0.0.2]
     Nov 5 14:58:48 relay drweb-smf: [hA5CwlIm022751]: message from foo@example.com is aborted
14) I have drweb-4.29.5 installed. A strange thing happened: I received a mail with Gibe.2:
     Wed Nov 12 08:56:20 2003 [1459] /var/spool/filter/drweb.tmp.HM5dmX/[text:html] - Ok
     Wed Nov 12 08:56:20 2003 [1459] >>/var/spool/filter/drweb.tmp.HM5dmX/cgmgf.exe - Ok
    At the same time, the on-line check (http://online.drweb.com) reports:
     ...
     cgmgf.exe packed by UPX
     >cgmgf.exe infected with Win32.HLLM.Gibe.2
15) I have Dr.Web daemon + Dr.Web for CGP installed; header filtering is enabled (RuleFilter = on + RuleFitlerAlert = reject), but for some blocked messages notifications are not received by the sender and the administrator receives two messages:
16) I have Dr.Web for Sendmail (version prior to 4.30.1 or compiled from the supplied source code) installed.
    Sometimes the filter terminates without any visible reason. What can it be?
17) I have the Dr.Web mail filter installed. For infected objects the discard action (Infected = discard) is set, but notifications are still received. Why? I don't want them to be sent.
18) I have installed your mail filter and sent a message with a virus (a friend of mine gave it to me). The virus was detected, but only the administrator received a notification, though I have enabled notifications for all. Why is that?
19) I have Dr.Web Daemon & Dr.Web for Sendmail installed. The mail messages are not checked for viruses and the mail log has the following entries:
     ...
     Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: milter_read(drweb-filter): cmd read returned 4, expecting 5
20) I have received an interesting file called "something.jpg .exe". The on-line check reports it is clean. Where can I check it?
21) I have installed a mail filter, but notifications are received by the administrator only, though in drweb_{mta}.conf:
     ...
     [VirusNotification]
     SenderNotify = yes
     RcptsNotify = yes
     AdminNotify = yes
     ...
    the masks are specified and available. What is the reason of the problem?
22) It is difficult to understand your licensing policy. Which programs and licenses are suitable for what?
23) FreeBSD 4.x (x =< 7) system. I have installed version 4.31 and receive:
     /usr/libexec/ld-elf.so.1: Undefined symbol "__stdoutp" referenced from COPY relocation in /usr/local/drweb/drweb-smf
24) I have installed Dr.Web for Sendmail, but it does not check the mail. The daemon log reads:
     ===
     Daemon is loaded, active interfaces: 127.0.0.1:3000
     Unknown command received: 13
     ===
    or
     ===
     Daemon is installed, active interfaces: 127.0.0.1:3000
     Unknown command received: 13!
     ===
    What should I do?
25) The FreeBSD system. The rules filter (RejectCondition) in the daemon does not work if the Russian language is used in the rules. What should I do?
26) I decided to check the Dr.Web filter at http://www.testvirus.org, but of the 25 tests made Dr.Web missed some variants. How can you comment on this?
27) After installing some virus database update, version 4.29.2 (4.29.5) got stuck on a large number of messages. Why?
28) I have installed Dr.Web Daemon and Dr.Web Filter for Sendmail. It seems to be configured properly but the filter doesn't run and I see the following messages in /var/log/messages:
     Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port 3000@localhost: Address already in use
     Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn 3000@localhost
    or
     Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port local:/var/drweb/run/.daemon: Address already in use
     Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn local:/var/drweb/run/.daemon
29) I have installed Dr.Web daemon and mail filter. Sometimes I receive alerts about unchecked messages with the reason:
     ===
     The filter cannot connect to the DrWEB daemon
     ===
    What can I do to avoid this problem?
30) I have installed the 4.32.x Dr.Web daemon and mail filter. I think I have discovered a bug: a user sends a partial message, the message is delivered but the user receives a notification. The action for "skipped" objects is "pass".

0) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: Why should I upgrade? The old version works perfectly.
A: It will work for some time only.
There are several reasons for an upgrade:
- the new virus search module (drweb32.dll) is used in new versions; new features can be added: new packers (for example, in version 4.30 the FSG packer), new archivers (example: 4.30 - LHA), new curing procedures for viruses (more important for Windows versions, though), and the old version may not detect many of the new viruses (example: 4.29 does not detect Win32.HLLM.Dumaru, as it is packed with FSG).
- though the updates within the main version (4.29 and 4.30 have the common main version 4.xx) are compatible, the efficiency and ability of old versions with new updates to detect viruses are not tested.

1) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: The X virus is not detected. Why?
A: Firstly, try to scan the virus with our on-line virus check at http://online.drweb.com. If the virus is not detected, then send it to our virus analysts. If the virus is detected, then make sure that:
1) all bases are enabled (the most common mistake concerns the main base drwebase.vdb; in the log below only the add-on bases are loaded and drwebase.vdb is missing):
---
  Fri Feb 1 14:45:26 2002 Key file: /etc/drweb/drwebd.key
  Fri Feb 1 14:45:26 2002 Registration info:
  Fri Feb 1 14:45:26 2002 0100000002
  Fri Feb 1 14:45:26 2002 Evaluation Key (ID Anti-Virus Lab. Ltd, St.Petersburg)
  Fri Feb 1 14:45:26 2002 This is an EVALUATION version with limited functionality!
  Fri Feb 1 14:45:26 2002 To get your registration key, call regional dealer.
  Fri Feb 1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42701.vdb - Ok, virus records: 90
  Fri Feb 1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000
2) a valid key is loaded (it can also be a trial key).
Note: starting from version 4.30 the daemon will not be loaded if a valid key is not found.
Examples when the key is not loaded:
--- there is no key at all, for example, the wrong path is set:
  Fri Feb 1 14:43:33 2002 This is an EVALUATION version with limited functionality!
  Fri Feb 1 14:43:33 2002 To get your registration key, call regional dealer.
  Fri Feb 1 14:43:33 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
  Fri Feb 1 14:43:34 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
--- the key is incorrect (for example, a misprint in drweb32.ini):
  Fri Feb 1 14:45:26 2002 Key file: /etc/drweb/drweb.key
  Fri Feb 1 14:45:26 2002 Registration info:
  Fri Feb 1 14:45:26 2002 0100000002
  Fri Feb 1 14:45:26 2002 Evaluation Key (ID Anti-Virus Lab. Ltd, St.Petersburg)
  Fri Feb 1 14:43:33 2002 Registration key mismatches application!
  Fri Feb 1 14:45:26 2002 This is an EVALUATION version with limited functionality!
  Fri Feb 1 14:45:26 2002 To get your registration key, call regional dealer.
  Fri Feb 1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42701.vdb - Ok, virus records: 90
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 27860
  Fri Feb 1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000
When the daemon is loaded with the correct key it looks as follows:
---
  Fri Feb 1 14:45:26 2002 Key file: /etc/drweb/drwebd.key
  Fri Feb 1 14:45:26 2002 Registration info:
  Fri Feb 1 14:45:26 2002 0100000002
  Fri Feb 1 14:45:26 2002 Evaluation Key (ID Anti-Virus Lab. Ltd, St.Petersburg)
  Fri Feb 1 14:45:26 2002 This is an EVALUATION version with limited functionality!
  Fri Feb 1 14:45:26 2002 To get your registration key, call regional dealer.
  Fri Feb 1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42701.vdb - Ok, virus records: 90
  Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 27860
  Fri Feb 1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000

2) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I experience the following problem: if update.pl is launched from the command line everything is updated, and nothing gets updated if it is launched from cron, though the logs show that cron works well.
A: The environment variables of cron are different; you should define the full path to wget, for example /usr/bin/wget.

3) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: What is in UpdatePath?
A: The path to the directory in which new components are stored: components that can be substituted automatically, or those whose location is unknown (for example, new files of the Documentation).

4) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: Version prior to 4.30. Log messages:
  Jul 3 13:50:18 mail drweb-smf: dwlib: scan: message sent by is passed
  Jul 3 13:50:18 mail drweb-smf: [g639oGJI030655]: processing message from completed (exit code 3)
What does (exit code 3) mean?
A: Exit code 3 is the filter's answer to sendmail that the message must be passed (PASS). The code is internal; it will soon be removed from the message.

5) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: One of the clients (only one) experiences the following: the mail is not sent no matter how many times he presses the "Wait" button in Outlook. The following is written to the maillog by sendmail:
  drweb-smf: message from is aborted
Please explain: is something going wrong with sendmail, Dr.Web or the user?
A: The filter has definitely nothing to do with this situation. This message means that sendmail told the filter that all the data associated with this mail can be released, and the mail processing was interrupted. The filter cannot determine what caused the interruption of processing (the client or sendmail).
{sendmail}/libmilter/docs/xxfi_abort.html:
  ... xxfi_abort is only called if the message is aborted OUTSIDE the filter's control and the filter has not completed its message-oriented processing. ...
Hint: most likely Norton Personal Firewall or Norton Information Security (NIS) is installed; they begin every mail session with an empty message, and such messages are not accepted by sendmail.

Q: Yesterday evening I disabled drweb on the MTA, just for test purposes. The result is depressing: no "aborted" up to the present!
A: No wonder: it is the filter that performs such diagnostics. "Is aborted" is written by the filter when Sendmail "tells" the filter to suspend the processing (for example, due to a break in the connection). Check the logs before "is aborted" and, most likely, you will see the reason yourself.

6) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed drweb with qmail. But the sender of a virus receives two messages: one reads that there is a virus in the message, the other that the message can not be delivered:
  Remote host said: 554 mail server permanently rejected message (#5.3.0)
Can I somehow disable the sending of such messages, as the user may think there is an error on the server?
A: This is a problem (or maybe not a problem) with all filters. And there is a strong reason to do it as it is done now: the mail message MUST NOT disappear. If you enable the discard option (that is what you propose, i.e. to accept the virus, not to move it anywhere, write a notification and say that everything is OK), then the message will disappear.
7) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: What do the question marks in drweb-smf.log mean?
  Nov 26 14:36:13 proba drweb-smf: [???]: ...
A: This means that the filter could not determine the message-id (this is an internal ID of sendmail) of this message. In version 8.11 of sendmail this cannot be avoided; in sendmail-8.12, to enable the filter to write sendmail's message-id to the log, the following line should be included in sendmail.cf:
------------------- cut ---------------------
O Milter.macros.envfrom=i, ...
------------------- cut ---------------------
(the dots mean other parameters; their values are not important).

8) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: What do the Expires= and the SubscriptionExpires= fields in the key file (for example drwebd.key) mean?
A:
1. The key will work with all versions issued before the SubscriptionExpires date, and during this term there is a possibility to update from the commercial updates area (for more details contact the distributor).
2. The key becomes null and void after the Expires date; starting from version 4.30 the daemon will not be loaded at all, while prior versions shifted to the "without key" mode (in which the mail was not checked).

9) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: Do the databases of version 4.31 match the bases of version 4.30?
A: It is best to upgrade. Why? Read the answer to question #0 of this FAQ. Only the add-ons are compatible; the main bases are NOT compatible. Thus the set of loaded bases for version 4.30 is as follows:
  + drwebase.vdb v.4.30
  + all add-ons v.4.30 (drw430xx.vdb, xx=01..26)
  + all add-ons v.4.31 (drw431yy.vdb, yy=02..current)
    !Important: drw43101.vdb is not necessary in v.4.30
  + drwtoday.vdb
The standard updating script update.pl creates this very configuration of bases...
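The two checks that questions #1 and #9 ask the administrator to make by eye (is the main base drwebase.vdb loaded, was the key accepted, and does a 4.30 daemon load exactly the base set listed above) can be scripted against the daemon's start-up log. The following is an added example, not a Dr.Web tool; it assumes the log line formats quoted in this FAQ, and every log it parses here is constructed for the example (the "virus records" counts are placeholders).

```python
"""Check a Dr.Web daemon start-up log for the mistakes named in question #1
(main base missing, key not accepted) and for the 4.30 base set of question #9.
Added example: log format follows the FAQ excerpts; sample logs are constructed."""
import re

LOAD_RE = re.compile(r"Loading (?:\S*/)?(?P<base>[^/\s]+\.vdb) - Ok, virus records: (?P<n>\d+)")
KEY_RE = re.compile(r"Key file: (?P<path>\S+)")
KEY_PROBLEMS = (
    "Registration key mismatches application!",  # wrong key file, see question #1
    "Your registration key has expired!",        # Expires= date passed, see questions #8 and #14
)


def parse_startup_log(lines):
    """Return (key_file, key_problems, {base file name: record count})."""
    key_file, problems, bases = None, [], {}
    for line in lines:
        m = KEY_RE.search(line)
        if m:
            key_file = m.group("path")
        problems.extend(p for p in KEY_PROBLEMS if p in line)
        m = LOAD_RE.search(line)
        if m:
            bases[m.group("base")] = int(m.group("n"))
    return key_file, problems, bases


def expected_bases_430(latest_431_addon):
    """Base set question #9 gives for a 4.30 daemon: main base, drw43001..drw43026,
    drw43102..drw431<latest> (drw43101 deliberately excluded) and drwtoday."""
    names = {"drwebase.vdb", "drwtoday.vdb"}
    names.update(f"drw430{i:02d}.vdb" for i in range(1, 27))
    names.update(f"drw431{i:02d}.vdb" for i in range(2, latest_431_addon + 1))
    return names


def check_startup(lines, expected=None):
    """Return a list of findings; an empty list means key and bases look right."""
    key_file, problems, bases = parse_startup_log(lines)
    loaded = set(bases)
    findings = []
    if key_file is None:
        findings.append("no 'Key file:' line: key path is missing or wrong")
    findings.extend(problems)
    if "drwebase.vdb" not in loaded:
        findings.append("main base drwebase.vdb is not loaded")
    if expected is not None:
        findings += [f"expected base {n} is not loaded" for n in sorted(expected - loaded)]
        findings += [f"unexpected base {n} is loaded" for n in sorted(loaded - expected)]
    return findings


# Constructed sample: key accepted, but only add-ons are loaded (the question #1 mistake).
SAMPLE_MISSING_MAIN = [
    "Fri Feb  1 14:45:26 2002 Key file: /etc/drweb/drwebd.key",
    "Fri Feb  1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56",
    "Fri Feb  1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116",
    "Fri Feb  1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000",
]
# Constructed sample: the key path points at a key for another product.
SAMPLE_BAD_KEY = [
    "Fri Feb  1 14:45:26 2002 Key file: /etc/drweb/drweb.key",
    "Fri Feb  1 14:43:33 2002 Registration key mismatches application!",
    "Fri Feb  1 14:45:27 2002 Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 27860",
]


def sample_430_log(latest_431_addon, extra=()):
    """Build a constructed 4.30 start-up log with the question #9 base set plus `extra` bases."""
    names = sorted(expected_bases_430(latest_431_addon) | set(extra))
    lines = ["Mon Jan  5 04:02:08 2004 Key file: /etc/drweb/drwebd.key"]
    lines += [f"Mon Jan  5 04:02:08 2004 Loading /var/drweb/bases/{n} - Ok, virus records: 1" for n in names]
    return lines


if __name__ == "__main__":
    for label, log in (("missing main base", SAMPLE_MISSING_MAIN), ("bad key", SAMPLE_BAD_KEY)):
        print(label, "->", check_startup(log))
    print("4.30 with stray drw43101 ->", check_startup(sample_430_log(5, ["drw43101.vdb"]), expected_bases_430(5)))
```

Run it against the daemon's own log (the lines written at start-up or after a SIGHUP) and pass `expected_bases_430(<newest 4.31 add-on number>)` only when the daemon really is version 4.30; for other versions the key and drwebase.vdb checks still apply on their own.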
10) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Definitions used in this question:
  $MTA - the name of the mail system (CGP, Sendmail, Postfix and so on)
  $ARCHIVE_NAME - the name of the archive in the message (for example docs.zip, demo.ppt and so on)
  $FILE_IN_ARCHIVE - the name of the file inside the archive (for example otchet.doc, Storage0 and so on)
Q: I have $MTA and the mail filter installed on the server. Today I received a message which reads as follows:
--- cut ---
This message was not delivered as an object breaking the restrictions set for archives has been found.
Sender = sender@domain.com
Recipients = receiver@domain.com
Subject = Subject
Identificator = msg-id-NNNN@domain.com
--- Dr.Web report ---
Detailed Dr.Web report:
...
drweb.tmp.60gkxo/$ARCHIVE_NAME/$FILE_IN_ARCHIVE - compression ratio is too high (2770944 : 35154)
...
Dr.Web Scanning statistics:
Evaluation key used !
Archive restriction : 21
--- cut ---
What does it mean and what should I do in this situation?
A: This means that in drweb_$MTA.conf:
  [Actions]
  ArchiveRestriction = reject  or  quarantine
and in drweb32.ini:
  [Daemon]
  ...
  MaxCompressionRatio is less than 78 (divide 2770944 by 35154).
Below is what you should do. There are two solutions to the problem:
a) Raise the MaxCompressionRatio (say, to 200-500) and restart the daemon. You can also comment out the parameter (which means it becomes infinite). But mind that in this case an attack on your mail system with the aim of temporarily disabling it becomes possible: when a malefactor sends so-called "mail bombs", their check will take a substantial time and a huge portion (or even all) of the disk space.
b) Set ArchiveRestriction = pass. In this case a virus can be sent inside the archive if it compresses to more than the MaxCompressionRatio (a script virus, for example).

11) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I tried to bundle Dr.Web with Postfix.
The mail does not go through at all. When I checked the logs one line seemed suspicious:
  Jul 17 12:55:01 mailhub sendmail[29437]: h6H9t0sh029437: Authentication-Warning: host.domain.tld: drweb set sender
or:
  Apr 20 17:32:31 mailhub sendmail[33617]: h3KDWVlV033617: from=name@example.com, size=38592, class=0, nrcpts=1, msgid=, relay=drweb@localhost
What can be the reason of the problem?
A: The reason lies in an incorrect mail system setting: the log line "sendmail[....]: ...." belongs to sendmail (www.sendmail.org), not to the postfix substitute for sendmail (it is supplied with postfix). That is why in drweb_postfix.conf:
  [Mailer]
  Sendmail = ...
you should set the path to the postfix substitute for sendmail. For example, if installed from the source code it is located somewhere like /usr/libexec/postfix/sendmail.
PS: By the way, it is quite strange that you have postfix, but the real sendmail is located in /usr/sbin.

12) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have drweb-sendmail-4.30 installed. From time to time the following error message is displayed:
  Nov 9 22:55:49 mail drweb-smf: drweb_smf.c(667) - FATAL ERROR: cannot extract private data from context
Please explain!
A: This is an error. To remove it, you can either
1. set in drweb_smf.conf: HeloInReceived = no
2. or upgrade the version.
13) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: When a message with a file attached is sent, the daemon checks everything correctly; here is an extract of the log:
  Nov 5 14:59:27 relay sendmail[22756]: hA5CxRIm022756: from=, size=15600, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=domain.tld [10.0.0.1]
But when the same message is sent and NAV checks outgoing messages (on the client from which I sent the message), the following is reported:
  Nov 5 14:58:48 relay sendmail[22751]: hA5CwlIm022751:from=, size=0, class=0, nrcpts=1,proto=ESMTP, daemon=MTA, relay=domain.tld [10.0.0.2]
  Nov 5 14:58:48 relay drweb-smf: [hA5CwlIm022751]: message from foo@example.com is aborted
A: NAV is trying, for some reason (I don't know why), to send an empty message, i.e. it is completely empty and does not have any header. Sendmail does not like it, terminates the receipt of this message and notifies the filter about it. The filter simply records the fact. See also question #5.

14) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have drweb-4.29.5 installed. A strange thing happened: I received a mail with Gibe.2:
  Wed Nov 12 08:56:20 2003 [1459] /var/spool/filter/drweb.tmp.HM5dmX/[text:html] - Ok
  Wed Nov 12 08:56:20 2003 [1459] >>/var/spool/filter/drweb.tmp.HM5dmX/cgmgf.exe - Ok
At the same time, the on-line check (http://online.drweb.com) reports:
  ...
  cgmgf.exe packed by UPX
  >cgmgf.exe infected with Win32.HLLM.Gibe.2
  Scan report for "cgmgf.exe": Scanned : 1 Cured : 0 Infected : 1 Deleted : 0
  ...
Here is the daemon load log:
  Wed Nov 12 04:02:07 2003 SIGHUP received, reloading...
  Wed Nov 12 04:02:07 2003 Dr.Web (R) daemon for Linux, version 4.29.5 (January 6, 2003)
  ...
  Wed Nov 12 04:02:08 2003 Key file: /opt/drweb/drwebd.key
  Wed Nov 12 04:02:08 2003 Registration info:
  Wed Nov 12 04:02:08 2003 0100000003
  Wed Nov 12 04:02:08 2003 Evaluation key ID Anti-virus Lab St.Petersburg
  Wed Nov 12 04:02:08 2003 Your registration key has expired!
  ...
  Wed Nov 12 04:02:08 2003 This is an EVALUATION version with limited ...
A: Demo keys are issued:
a) for a particular version, i.e. a key for another version will not be valid;
b) for a limited period of time (as of 01.02.2004 this term equals 1 year); after its expiration the key becomes void.
The cited error message says that the daemon will operate without the key; it will detect only unpacked viruses. By the way, starting from version 4.30 the daemon will not be loaded if a valid key is not available.
And here is the explanation why the viruses are not detected. The first MIME level is unpacked without the key (this is an error of version 4.29.x), but all other checks follow the key permissions; accordingly, all archives (RAR, ZIP, etc.), packers (UPX, DIET, etc.) and attached MIMEs are not checked.

15) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have Dr.Web daemon + Dr.Web for CommuniGate Pro installed; header filtering is enabled (RuleFilter = on + RuleFitlerAlert = reject), but for some blocked messages notifications are not received by the sender, while the administrator receives two messages:
  Subject: Rule rejected message
  Date: Thu, 13 Nov 2003 17:18:02 +0300
  From: DrWeb-DAEMON
  To: System Administrator
  Sender = <> (may be forged)
  Recipients = postmaster@example.com
  ...
A: This happens if, among the rules, there are rules regulating the Subject: header. As CommuniGate Pro uses the old header in the notification to the sender (and to the administrator), the notifications have also been blocked by the filter.
16) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have Dr.Web for Sendmail (version prior to 4.30.1 or compiled from the source code) installed. Sometimes the filter terminates without any visible reason. What can it be?
A: Yes, this may happen. The reason lies in libmilter (written by the sendmail authors). It usually happens when the server is overloaded; the system logs then may have messages as follows:
  Nov 20 19:54:09 name drweb-smf: Dr.WEB Sendmail filter VER: malloc(ctx) failed (12), abort
or
  Nov 20 19:54:09 name drweb-smf: Dr.WEB Sendmail filter VER: thread_create() failed: 11, abort
Starting from version 4.30.1 we use a modified version of libmilter. We have also issued a patch for the original version of sendmail-8.12.9. There is no other solution to the problem so far. Write to us if you believe this is not the reason for the filter termination; we shall examine the case.

17) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have the Dr.Web mail filter installed. For infected objects the discard action (Infected = discard) is set, but notifications are still received. Why? I don't want them to be sent.
A: The actions set in the [Actions] section and the notifications set in the [...Notifications] sections work independently: the action is needed for the filter to know what to answer to your mail server; the notifications are sent regardless of the action set (exception: the pass action, for which notifications are not sent). Thus, if you do not want to receive notifications you should disable them in the corresponding section. For your particular case:
  [VirusNotifications]
  SenderNotify = no
  AdminNotify = no
  RcptsNotify = no
  ...

18) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed your mail filter and sent a message with a virus (a friend of mine gave it to me).
The virus was detected, but only the administrator received a notification, though I have enabled notifications for all. Why is that?
A: Most likely, the notification policy for the virus you have sent is changed in the configuration file /etc/drweb/viruses.conf (more precisely, in the configuration file defined by the UnnotificableVirusesList parameter in the main configuration file).

19) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have Dr.Web Daemon & Dr.Web for Sendmail installed. The mail messages are not checked for viruses and the mail log has the following entries:
  ...
  Nov 24 19:11:20 vulture sendmail[873]: /etc/mail/aliases: 37 aliases, longest 12 bytes, 423 bytes total
  Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: milter_read(drweb-filter): cmd read returned 4, expecting 5
  Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: Milter (drweb-filter): to error state
  Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: Milter (drweb-filter): init failed to open
  Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: Milter (drweb-filter): to error state
  Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: from=, size=803, class=0, nrcpts=1, msgid=<60270330044.20031124191101@100h.ru>, proto=ESMTP, daemon=MTA, relay=[192.168.*.**]
  Nov 24 19:11:48 vulture sendmail[880]: hAO9Bmvr000878: to=, ctladdr= (1012/6), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31026, relay=local, dsn=2.0.0, stat=Sent
A: You have connected the filter incorrectly. In sendmail.cf (.mc) you have defined the address of the daemon (drwebd), but you should define the address at which the filter (drweb-smf) waits for requests from sendmail; the same address is listed in the MilterAddress parameter in the [Mailer] section of drweb_smf.conf. The daemon address is given in drweb32.ini in the Socket parameter and in the Address parameter of the [DaemonCommunication] section of drweb_smf.conf.
Besides, to generate the correct additions to sendmail.cf (.mc) and the script for the automatic filter startup you can use the {drweb}/doc/sendmail/configure utility.

20) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have received an interesting file called "something.jpg .exe". The on-line check reports it is clean. Where can I check it?
A: There is an address for suspicious files and attachments: newvirus@drweb.com. It is best to pack the suspicious file in a password-protected archive. Please include the password and brief information on your suspicions in the accompanying message.

21) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed a mail filter, but notifications are received by the administrator only, though in drweb_{mta}.conf:
  ...
  [VirusNotification]
  SenderNotify = yes
  RcptsNotify = yes
  AdminNotify = yes
  ...
the masks are specified and available. What is the reason of the problem?
A: The reason is that most viruses received through the mail are so-called "worms", and the notification policy for such viruses is changed in viruses.conf (or in the file defined in drweb_{mta}.conf -> [Actions] -> UnnotificableVirusesList) by the entry Win32.HLLM. The reason is that "worms" usually spoof the sender's address, and the recipient's address is chosen randomly (from the victim's address book, as a rule). That is why a notification to the sender is considered "spam".

22) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: It is difficult to understand which of the programs and licenses you offer is needed for what.
A: At present, there are three types of programs available:
- scanner (drweb)
- daemon (drwebd)
- mail filters (drweb-smf, drweb-postfix, ...) and file filters (smb_spider, drweb-icapd)
The scanner checks files on the drive. The list of files to be checked is either specified in the parameters or read from the standard input stream.
You need a separate license for the scanner.
Filters do not check anything themselves; they can only "intercept" the mail (CommuniGate, Sendmail, ...) and files (Samba, Squid) from the corresponding programs. There is no need for a separate license for them; moreover, the source code for some of them is available on our site. Thus, without an active daemon the filters are useless.
The daemon checks the files on the drive and the data received through network connections from filters or other programs via a special protocol. There are two types of licenses for the daemon: the "mail license" (it checks addresses and traffic) and the "file license". You need the "mail license" if the daemon will be bundled with mail filters. You need the "file license" if the daemon will be bundled with file filters (Samba, Squid).
PS: If the "file license" is purchased the daemon will NOT check the mail, and vice versa. You can buy both licenses with one key.

23) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: The FreeBSD 4.x (x =< 7) system. I have installed version 4.31 and receive:
  /usr/local/drweb > ./drweb-smf.sh start
  /usr/libexec/ld-elf.so.1: Undefined symbol "__stdoutp" referenced from COPY relocation in /usr/local/drweb/drweb-smf
What should I do?
A: Use drweb-smf.static; the same goes for the other filters.

24) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed Dr.Web for Sendmail, but it does not check the mail. The daemon log reads:
  ===
  Daemon is installed, active interfaces: 127.0.0.1:3000
  Unknown command received: 13!
  ===
(asv: or, if the use of russian.dwl is enabled)
  ===
  Daemon is loaded, active interfaces: 127.0.0.1:3000
  Unknown command received: 13
  ===
What should I do?
A: Read the answer to question #19; you experience the same problem.

25) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: The FreeBSD system.
The rules filter (RejectCondition) in the daemon does not work if the Russian language is used in the rules. What should I do?
A: Firstly, the rules should be set in the KOI8-R encoding.
Secondly, understand that if the header you want to filter (for example, Subject:) is 8bit encoded (which means it breaks the mail standard, as it must be encoded as =?koi8-r?B?..?= or =?cp1251?Q?..?=, i.e. the encoding has to be specified), it will be compared without taking the encoding into account. Such (8bit encoded) messages can also be blocked by the filter:
  RejectCondition Subject = "8bit"
And finally, the locale should be correctly set to KOI8-R for the user with whose rights the daemon is launched:
1. Add to the file /etc/login.conf (though it is usually present already):
  #
  # Russian Users Accounts. Setup proper environment variables.
  #
  russian:Russian Users Accounts:\
          :charset=KOI8-R:\
          :lang=ru_RU.KOI8-R:\
          :tc=default:
   To update /etc/login.conf.db:
  # cap_mkdb /etc/login.conf
2. Now the drweb user should be marked as belonging to the class russian:
  # pw usermod drweb -L russian
3. Sometimes it is necessary to add to the daemon launching script, before the line  case "$1" in  :
  LC_ALL=ru_RU.KOI8-R
  export LC_ALL
4. Restart the daemon...

26) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I decided to check the Dr.Web filter at http://www.testvirus.org, but of the 25 tests made Dr.Web missed some variants. What can you say to that?
A: As of May 19, 2004 (the site and the tests may have changed since), we miss the following tests:
Test #12: Eicar virus within a password protected ZIP file
Test #24: Test for the "Partial (Fragmented) Vulnerability". This does not include Eicar virus, but your mail server still must block this since it can break a virus into multiple emails and reassemble it in your inbox.
- Such messages can be blocked if the SkipObject option is switched from pass to any other action.

Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
- The TNEF format is not parsed at present.

Test #25: Attachment with a CLSID extension, which may hide the real file extension. This does not include the Eicar virus, but your mail server still must block this since it can hide the true extension of a file
- The message does not contain any viral code.

Test #16: Eicar string in HTML, to ensure that your mail server scans HTML segments
Test #19: Eicar virus within zip file hidden using the "Blank Folding Vulnerability"
Test #21: Eicar virus within zip file hidden using the "Long MIME Boundary Vulnerability"
Test #23: Eicar virus within zip file hidden using the "Empty MIME Boundary Vulnerability"
- In such a form the virus is not dangerous and will not spread; it can simply be called garbage. By the way, in samples #16 and #21 the scanner does detect the virus, but the daemon parses the mail more quickly and simply.

27) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Q: After a routine update, version 4.29.2 (or 4.29.5) has become unstable under high load (a large number of messages). Why?

A: The problem does not lie in the bases (this is easy to check by launching the daemon with only the main base and the "problem" update); it is an error in version 4.29 (in particular, in drweb32.dll of version 4.29). Thus an upgrade is the only possible solution, as we do not issue fixes for old versions. The reason is explained in question #0.

28) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Q: I've installed Dr.Web Daemon and Dr.Web Filter for Sendmail.
It seems to be configured properly, but the filter doesn't run and I see the following messages in /var/log/messages:

Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port 3000@localhost: Address already in use
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn 3000@localhost

or

Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port local:/var/drweb/run/.daemon: Address already in use
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn local:/var/drweb/run/.daemon

A: You have specified the Dr.Web Daemon's connection in the MilterAddress option (section [Mailer] of drweb_smf.conf), but that option must hold the connection used for communication between the filter and sendmail (the same connection is also specified in sendmail.cf). So you should have something like this:

in drweb32.ini:

Socket = 3000 localhost

in drweb_smf.conf:

[DaemonCommunication]
Address = inet:3000@localhost
...
[Mailer]
...
MilterAddress = inet:3001@localhost

and in sendmail.cf:

Xdrweb-filter, S=inet:3001@localhost, F=T, T=C:1m;S:5m;R:5m;E:1h

29) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Q: I have installed the Dr.Web daemon and a mail filter. Sometimes I receive alerts about unchecked messages with the reason:

===
The filter cannot connect to the DrWEB daemon
===

What can I do to avoid this problem?

A: We know two general reasons for this problem:

a) The daemon's incoming queue overflows when the load increases sharply.
b) The daemon is not ready for some reason.

So you have two ways to avoid these problems; the second is more general and reliable.

i) Use two or more sockets for communication between the daemon and the filter.
Configuration example:

drweb32.ini:

Socket = /var/drweb/run/.drwebd
Socket = 3000 localhost

drweb_{mta}.conf ({mta} = smf, cgp, postfix, exim, qmail, zmailer, courier or mio):

[DaemonCommunication]
Address = local:/var/drweb/run/.drwebd, inet:3000@localhost

ii) Use a reserve daemon (on the same host, or on another, more reliable host) that smooths out load bursts or takes over while the first daemon is not ready. Configuration example:

drweb_{mta}.conf ({mta} = smf, cgp, postfix, exim, qmail, zmailer, courier or mio):

[DaemonCommunication]
Address = local:/var/drweb/run/.drwebd, inet:3000@another.myhost.example.com

NOTE: LocalScan mode is not available for the second socket in the filter, even if that socket belongs to a daemon installed on the same host. See the daemon and filter documentation for details.

30) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Q: I've installed version 4.32 of Dr.Web for mail servers. I have received a strange notification:

Dear User,
the message with following attributes has not been delivered, because contains an object which cannot be checked by antivirus filter. Relaying such messages is blocked by administrator.
Sender = $SENDER$
Recipients = $RCPTS$
Subject = $SUBJECT$
Message-ID = $MSGID$
Antivirus filter report:
--- Dr.Web report ---
Dr.Web detailed report:
drweb.tmp.rQ8gYw - partial message, skipped
--- Dr.Web report ---
Please contact

but I know that the message has been delivered, and I have the following settings:

[Scanning]
SkipObject = pass
[SkipNotifications]
SenderNotify = yes
AdminNotify = no
RcptsNotify = no
SenderTemplate = /etc/drweb/templates/en-ru/sendmail/skip-sender.msg
AdminTemplate =
RcptsTemplate =

Is this a bug?

A: No. Since 4.32, a notification is sent independently of the action taken on a message; the only control mechanism now is the [SkipNotifications] section in drweb_{mta}.conf. In previous versions, no notifications were sent if the action was 'pass'.
Of course, the default templates were written for the actions reject\discard. I believe you received this message as the administrator, not as the sender\recipient. You can check the last part of this notification for the headers of the original message.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: Sergey Akhapkin
$Revision: 1.3 $
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
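For question 25 above, an added illustration (not the daemon's own code) of why the rules must be written in KOI8-R: an RFC 2047 encoded word declares its charset and can be brought to KOI8-R before comparison, while a raw 8-bit header can only be compared byte for byte, so a cp1251 sender slips past a KOI8-R rule. The word "Тест" and the three header variants are constructed samples.

```python
import base64
from email.header import decode_header, make_header

# Constructed samples: the same Russian word sent three ways (not taken from a real mailbox).
WORD = "Тест"
SAMPLES = {
    "koi8r_b": ("=?koi8-r?B?" + base64.b64encode(WORD.encode("koi8-r")).decode("ascii") + "?=").encode("ascii"),
    "cp1251_q": ("=?cp1251?Q?" + "".join("=%02X" % b for b in WORD.encode("cp1251")) + "?=").encode("ascii"),
    "raw_8bit": WORD.encode("koi8-r"),   # bare 8-bit bytes, no charset declared: breaks RFC 2047
}

def is_8bit(raw: bytes) -> bool:
    """True when the header carries bytes above 0x7F with no encoded-word charset label;
    this is the case that  RejectCondition Subject = "8bit"  singles out."""
    return any(b > 0x7F for b in raw)

def to_koi8r(raw: bytes) -> bytes:
    """Bring a header value to the form the rules are written in (KOI8-R bytes).
    Encoded words are decoded via their declared charset and re-encoded; a raw 8-bit
    header is returned unchanged, because without a charset label nothing can be decoded."""
    if is_8bit(raw):
        return raw
    text = str(make_header(decode_header(raw.decode("ascii"))))
    return text.encode("koi8-r", errors="replace")

def rule_matches(raw: bytes, rule: str) -> bool:
    """Compare a header against a rule given in KOI8-R (substring match)."""
    return rule.encode("koi8-r") in to_koi8r(raw)
```

The raw_8bit sample matches only because that sender happened to use KOI8-R; the same word sent as raw cp1251 bytes does not match the KOI8-R rule.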
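For question 26 above, an added detection example (not Dr.Web code): a walk over a MIME message that flags the objects the answer names as not checkable by content, so that SkipObject decides their fate: message/partial fragments (test #24), TNEF winmail.dat attachments (test #14) and ZIP entries with the encryption flag set (test #12). The messages, the archive and the placeholder attachment bytes are constructed samples.

```python
import io, re, struct, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def encrypted_zip_entries(data: bytes) -> int:
    """Count local file headers with general-purpose flag bit 0 (traditional PKWARE
    encryption) set; a scanner cannot unpack those entries without the password."""
    count = 0
    for m in re.finditer(b"PK\x03\x04", data):
        if m.start() + 8 <= len(data):
            flags, = struct.unpack_from("<H", data, m.start() + 6)  # offset 6: flag field
            count += flags & 0x0001
    return count

def unscannable_objects(raw: bytes) -> list:
    """Name the MIME objects the FAQ lists as not checkable by content (their fate is
    decided by SkipObject): partial fragments, TNEF attachments, encrypted ZIPs."""
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        ctype, name = part.get_content_type(), (part.get_filename() or "").lower()
        if ctype == "message/partial":
            hits.append("partial")
        elif ctype == "application/ms-tnef" or name == "winmail.dat":
            hits.append("tnef")
        elif name.endswith(".zip") and encrypted_zip_entries(part.get_payload(decode=True) or b""):
            hits.append("encrypted-zip")
    return hits

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample: one-entry ZIP; optionally set the encryption flag bit in its
    local header (the data stays plain, only the flag changes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "sample text")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01
    return bytes(data)

def make_message(attachment: bytes, filename: str) -> bytes:
    """Constructed sample message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed message/partial fragment (first of two pieces of a larger message).
PARTIAL = (b"From: a@example.com\r\nTo: b@example.com\r\n"
           b'Content-Type: message/partial; id="x@example.com"; number=1; total=2\r\n\r\n'
           b"Subject: fragment of a larger message\r\n")
```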
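For questions 28 and 29 above, an added consistency check (example code, not part of the Dr.Web distribution) over the three files the answers show: it normalises the daemon's Socket lines to the filter's notation, then reports a MilterAddress that collides with a daemon socket (the "Address already in use" case), a sendmail.cf S= that disagrees with MilterAddress, a filter Address with no matching Socket, and a single-address setup with no fallback. The file contents are constructed from the layouts in the answers.

```python
import configparser, re

# Constructed sample files laid out as in questions 28 and 29 (not from a real installation).
DRWEB32_INI = "Socket = /var/drweb/run/.drwebd\nSocket = 3000 localhost\n"
CONF_OK = ("[DaemonCommunication]\nAddress = local:/var/drweb/run/.drwebd, inet:3000@localhost\n"
           "[Mailer]\nMilterAddress = inet:3001@localhost\n")
CF_OK = "Xdrweb-filter, S=inet:3001@localhost, F=T, T=C:1m;S:5m;R:5m;E:1h\n"
# The mistake from question 28: the daemon's own socket handed to sendmail as MilterAddress.
CONF_BAD = "[DaemonCommunication]\nAddress = inet:3000@localhost\n[Mailer]\nMilterAddress = inet:3000@localhost\n"
CF_BAD = "Xdrweb-filter, S=inet:3000@localhost, F=T, T=C:1m;S:5m;R:5m;E:1h\n"

def daemon_sockets(ini: str) -> set:
    """Daemon listening sockets from drweb32.ini, spelled the way the filter writes them:
    '3000 localhost' -> 'inet:3000@localhost', '/var/drweb/run/.drwebd' -> 'local:/var/...'."""
    out = set()
    for value, host in re.findall(r"^\s*Socket\s*=\s*(\S+)(?:[ \t]+(\S+))?", ini, re.M):
        out.add("local:" + value if value.startswith("/") else "inet:%s@%s" % (value, host or "localhost"))
    return out

def filter_settings(conf: str) -> tuple:
    """([DaemonCommunication] Address list, [Mailer] MilterAddress) from drweb_{mta}.conf."""
    cp = configparser.ConfigParser(delimiters=("=",))   # values contain ':'; only '=' separates
    cp.read_string(conf)
    addrs = [a.strip() for a in cp.get("DaemonCommunication", "Address", fallback="").split(",") if a.strip()]
    return addrs, cp.get("Mailer", "MilterAddress", fallback=None)

def check(ini: str, conf: str, sendmail_cf: str) -> list:
    """Findings for the three files; an empty list means they agree with the FAQ's layout."""
    sockets, (addrs, milter) = daemon_sockets(ini), filter_settings(conf)
    m = re.search(r"^X\S*,\s*S=([^,\s]+)", sendmail_cf, re.M)   # the Xdrweb-filter mailer line
    findings = []
    if milter in sockets:    # question 28: filter and daemon would bind the same address
        findings.append("question 28: MilterAddress %s is the daemon's own socket" % milter)
    if not m or m.group(1) != milter:
        findings.append("sendmail.cf S=%s does not match MilterAddress %s" % (m and m.group(1), milter))
    for a in addrs:          # every local address the filter dials must be a daemon Socket
        if (a.startswith("local:") or a.endswith("@localhost")) and a not in sockets:
            findings.append("Address %s has no Socket line in drweb32.ini" % a)
    if len(addrs) < 2:       # question 29: a second socket or daemon covers bursts and restarts
        findings.append("question 29: only one daemon address, no fallback")
    return findings
```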