server/opt/drweb/doc/daemon/FAQ
cutemeli 0bfc6c8425 Initial
2025-12-22 10:32:59 +00:00


Contents:
~~~~~~~~~
0) Why should I upgrade my drwebd version? The old version works perfectly.
1) The X virus is not detected. Why?
2) I experience the following problem: if update.pl is launched from the command line everything is updated,
and nothing gets updated if it is launched from the cron, though the logs show the cron completes its tasks
without fault...
3) What is in the UpdatePath?
4) Version prior to 4.30. The log shows
Jul 3 13:50:18 mail drweb-smf: dwlib: scan: message sent by <alex@gamma> is passed
Jul 3 13:50:18 mail drweb-smf: [g639oGJI030655]: processing message from <alex@gamma> completed (exit code 3)
What does (exit code 3) mean?
5) One of my clients (and only one!) experiences the following -
mail is not sent no matter how many times
he presses the "Wait" button in Outlook.
The following is written to the maillog by sendmail:
drweb-smf: message from <address@domain> is aborted
Please explain if something goes wrong with sendmail or Dr.Web?
6) I have installed drweb with qmail. All works well, but the sender of a virus receives two messages: one
reads that there is a virus in the message, the other that the message cannot be delivered: Remote host
said: 554
mail server permanently rejected message (#5.3.0)
Can I somehow disable the sending of such messages, as users may think there is an error on the server?
7) What do the question marks in drweb-smf.log mean?
Nov 26 14:36:13 proba drweb-smf: [???]: ...
8) What do the Expires= and the SubscriptionExpires= fields
in the key file (for example drwebd.key) mean?
9) Can I use virus bases of version 4.30 with version 4.31?
10) drweb.tmp.60gkxo/$ARCHIVE_NAME/$FILE_IN_ARCHIVE - compression ratio is too high (2770944 :
35154)
...
Dr.Web scanning statistics:
Evaluation key used !
Archive restriction : 21
...
What does it mean and what should I do in this situation?
11) I tried to bundle Dr.Web and Postfix. The mail does not go through at all.
When I have checked the logs one line seemed suspicious
Jul 17 12:55:01 mailhub sendmail[29437]: h6H9t0sh029437: Authentication-Warning: host.domain.tld: drweb
set sender
or:
Apr 20 17:32:31 mailhub sendmail[33617]: h3KDWVlV033617: from=name@example.com, size=38592,
class=0, nrcpts=1, msgid=<msg-id4358035@example.com>, relay=drweb@localhost
What can be the reason of the problem?
12) I have drweb-sendmail-4.30 installed. From time to time the following error message is displayed:
Nov 9 22:55:49 mail drweb-smf: drweb_smf.c(667) - FATAL ERROR: cannot extract private data from
context
Please, explain!
13) When a message with a file attached is sent, the daemon checks all correctly, here goes an extract of
the log:
Nov 5 14:59:27 relay sendmail[22756]: hA5CxRIm022756: from=<foo@example.com>, size=15600,
class=0, nrcpts=1, msgid=<msg-id#@example.com>, proto=ESMTP, daemon=MTA, relay=domain.tld
[10.0.0.1]
But, when the same message is sent and NAV scans all outgoing messages (on the client from which I sent
the message), the following is reported:
Nov 5 14:58:48 relay sendmail[22751]: hA5CwlIm022751:from=<foo@example.com>, size=0, class=0,
nrcpts=1,proto=ESMTP, daemon=MTA, relay=domain.tld [10.0.0.2]
Nov 5 14:58:48 relay drweb-smf: [hA5CwlIm022751]: message from foo@example.com is aborted
14) I have drweb-4.29.5 installed. A strange thing happened: I received a mail with Gibe.2:
Wed Nov 12 08:56:20 2003 [1459] /var/spool/filter/drweb.tmp.HM5dmX/[text:html] - Ok
Wed Nov 12 08:56:20 2003 [1459] >>/var/spool/filter/drweb.tmp.HM5dmX/cgmgf.exe - Ok
At the same time, the on-line check (http://online.drweb.com):
...
cgmgf.exe packed by UPX
>cgmgf.exe infected with Win32.HLLM.Gibe.2
15) I have Dr.Web daemon + Dr.Web for CGP installed; the headings filtering is enabled (RuleFilter = on +
RuleFitlerAlert = reject),
but for some blocked messages notifications are not received by the sender and the administrator receives
two messages:
16) I have Dr.Web for Sendmail (version prior to 4.30.1 or compiled from the supplied source code) installed.
Sometimes the filter terminates without any visible reasons. What can it be?
17) I have the Dr.Web mail filter installed. For infected objects the discard action (Infected = discard) is set,
but notifications are still received. Why? I don't want them to be sent.
18) I have installed your mail filter and sent a message with a virus (a friend of mine has given it to me). The
virus was detected, but only the administrator has received a notification, though I have enabled notifications
for all. Why is that?
19) I have Dr.Web Daemon & Dr.Web for Sendmail installed. The mail messages are not checked for
viruses and the mail log has the following entries:
...
Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: milter_read(drweb-filter): cmd read returned
4, expecting 5
20) I have received an interesting file called "something.jpg .exe". The on-line check reports it is clean.
Where can I check it?
21) I have installed a mail filter, but notifications are received by the administrator only, though in
drweb_{mta}.conf:
...
[VirusNotification]
SenderNotify = yes
RcptsNotify = yes
AdminNotify = yes
...
the masks are specified and available. What is the reason of the problem?
22) It is difficult to understand your licensing policy. Which programs and licenses are suitable for what?
23) FreeBSD 4.x (x =< 7) system. I have installed version 4.31 and receive:
/usr/libexec/ld-elf.so.1: Undefined symbol "__stdoutp"
referenced from COPY relocation in /usr/local/drweb/drweb-smf
24) I have installed Dr.Web for Sendmail, but it does not check the mail. The daemon log reads:
===
Daemon is loaded, active interfaces: 127.0.0.1:3000
Unknown command received: 13
===
or
===
Daemon is installed, active interfaces: 127.0.0.1:3000
Unknown command received: 13!
===
What should I do ?
25) The FreeBSD system. The rules filter (RejectCondition) in daemon does not work if the Russian
language is used in rules? What should I do?
26) I decided to check the Dr.Web filter at http://www.testvirus.org, but in 25 tests made Dr.Web have
missed some variants. How can you comment this?
27) After installing some virus database update version 4.29.2 (4.29.5) has got trapped at a large amount of
messages. Why?
28) I have installed Dr.Web Daemon and Dr.Web Filter for Sendmail. It seems to be configured
properly, but the filter doesn't run and I see the following messages in /var/log/messages:
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port 3000@localhost: Address already in use
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn 3000@localhost
or
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port local:/var/drweb/run/.daemon: Address already in use
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn local:/var/drweb/run/.daemon
29) I have installed Dr.Web daemon and mail filter. Sometimes I receive alerts about
unchecked messages with reason:
===
The filter cannot connect to the DrWEB daemon
===
What can I do to avoid this problem ?
30) I have installed 4.32.x Dr.Web daemon and mail filter. I think I have discovered a bug:
a user sends a partial message, the message is delivered but user receives a notification.
Action for "skipped" objects is "pass".
0) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: Why should I upgrade? The old version works perfectly.
A: It will work for some time only. There are several reasons for an upgrade:
- the new virus search module (drweb32.dll) is used in new versions; new features may be added: new
packers (for example, the FSG packer in version 4.30), new archivers (example: LHA in 4.30), new virus curing
procedures (more important for the Windows versions, though), and the old version may not detect
many new viruses (example: 4.29 does not detect Win32.HLLM.Dumaru, as it is packed with FSG).
- though updates within the main version (4.29 and 4.30 share the main version 4.xx) are
compatible, the efficiency and detection ability of old versions with new updates are not tested.
1) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: The X virus is not detected. Why?
A: Firstly, try scanning the virus at our on-line virus check at http://online.drweb.com. If the virus is not
detected, send it to our virus analysts. If the virus is detected, make sure that:
1) all bases are enabled (the most common mistake is a disabled main base, drwebase.vdb; in the log below it is not loaded).
---
Fri Feb 1 14:45:26 2002 Key file: /etc/drweb/drwebd.key
Fri Feb 1 14:45:26 2002 Registration info:
Fri Feb 1 14:45:26 2002 0100000002
Fri Feb 1 14:45:26 2002 Evaluation Key (ID Anti-Virus Lab. Ltd, St.Petersburg)
Fri Feb 1 14:45:26 2002 This is an EVALUATION version with limited functionality!
Fri Feb 1 14:45:26 2002 To get your registration key, call regional dealer.
Fri Feb 1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42701.vdb - Ok, virus records: 90
Fri Feb 1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000
2) a valid key is loaded (it can also be a trial key)
Note: starting from version 4.30 the daemon will not load if a valid key is not found.
Examples of the key not being loaded:
--- there is no key at all, for example, the wrong path is set
Fri Feb 1 14:43:33 2002 This is an EVALUATION version with limited functionality!
Fri Feb 1 14:43:33 2002 To get your registration key, call regional dealer.
Fri Feb 1 14:43:33 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
Fri Feb 1 14:43:34 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
--- the key is incorrect (for example, a misprint in drweb32.ini)
Fri Feb 1 14:45:26 2002 Key file: /etc/drweb/drweb.key
Fri Feb 1 14:45:26 2002 Registration info:
Fri Feb 1 14:45:26 2002 0100000002
Fri Feb 1 14:45:26 2002 Evaluation Key (ID Anti-Virus Lab. Ltd, St.Petersburg)
Fri Feb 1 14:43:33 2002 Registration key mismatches application!
Fri Feb 1 14:45:26 2002 This is an EVALUATION version with limited functionality!
Fri Feb 1 14:45:26 2002 To get your registration key, call regional dealer.
Fri Feb 1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42701.vdb - Ok, virus records: 90
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 27860
Fri Feb 1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000
When the daemon is loaded with the correct key, the log looks as follows:
---
Fri Feb 1 14:45:26 2002 Key file: /etc/drweb/drwebd.key
Fri Feb 1 14:45:26 2002 Registration info:
Fri Feb 1 14:45:26 2002 0100000002
Fri Feb 1 14:45:26 2002 Evaluation Key (ID Anti-Virus Lab. Ltd, St.Petersburg)
Fri Feb 1 14:45:26 2002 This is an EVALUATION version with limited functionality!
Fri Feb 1 14:45:26 2002 To get your registration key, call regional dealer.
Fri Feb 1 14:45:26 2002 Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 56
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42702.vdb - Ok, virus records: 116
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drw42701.vdb - Ok, virus records: 90
Fri Feb 1 14:45:27 2002 Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 27860
Fri Feb 1 14:45:28 2002 Daemon is installed, TCP socket created on port 3000
2) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I experience the following problem: if update.pl is launched from the command line everything is updated, but
nothing gets updated if it is launched from cron, though the logs show the cron job completes without fault.
A: The environment variables under cron are different: specify the full path to wget,
for example /usr/bin/wget.
3) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: What is in UpdatePath?
A: The path to the directory in which new components are stored: those that can be substituted automatically,
or those whose location is unknown (for example, new Documentation files).
4) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: Version prior to 4.30. The log shows
Jul 3 13:50:18 mail drweb-smf: dwlib: scan: message sent by <alex@gamma> is passed
Jul 3 13:50:18 mail drweb-smf: [g639oGJI030655]: processing message from <alex@gamma> completed
(exit code 3)
What does (exit code 3) mean?
A: Exit code 3 is the filter's answer to sendmail: the message must be passed (PASS). The code is
internal and will soon be removed from the log message.
5) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: One of my clients (only one) experiences the following:
the mail is not sent no matter how many times he
presses the "Wait" button in Outlook.
The following is written to the maillog by sendmail:
drweb-smf: message from <address@domain> is aborted
Please explain: is something going wrong with sendmail, Dr.Web or the user?
A: The filter has definitely nothing to do with this situation. This message means that sendmail told the filter
that all data associated with this message can be released, i.e. processing of the message was interrupted. The filter
cannot determine what caused the interruption (the client or sendmail).
{sendmail}/libmilter/docs/xxfi_abort.html
...
xxfi_abort is only called if the message is aborted OUTSIDE the
filter's control and the filter has not completed its
message-oriented processing. ...
Hint: most likely Norton Personal Firewall
or Norton Internet Security (NIS) is installed; they begin every mail session with an empty message,
and such messages are not accepted by sendmail.
Q: Yesterday evening I disabled drweb on the MTA, just for test purposes.
The result is depressing: no "aborted" up till now!
A: No wonder: it is the filter that performs this diagnostics.
"Is aborted" is written by the filter when sendmail "tells" the filter to stop processing (for example,
due to a broken connection).
Check the log entries before "is aborted" and, most likely, you will see the reason yourself.
6) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed drweb with qmail. But the sender of a virus receives two messages: one reads that
there is a virus in the message, the other that the message cannot be delivered: Remote host said: 554
mail server permanently rejected message (#5.3.0)
Can I somehow disable the sending of such messages, as the user may think there is an error on the server?
A: This is a problem (or maybe not a problem) with all filters, and there is a strong reason for doing it the
way it is done now: a mail message MUST NOT disappear. If you enable the discard option (which is what you
propose, i.e. accept the virus, do not move it anywhere, write a notification and say that everything is
OK), the message will disappear.
7) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: What do the question marks in drweb-smf.log mean?
Nov 26 14:36:13 proba drweb-smf: [???]: ...
A: This means that the filter could not determine the message-id (an internal sendmail ID) of this
message. With sendmail 8.11 this cannot be avoided; with sendmail-8.12, to enable the filter to write
sendmail's message-id to the log, add the following line to sendmail.cf:
------------------- cut ---------------------
O Milter.macros.envfrom=i, ...
------------------- cut ---------------------
(the dots mean other parameters, their values are not important).
8) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: What do the Expires= and the SubscriptionExpires= fields
in the key file (for example drwebd.key) mean?
A: 1. The key works with all versions issued before the SubscriptionExpires date, and during this term
it is possible to update from the commercial updates area (for details contact the distributor).
2. The key becomes null and void after the Expires date: starting from version 4.30 the daemon will not
load at all, while prior versions switched to the "without key" mode (in which the mail was not checked).
9) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: Do the databases of version 4.31 match the bases of version 4.30?
A: It is best to upgrade. Why? Read the answer to question #0 of this FAQ.
Only add-ons are compatible, the main bases are NOT compatible; thus the set of loaded bases for
version 4.30 is as follows:
+ drwebase.vdb v.4.30
+ all add-ons v.4.30 (drw430xx.vdb, xx=01..26)
+ all add-ons v.4.31 (drw431yy.vdb, yy=02..current)
!Important: drw43101.vdb is not needed in v.4.30
+ drwtoday.vdb
The standard updating script update.pl creates exactly this configuration of bases.
10) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Definitions in question:
$MTA - the name of the mail system (CGP, Sendmail, Postfix and so on)
$ARCHIVE_NAME - the name of the archive in the message (for example docs.zip, demo.ppt and so on)
$FILE_IN_ARCHIVE - the name of the file inside the archive (for example otchet.doc, Storage0 and so on)
Q: I have $MTA and the mail filter installed on the server.
Today I received a message which reads as follows:
--- cut ---
This message was not delivered as an object breaking the restrictions set for archives has been found.
Sender = sender@domain.com
Recipients = receiver@domain.com
Subject = Subject
Identificator = msg-id-NNNN@domain.com
--- Dr.Web report ---
Detailed Dr.Web report:
...
drweb.tmp.60gkxo/$ARCHIVE_NAME/$FILE_IN_ARCHIVE - compression ratio is too high (2770944 :
35154)
...
Dr.Web Scanning statistics:
Evaluation key used !
Archive restriction : 21
--- cut ---
What does it mean and what should I do in this situation?
A:
This means that in drweb_$MTA.conf:
[Actions]
ArchiveRestriction = reject or quarantine
and in drweb32.ini:
[Daemon]
...
MaxCompressionRatio is less than 78 (divide 2770944 by 35154).
There are two solutions to the problem:
a) Raise MaxCompressionRatio (say, to 200-500) and restart the daemon. You can also comment the
parameter out (which means the ratio is unlimited). But bear in mind that in this case an attack on your mail system
with the aim of temporarily disabling it becomes possible: when a malefactor sends so-called "mail bombs",
checking them takes substantial time and a huge portion (or even all) of the disk space.
b) Set ArchiveRestriction = pass
In this case a virus can be sent inside an archive if it compresses to more than
MaxCompressionRatio (a script virus, for example).
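As an added illustration of the ratio check described above (example code written for this FAQ entry, not Dr.Web's own implementation), the following Python emulates ArchiveRestriction with a MaxCompressionRatio limit over a ZIP attachment. It inflates each member only up to max_ratio times its compressed size and stops there, which is what keeps a "mail bomb" from eating all the disk space; the sample archive is constructed inline and the member names (otchet.doc, Storage0) are taken from the FAQ's definitions.

```python
import io
import zipfile

# Sizes taken from the FAQ's report line: 2770944 : 35154 (ratio ~78.8).
FAQ_UNCOMPRESSED, FAQ_COMPRESSED = 2770944, 35154


def compression_ratio(uncompressed: int, compressed: int) -> float:
    """Ratio the daemon compares with MaxCompressionRatio; a zero compressed
    size (only possible in a forged header) counts as infinite."""
    return uncompressed / compressed if compressed else float("inf")


def inflate_within_budget(zf: zipfile.ZipFile, info: zipfile.ZipInfo,
                          max_ratio, chunk: int = 65536):
    """Inflate one member and stop as soon as the output exceeds
    max_ratio * compressed_size. max_ratio=None means no limit (the FAQ's
    "comment the parameter out"), i.e. the whole member gets inflated.
    Returns (bytes_inflated, exceeded)."""
    budget = float("inf") if max_ratio is None else max_ratio * max(info.compress_size, 1)
    seen = 0
    with zf.open(info) as member:
        while True:
            block = member.read(chunk)
            if not block:
                return seen, False
            seen += len(block)
            if seen > budget:
                return seen, True


def archive_restriction(data: bytes, max_ratio, action: str = "reject"):
    """Emulate ArchiveRestriction = reject|quarantine|pass for one ZIP
    attachment under MaxCompressionRatio = max_ratio.
    Returns (verdict, member): the configured action plus the first offending
    member, or ("ok", None) when no member exceeds the ratio."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, exceeded = inflate_within_budget(zf, info, max_ratio)
            if exceeded:
                return action, info.filename
    return "ok", None


def build_sample_zip() -> bytes:
    """Constructed sample: a small text member plus a 2770944-byte run of
    zeros, which deflate shrinks roughly 1000:1 (far above the FAQ's 78)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("otchet.doc", b"quarterly report " * 64)
        zf.writestr("Storage0", b"\0" * FAQ_UNCOMPRESSED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("FAQ ratio:", round(compression_ratio(FAQ_UNCOMPRESSED, FAQ_COMPRESSED), 1))
    for limit in (78, 500, None):
        print("MaxCompressionRatio =", limit, "->", archive_restriction(sample, limit))
```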
11) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I tried to bundle Dr.Web with Postfix. The mail does not go through at all.
When I checked the logs, one line seemed suspicious:
Jul 17 12:55:01 mailhub sendmail[29437]: h6H9t0sh029437: Authentication-Warning: host.domain.tld: drweb
set sender
or:
Apr 20 17:32:31 mailhub sendmail[33617]: h3KDWVlV033617: from=name@example.com, size=38592,
class=0, nrcpts=1, msgid=<msg-id4358035@example.com>, relay=drweb@localhost
What can be the reason of the problem?
A: The reason lies in an incorrect mail system setting:
sendmail[....]: .... - this log line belongs to sendmail (www.sendmail.org), not to the sendmail
replacement supplied with postfix.
Therefore, in drweb_postfix.conf:
[Mailer]
Sendmail = ...
set the path to postfix's sendmail replacement.
For example, when installed from the source code it is located somewhere like /usr/libexec/postfix/sendmail
PS: By the way, it is quite strange that you have postfix, but the real sendmail is located in /usr/sbin.
12) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have drweb-sendmail-4.30 installed. From time to time the following error message is displayed:
Nov 9 22:55:49 mail drweb-smf: drweb_smf.c(667) - FATAL ERROR: cannot extract private data from
context
Please, explain!
A: This is a bug. To get rid of it, either
1. set in drweb_smf.conf:
HeloInReceived = no
2. or upgrade to a newer version.
13) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: When a message with a file attached is sent, the daemon checks all correctly, here goes an extract of the
log:
Nov 5 14:59:27 relay sendmail[22756]: hA5CxRIm022756: from=<foo@example.com>, size=15600,
class=0, nrcpts=1, msgid=<msg-id#@example.com>, proto=ESMTP, daemon=MTA, relay=domain.tld
[10.0.0.1]
But, when the same message is sent and NAV checks outgoing messages (on the client from which I sent the
message), the following is reported:
Nov 5 14:58:48 relay sendmail[22751]: hA5CwlIm022751:from=<foo@example.com>, size=0, class=0,
nrcpts=1,proto=ESMTP, daemon=MTA, relay=domain.tld [10.0.0.2]
Nov 5 14:58:48 relay drweb-smf: [hA5CwlIm022751]: message from foo@example.com is aborted
A: NAV is trying, for some reason (I don't know why), to send an empty message, i.e. it is completely empty
and does not have any headers. Sendmail does not accept it, terminates receipt of this message and
notifies the filter about it. The filter simply records the fact. See also question #5.
14) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have drweb-4.29.5 installed. A strange thing happened: I received a mail with Gibe.2:
Wed Nov 12 08:56:20 2003 [1459] /var/spool/filter/drweb.tmp.HM5dmX/[text:html] - Ok
Wed Nov 12 08:56:20 2003 [1459] >>/var/spool/filter/drweb.tmp.HM5dmX/cgmgf.exe - Ok
At the same time, on-line check (http://online.drweb.com):
...
cgmgf.exe packed by UPX
>cgmgf.exe infected with Win32.HLLM.Gibe.2
Scan report for "cgmgf.exe":
Scanned : 1 Cured : 0
Infected : 1 Deleted : 0
...
Here goes the daemon load log:
Wed Nov 12 04:02:07 2003 SIGHUP received, reloading...
Wed Nov 12 04:02:07 2003 Dr.Web (R) daemon for Linux, version 4.29.5 (January 6, 2003)
...
Wed Nov 12 04:02:08 2003 Key file: /opt/drweb/drwebd.key
Wed Nov 12 04:02:08 2003 Registration info:
Wed Nov 12 04:02:08 2003 0100000003
Wed Nov 12 04:02:08 2003 Evaluation key ID Anti-virus Lab St.Petersburg
Wed Nov 12 04:02:08 2003 Your registration key has expired!
...
Wed Nov 12 04:02:08 2003 This is an EVALUATION version with limited
...
A: The demo keys are issued:
a) for a particular version, i.e. a key for another version will not be valid;
b) for a limited period of time (as of 01.02.2004 this term equals 1 year);
after its expiration the key becomes void.
The cited error message says that the daemon will operate without a key and will detect only unpacked
viruses. By the way, starting from version 4.30 the daemon will not load if a valid key is not available.
And here is why the viruses are not detected: the first MIME level is unpacked without a
key (this is a bug of version 4.29.x), but all other checks follow the key permissions; accordingly, all
archives (RAR, ZIP, etc.), packers (UPX, DIET, etc.) and nested MIME parts are not checked.
15) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have Dr.Web daemon + Dr.Web for CommuniGate Pro installed; header filtering is enabled
(RuleFilter = on + RuleFitlerAlert = reject), but for some blocked messages notifications are not received
by the sender, while the administrator receives two messages:
Subject: Rule rejected message
Date: Thu, 13 Nov 2003 17:18:02 +0300
From: DrWeb-DAEMON <DrWEB-DAEMON@example.com>
To: System Administrator <postmaster@example.com>
Sender = <> (may be forged)
Recipients = postmaster@example.com
...
A: This happens if, among the rules, there are rules matching the
Subject: header. As CommuniGate Pro uses the old Subject header in the notification to the sender (and the administrator),
the notifications are blocked by the filter as well.
16) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have Dr.Web for Sendmail (version prior to 4.30.1 or compiled from the source code) installed.
Sometimes the filter terminates without any visible reason. What can it be?
A: Yes, this may happen. The reason lies in libmilter (written by the sendmail authors). It usually
happens when the server is overloaded; the system logs then contain messages like:
Nov 20 19:54:09 name drweb-smf: Dr.WEB Sendmail filter VER: malloc(ctx) failed (12), abort
or
Nov 20 19:54:09 name drweb-smf: Dr.WEB Sendmail filter VER: thread_create() failed: 11, abort
Starting from version 4.30.1 we use a modified version of libmilter. We have also issued a patch for the
original sendmail-8.12.9. There is no other solution to the problem so far.
Write to us if you believe this is not the reason for the filter termination; we shall examine the case.
17) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have the Dr.Web mail filter installed. For infected objects the discard action (Infected = discard) is
set, but notifications are still received. Why? I don't want them to be sent.
A: The actions set in the [Actions] section and the notifications set in the [...Notifications] sections work
independently: the action tells the filter what to answer your mail server, while notifications
are sent regardless of the action set (exception: with the pass action
notifications are not sent). Thus, if you do not want to receive notifications, disable them in the
corresponding section. For your particular case:
[VirusNotifications]
SenderNotify = no
AdminNotify = no
RcptsNotify = no
...
18) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed your mail filter and sent a message with a virus (a friend of mine has given it to me). The
virus was detected, but only the administrator has received a notification, though I have enabled notifications
for all. Why is that?
A: Most likely, the notification policy for the virus you sent is changed in the configuration file
/etc/drweb/viruses.conf (more precisely, in the configuration file defined by the
UnnotificableVirusesList parameter in the main configuration file).
19) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have Dr.Web Daemon & Dr.Web for Sendmail installed. The mail messages are not checked for viruses
and the mail log has the following entries:
...
Nov 24 19:11:20 vulture sendmail[873]: /etc/mail/aliases: 37 aliases, longest 12 bytes, 423 bytes total
Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: milter_read(drweb-filter): cmd read returned 4,
expecting 5
Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: Milter (drweb-filter): to error state
Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: Milter (drweb-filter): init failed to open
Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: Milter (drweb-filter): to error state
Nov 24 19:11:48 vulture sendmail[878]: hAO9Bmvr000878: from=<adm@test.ru>, size=803, class=0,
nrcpts=1, msgid=<60270330044.20031124191101@100h.ru>, proto=ESMTP, daemon=MTA,
relay=[192.168.*.**]
Nov 24 19:11:48 vulture sendmail[880]: hAO9Bmvr000878: to=<shest@test.ru>, ctladdr=<adm@test.ru>
(1012/6), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31026, relay=local, dsn=2.0.0, stat=Sent
A:
You have connected the filter incorrectly. In sendmail.cf (.mc) you have specified the address of the daemon
(drwebd), but you should specify the address where the filter (drweb-smf) waits for requests from sendmail,
i.e. the address set in the MilterAddress parameter in the [Mailer] section of drweb_smf.conf.
The daemon address is the one in the Socket parameter of drweb32.ini and in the Address parameter of the
[DaemonCommunication] section of drweb_smf.conf.
Besides, to generate the correct additions to sendmail.cf (.mc)
and the script for automatic filter startup, you can use the {drweb}/doc/sendmail/configure utility.
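Three addresses take part in this wiring (sendmail -> filter, filter -> daemon, daemon listening socket), and the mix-ups in questions #19/#24 (sendmail pointed at the daemon), #28 (filter binding on the daemon's own address) and #29 (filter unable to reach the daemon) are all of the same kind. The check below is an added example written for this FAQ, not a Dr.Web tool: it reads the parameter names used above (MilterAddress, [DaemonCommunication] Address, [Daemon] Socket) from constructed config fragments and the S= field of the sendmail.cf X line, and reports any mismatch. The socket string syntax (inet:PORT@HOST, PORT@HOST, local:PATH) is assumed from the FAQ's log lines, not taken from documentation.

```python
import configparser
import re


def parse_socket(spec: str):
    """Normalise a socket spec to a comparable tuple. Assumed forms (derived
    from the FAQ's log lines, not a documented grammar): 'inet:PORT@HOST',
    'PORT@HOST', 'local:PATH' (sendmail also writes 'unix:PATH')."""
    spec = spec.strip()
    kind, _, rest = spec.partition(":")
    if kind in ("local", "unix"):
        return ("local", rest)
    if kind == "inet":
        spec = rest
    port, _, host = spec.partition("@")
    host = host.strip() or "localhost"
    if host == "localhost":
        host = "127.0.0.1"  # the daemon log prints 127.0.0.1:3000 for localhost
    return ("inet", host, int(port))


def sendmail_milter_sockets(sendmail_cf: str) -> dict:
    """Extract {milter_name: socket} from the X lines of sendmail.cf,
    e.g. 'Xdrweb-filter, S=inet:3001@localhost, F=T, T=S:2m;R:2m;E:5m'."""
    sockets = {}
    for line in sendmail_cf.splitlines():
        m = re.match(r"X([^,\s]+),\s*(.*)", line)
        if not m:
            continue
        name, fields = m.groups()
        for field in fields.split(","):
            field = field.strip()
            if field.startswith("S="):
                sockets[name] = parse_socket(field[2:])
    return sockets


def _ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_wiring(sendmail_cf: str, drweb_smf_conf: str, drweb32_ini: str,
                 milter_name: str = "drweb-filter"):
    """Return a list of wiring problems (empty list = consistent)."""
    smf = _ini(drweb_smf_conf)
    milter = parse_socket(smf.get("Mailer", "MilterAddress"))
    daemon_from_filter = parse_socket(smf.get("DaemonCommunication", "Address"))
    daemon = parse_socket(_ini(drweb32_ini).get("Daemon", "Socket"))
    sm = sendmail_milter_sockets(sendmail_cf).get(milter_name)
    problems = []
    if sm is None:
        problems.append(f"sendmail.cf has no X{milter_name} line with S=")
    elif sm == daemon:
        problems.append("sendmail.cf points at the daemon socket, not the filter "
                        "(daemon logs 'Unknown command received', FAQ #19/#24)")
    elif sm != milter:
        problems.append(f"sendmail.cf S={sm} differs from MilterAddress {milter}")
    if milter == daemon_from_filter:
        problems.append("MilterAddress equals the daemon address: the filter cannot bind "
                        "('Address already in use', FAQ #28)")
    if daemon_from_filter != daemon:
        problems.append("[DaemonCommunication] Address differs from drweb32.ini Socket: "
                        "the filter cannot connect to the daemon (FAQ #29)")
    return problems


# Constructed samples. Section and key names follow the FAQ; the socket
# string syntax is assumed (see parse_socket).
SENDMAIL_CF_WRONG = """\
O InputMailFilters=drweb-filter
Xdrweb-filter,\t\tS=inet:3000@localhost, F=T, T=S:2m;R:2m;E:5m
"""
SENDMAIL_CF_RIGHT = SENDMAIL_CF_WRONG.replace("3000@localhost", "3001@localhost")
DRWEB_SMF_CONF = """\
[Mailer]
MilterAddress = inet:3001@localhost
[DaemonCommunication]
Address = inet:3000@localhost
"""
DRWEB32_INI = """\
[Daemon]
Socket = inet:3000@localhost
"""

if __name__ == "__main__":
    for label, cf in (("wrong", SENDMAIL_CF_WRONG), ("right", SENDMAIL_CF_RIGHT)):
        print(label, check_wiring(cf, DRWEB_SMF_CONF, DRWEB32_INI) or ["ok"])
```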
20) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have received an interesting file called "something.jpg .exe". The on-line check reports it is clean.
Where can I check it?
A: There is an address for suspicious files and attachments:
newvirus@drweb.com. It is best to pack the suspicious file in a password-protected archive.
Please include the password and brief information on your suspicions in the accompanying message.
21) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed a mail filter, but notifications are received by the administrator only, though in
drweb_{mta}.conf:
...
[VirusNotification]
SenderNotify = yes
RcptsNotify = yes
AdminNotify = yes
...
the masks are specified and available. What is the reason of the problem?
A: The reason is that most viruses received through mail are so-called "worms", and the notification
policy for such viruses is changed in viruses.conf (or in the file defined in drweb_{mta}.conf -> [Actions]
-> UnnotificableVirusesList) (the Win32.HLLM entry). The reason is that "worms" usually spoof the
sender's address and the recipient's address is chosen randomly (from the victim's address book, as a
rule). That is why a notification to the sender is considered "spam".
22) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: It is difficult to understand which of the programs and licenses you offer is needed for what.
A: At present, there are three types of programs available:
- scanner (drweb)
- daemon (drwebd)
- mail filters (drweb-smf, drweb-postfix, ...)
and file filters (smb_spider, drweb-icapd)
The scanner checks files on the drive. The list of files to be checked is either specified in the parameters or
read from the standard input stream. You need a separate license for the scanner.
Filters do not check anything themselves; they can only "intercept" mail (CommuniGate, Sendmail, ...) and files
(Samba, Squid) from the corresponding programs.
They do not need a separate license. Moreover, the source code for some of them is available at
our site. Thus, without an active daemon the filters are useless.
The daemon checks files on the drive and the data received over network connections from filters
or other programs using a special protocol. There are two types of licenses for the daemon: the "mail license"
(it checks addresses and traffic) and the "file license". You need the "mail license" if the daemon will be
bundled with mail filters.
You need the "file license" if the daemon will be bundled with file filters (Samba, Squid).
PS: If the "file license" is purchased, the daemon will NOT check mail, and vice versa. You can buy both
licenses with one key.
23) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: The FreeBSD 4.x (x =< 7) system. I have installed version 4.31 and receive:
/usr/local/drweb > ./drweb-smf.sh start
/usr/libexec/ld-elf.so.1: Undefined symbol "__stdoutp"
referenced from COPY relocation in /usr/local/drweb/drweb-smf
What should I do?
A: Use drweb-smf.static; the same applies to other filters.
24) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed Dr.Web for Sendmail, but it does not check the mail. The daemon log reads:
===
Daemon is installed, active interfaces: 127.0.0.1:3000
Unknown command received: 13!
===
(asv: or, if russian.dwl is in use)
===
Daemon is loaded, active interfaces: 127.0.0.1:3000
Unknown command received: 13
===
What should I do?
A: Read the answer to question #19; you are experiencing the same problem.
25) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: The FreeBSD system. The rule filter (RejectCondition) in the daemon does not work if Russian
is used in the rules. What should I do?
A: Firstly, the rules must be written in the KOI8-R encoding.
Secondly, understand that if the header you want to filter (for example, Subject:) is sent as raw 8bit (which
breaks the mail standard, as it must be encoded as =?koi8-r?B?..?= or =?cp1251?Q?..?=, i.e. the
encoding has to be specified),
it will be compared without taking the encoding into account. Such (8bit encoded) messages can also be
blocked by the filter:
RejectCondition Subject = "8bit"
And finally, the locale must be correctly set to KOI8-R for the user under whose rights the daemon is
launched:
1. Add to /etc/login.conf (it is usually already present):
#
# Russian Users Accounts. Setup proper environment variables.
#
russian:Russian Users Accounts:\
:charset=KOI8-R:\
:lang=ru_RU.KOI8-R:\
:tc=default:
Then rebuild /etc/login.conf.db:
# cap_mkdb /etc/login.conf
2. Now assign the drweb user to the russian class:
# pw usermod drweb -L russian
3. Sometimes it is also necessary to add the following to the daemon start script, before the line "case "$1" in":
LC_ALL=ru_RU.KOI8-R
export LC_ALL
4. Restart the daemon.
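A model of the header comparison described above, added here as an illustration and not part of the Dr.Web code; how encoded words are decoded and how the special "8bit" value is matched are this model's assumptions, and the sample subjects are constructed:

```python
# Added example, not Dr.Web's own code: a model of the RejectCondition matching that
# question 25 describes. A correctly encoded header (=?charset?B?..?=) is decoded and
# compared as KOI8-R; a raw 8bit header is compared byte-for-byte without decoding,
# so the same Russian word sent raw in cp1251 misses the rule, and only the special
# "8bit" value catches it. The decoding details are this model's assumptions.
import base64
import email.header
import re

ENCODED_WORD = re.compile(rb"=\?[\w-]+\?[bBqQ]\?[^?]*\?=")  # RFC 2047 encoded word

def header_kind(raw):
    """Classify a raw header value: 'encoded', '8bit' (raw non-ASCII) or 'ascii'."""
    if ENCODED_WORD.search(raw):
        return "encoded"
    return "8bit" if any(b > 0x7F for b in raw) else "ascii"

def as_koi8r(raw):
    """Decode encoded words to KOI8-R bytes; anything else is returned untouched."""
    if header_kind(raw) != "encoded":
        return raw
    parts = email.header.decode_header(raw.decode("ascii"))
    text = "".join(p.decode(cs or "ascii") if isinstance(p, bytes) else p for p, cs in parts)
    return text.encode("koi8-r", "replace")

def rule_matches(raw, rule_value):
    """RejectCondition Subject = "<rule_value>": substring test in KOI8-R bytes,
    except the special value "8bit", which matches any raw 8bit header."""
    if rule_value == "8bit":
        return header_kind(raw) == "8bit"
    return rule_value.encode("koi8-r") in as_koi8r(raw)

def encoded_word(text, charset):
    """Build an RFC 2047 'B' encoded word, as a standards-compliant mailer would."""
    return b"=?" + charset.encode() + b"?B?" + base64.b64encode(text.encode(charset)) + b"?="

# Constructed samples: the word "Привет" (hello) as three mailers might send it.
WORD = "Привет"
RAW_KOI8 = WORD.encode("koi8-r")     # raw 8bit, KOI8-R: matches a KOI8-R rule by luck
RAW_CP1251 = WORD.encode("cp1251")   # raw 8bit, cp1251: same word, different bytes
ENC_CP1251 = encoded_word(WORD, "cp1251")  # properly encoded: decoded, then compared
```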
26) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I decided to check the Dr.Web filter at http://www.testvirus.org, but of the 25 tests made, Dr.Web missed
some variants. What can you say to that?
A: As of May 19, 2004 (the site, and the tests as well, may have changed since), we missed the following
tests:
Test #12: Eicar virus within a password protected ZIP file
Test #24: Test for the "Partial (Fragmented) Vulnerability". This does not include Eicar virus,
but your mail server still must block this since it can break a virus into multiple
emails and reassemble it in your inbox.
- It may be blocked if the SkipObject option is switched from pass to any other action.
Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
- The TNEF format is not parsed at present.
Test #25: Attachment with a CLSID extension, which may hide the real file extension. This does not
include the Eicar virus, but your mail server still must block this since it can hide the true extension of
a file
- The message does not contain virus code.
Test #16: Eicar string in HTML, to ensure that your mail server scans HTML segments
Test #19: Eicar virus within zip file hidden using the "Blank Folding Vulnerability"
Test #21: Eicar virus within zip file hidden using the "Long MIME Boundary Vulnerability"
Test #23: Eicar virus within zip file hidden using the "Empty MIME Boundary Vulnerability"
- In this form the virus is not dangerous and will not spread; it can simply be called garbage.
By the way, in samples #16 and #21 the scanner does detect the virus, but the daemon parses mail in a faster
and simpler way.
27) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: After a usual update, version 4.29.2 (or 4.29.5) has become unstable under high load (a large number
of messages). Why?
A: The problem does not lie in the virus bases (this is easy to check by launching the daemon with the main
base only, and then with the "problem" update); it is a bug in version 4.29 (specifically, in drweb32.dll of
version 4.29). Thus upgrading is the only possible solution, as we do not issue fixes for old versions. The
reason is explained in question #0.
28) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I've installed Dr.Web Daemon and Dr.Web Filter for Sendmail. It seems to be configured
properly but the filter doesn't run and I see the following messages in /var/log/messages:
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port 3000@localhost: Address already in use
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn 3000@localhost
or
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to bind to port local:/var/drweb/run/.daemon: Address already in use
Jun 10 13:24:04 host drweb-smf: Dr.Web (R) Filter for sendmail ver.4.32: Unable to create listening socket on conn local:/var/drweb/run/.daemon
A: You have specified the Dr.Web daemon's connection in the MilterAddress option (section
[Mailer] of drweb_smf.conf) instead of the connection used for communication
between the filter and sendmail (this connection is also specified in sendmail.cf). So you
should have something like this:
in drweb32.ini
Socket = 3000 localhost
in drweb_smf.conf:
[DaemonCommunication]
Address = inet:3000@localhost
...
[Mailer]
...
MilterAddress = inet:3001@localhost
and in sendmail.cf:
Xdrweb-filter, S=inet:3001@localhost, F=T, T=C:1m;S:5m;R:5m;E:1h
29) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I have installed Dr.Web daemon and mail filter. Sometimes I receive alerts about
unchecked messages with reason:
===
The filter cannot connect to the DrWEB daemon
===
What can I do to avoid this problem?
A: We know of two general reasons for this problem:
a) The daemon's incoming queue overflows if the load has increased sharply.
b) The daemon is not ready for some reason.
So you have two ways to avoid these problems. The second way is more general and reliable.
i) Use two or more sockets for communication between the daemon and the filter.
Configuration example:
drweb32.ini:
Socket = /var/drweb/run/.drwebd
Socket = 3000 localhost
drweb_{mta}.conf: ({mta} = smf, cgp, postfix, exim, qmail, zmailer, courier or mio)
[DaemonCommunication]
Address = local:/var/drweb/run/.drwebd, inet:3000@localhost
ii) Use a reserve daemon (on the same host or, more reliably, on another host); it smooths
load bursts and keeps working while the first daemon is not ready.
Configuration example:
drweb_{mta}.conf: ({mta} = smf, cgp, postfix, exim, qmail, zmailer, courier or mio)
[DaemonCommunication]
Address = local:/var/drweb/run/.drwebd, inet:3000@another.myhost.example.com
NOTE: LocalScan mode is not available for the second socket in the filter, even if that socket
belongs to a daemon installed on the same host.
See the daemon and filter documentation for details.
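The socket configurations in questions 28 and 29 can be cross-checked with the following script, added here as an illustration and not part of Dr.Web; the config syntax ("Key = value" under [Section], keys may repeat), the [Daemon] section name in drweb32.ini and the sample configs are assumptions taken from the snippets in this FAQ:

```python
# Added example, not Dr.Web's own code: cross-check the daemon Socket lines in
# drweb32.ini against the filter's drweb_{mta}.conf. It flags the question 28 mistake
# (MilterAddress pointing at the daemon socket) and any local daemon address in
# [DaemonCommunication] that the daemon does not actually listen on.

def parse_conf(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order."""
    conf, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {}).setdefault(key.strip(), []).append(value.strip())
    return conf

def daemon_sockets(ini):
    """Translate 'Socket = 3000 localhost' / 'Socket = /path' into the filter's syntax."""
    out = set()
    for keys in ini.values():  # section name is not relied on
        for sock in keys.get("Socket", []):
            if sock.startswith("/"):
                out.add("local:" + sock)
            else:
                port, host = sock.split()
                out.add("inet:%s@%s" % (port, host))
    return out

def check(ini_text, filter_text):
    """Return a list of problems; an empty list means the two configs agree."""
    sockets = daemon_sockets(parse_conf(ini_text))
    flt = parse_conf(filter_text)
    addrs = [a.strip() for v in flt.get("DaemonCommunication", {}).get("Address", [])
             for a in v.split(",")]
    problems = [] if addrs else ["[DaemonCommunication] Address is missing"]
    for addr in addrs:  # remote daemons (question 29, ii) cannot be checked from this host
        if (addr.startswith("local:") or addr.endswith("@localhost")) and addr not in sockets:
            problems.append("filter address %s is not a daemon Socket" % addr)
    for milter in flt.get("Mailer", {}).get("MilterAddress", []):
        if milter in sockets:
            problems.append("MilterAddress %s is the daemon socket (question 28)" % milter)
    return problems

# Constructed sample configs: the broken setup from question 28 and a corrected one.
INI = "[Daemon]\nSocket = /var/drweb/run/.drwebd\nSocket = 3000 localhost\n"
BAD = "[DaemonCommunication]\nAddress = inet:3000@localhost\n[Mailer]\nMilterAddress = inet:3000@localhost\n"
GOOD = "[DaemonCommunication]\nAddress = local:/var/drweb/run/.drwebd, inet:3000@localhost\n[Mailer]\nMilterAddress = inet:3001@localhost\n"
```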
30) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Q: I've installed the 4.32 version of Dr.Web for mail servers. I have received a
strange notification:
Dear User,
the message with following attributes has not been delivered,
because contains an object which cannot be checked by antivirus filter.
Relaying such messages is blocked by administrator.
Sender = $SENDER$
Recipients = $RCPTS$
Subject = $SUBJECT$
Message-ID = $MSGID$
Antivirus filter report:
--- Dr.Web report ---
Dr.Web detailed report:
drweb.tmp.rQ8gYw - partial message, skipped
--- Dr.Web report ---
Please contact <postmaster>
but I know that the message has been delivered, and I have the following settings:
[Scanning]
SkipObject = pass
[SkipNotifications]
SenderNotify = yes
AdminNotify = no
RcptsNotify = no
SenderTemplate = /etc/drweb/templates/en-ru/sendmail/skip-sender.msg
AdminTemplate =
RcptsTemplate =
Is this a bug?
A: No. Since 4.32, a notification is sent regardless of the action taken for
a message. The only control mechanism is now the [SkipNotifications] section in
drweb_{mta}.conf; in previous versions there were no notifications if the
action was 'pass'. Of course, the default templates were written for the actions
reject/discard.
I believe you received this message as the administrator, not as the
sender/recipient. You can check the last part of this notification for the
headers of the original message.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: Sergey Akhapkin <asv@drweb.com>
$Revision: 1.3 $
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~