Installation F-Prot Free Antivirus to scan attachments

Post by woundride »

1. Download the latest version of F-Prot from this page: http://www.f-prot.com/download/home_use ... linux.html

Code:

wget http://files.f-prot.com/files/unix-trial/fp-Linux.x86.32-ws.tar.gz

2. Untar the package:

Code:

tar xvzf fp-Linux.x86.32-ws.tar.gz

3. Install F-Prot:

Code:

cd /f-prot/
./install-f-prot.pl

4. When the installation is finished, you can test the F-Prot scanner:

Code:

cd /opt/f-prot/
./fpscan /etc/passwd

You can see the product version and the date of the signature database:

Code:

cd /opt/f-prot/
./fpscan --version
F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: --version
Virus signatures: 201511300810
(/opt/f-prot/antivir.def)

5. Now edit the file /etc/MailScanner/MailScanner.conf and, on the line Virus Scanners, add f-prot-6 (we use version 6):

Code:

Virus Scanners = clamd f-prot-6

6. To apply the modification, restart the Mail Scanner service:

Code:

service MailScanner restart

----------------------------------------------------------------------------------------------------------
Now, Mail Scanner uses ClamAV and F-Prot to scan attachments ;)
----------------------------------------------------------------------------------------------------------

To verify, you can create a virus test sample file and send it by mail:

1. Disable the antivirus on your computer.

2. Open a text editor and paste:

Code:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Source : http://www.eicar.org/86-0-Intended-use.html

and save the file as "eicar", without an extension for example...

3. Send the attachment (from an exterior mail server, you can use https://emkei.cz/ for example) to a mailbox on your network.

4. You can see on the console or in the warning attachment text file that Mail Scanner uses ClamAV & F-Prot:

Code:

Clamd: message was infected: Eicar-Test-Signature
F-Prot6: [Found virus] <EICAR_Test_File (exact)> eicar

Enjoy ;)
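
An added example, not part of the original post: the verification step can be scripted in Python so that no text editor touches the test file. It attaches the EICAR string base64-encoded and checks the bytes against EICAR's own definition (the 68-byte string, optionally followed by whitespace or Ctrl-Z, at most 128 bytes in total). The addresses and the relay host passed to `send` are placeholders.

```python
import smtplib
from email import message_from_bytes, policy
from email.message import EmailMessage

# The standard 68-byte EICAR test string quoted in the post above.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Bytes EICAR's definition allows after the string (128 bytes total at most).
ALLOWED_TRAILER = b" \t\r\n\x1a"


def is_valid_eicar(data: bytes) -> bool:
    """True if data still qualifies as the test file scanners must flag."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Attach the test file as base64 so nothing in transit rewrites it."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "MailScanner EICAR test"
    msg.set_content("EICAR test attachment; every configured engine should flag it.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="eicar")
    return msg


def attachment_bytes(raw: bytes) -> bytes:
    """Decode the first attachment of a serialized message."""
    parsed = message_from_bytes(raw, policy=policy.default)
    part = next(parsed.iter_attachments())
    return part.get_payload(decode=True)


def send(msg: EmailMessage, host: str, port: int = 25) -> None:
    """Deliver through an external relay you control (host is a placeholder)."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    m = build_test_message("tester@example.org", "postmaster@example.net")
    assert is_valid_eicar(attachment_bytes(m.as_bytes()))
    print(m["Subject"], "ready;", len(EICAR), "byte attachment")
```

A file saved with a byte-order mark or any extra non-whitespace character fails `is_valid_eicar`, which is a common reason a hand-made test file goes undetected.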

Post by nicola.piazzi »

Yes, but so far, in 2 days of scanning, I have 100 viruses found by Clam, 200 found by Sophos, 1 found by AVG and 0 found by F-Prot.
Don't you?

Post by woundride »

It's strange.
I think you've got a problem with your installation.

Can you go to /opt/f-prot and check the version:

Code:

./fpscan --version

Post by nicola.piazzi »

This is my output :
F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: --version
Virus signatures: 201512010127
(/opt/f-prot/antivir.def)


These are the detections (in some cases overlapping across more than one scanner), excluding EICAR:

Date        Sophos  Clam  Avg  FProt
2015-12-01  104     6     2    0
2015-11-30  124     4     0    0

Post by woundride »

Have you restarted the MailScanner service after adding f-prot-6 in MailScanner.conf?

Post by nicola.piazzi »

Lots of times. Consider that F-Prot can find the EICAR test if I send an email containing it.

Post by woundride »

You can create an EICAR file on your EFA and try a local scan to see if F-Prot detects it.

To scan:

Code:

./fpscan /dir/eicar_file
And it's OK, you can test by mail.

Post by woundride »

On rep_viruses.php (Virus Report), I don't see F-Prot, but it works!
When I look at a test mail, F-Prot detects the EICAR file.

Post by nicola.piazzi »

Yes, F-Prot detects the EICAR file, but so far in 2 days it has not detected any virus.

Post by woundride »

I think it works but you don't have the report...

Post by nicola.piazzi »

I don't need the report; I query the non-empty fields in MySQL and the detections are EICAR only.

Post by woundride »

I'm sorry, I can't say more :confusion-shrug:

Post by nicola.piazzi »

I think that, so far, F-Prot and also AVG have not encountered a virus contained in their patterns.
I think that Clam and Sophos are better; I'll keep AVG and F-Prot for some time and then decide.

I also tried other software, but it is not free :(

Do you know any other free antivirus?

A FREE antivirus for Unix is COMODO, but there is no wrapper. Do you want to try it?

Post by woundride »

you can try avast...

Post by nicola.piazzi »

I was unable to find AVAST FREE 4 linux

Post by nicola.piazzi »

Today's results.
The Only field specifies the number of viruses found only by the scanner in the previous column.
[Attached image: Cattura.PNG]

Post by ovizii »

Just curious: which scanners are you guys still scanning with?
Has anyone managed to use Comodo: https://www.comodo.com/home/internet-se ... track=8251

I'm only using clamav + unofficial signatures and sophos.

Post by nicola.piazzi »

I think I have tried them all, including Comodo, but I was able to run only Clam and Sophos.
AVG also runs, but it gives too few extra hits, so I don't use it.

Post by pdwalker »

Hi Nicola,

Is that your final configuration, only Sophos and ClamAV?

Post by nicola.piazzi »

Yes, Sophos and ClamAV.
When I receive mail, it passes on to Exchange, which has TrendMicro.
I configured TrendMicro to send me an email when it finds an infection that was not found by EFA.
It sometimes occurs.
The best thing would be a plugin that submits all attachments to VirusTotal :-)

Post by pdwalker »

Last question: Your AV report (Total, Sophos, Only, Clam, Only...). Did you write that report yourself? If so, do you think you could share it?

I finally got off my ass and installed Sophos, so now I'd like to see the results.

Thanks Nicola!

Post by nicola.piazzi »

These are my scores, day by day (in Italian).
For each day there is Totale (Total), the viruses found in EFA.
Then come the Sophos detections; Only means viruses found only by Sophos and not by Clam.
Same thing with the Clam column.
We can say that Sophos is a little better than Clam, but together they give great results.

In the past I also used AVG, but the AVG Only column was always at 0, sometimes with some extra detection, so I decided not to use it; the version is outdated, so it uses CPU needlessly.
[Attached image: Cattura.PNG]

Post by nicola.piazzi »

It is a very simple PHP script that you can add to the menu and put where you want.
Obviously, when EFA changes you need to add it to the menu again.


<?php

/*
MailWatch for MailScanner
Copyright (C) 2003-2011 Steve Freegard (steve@freegard.name)
Copyright (C) 2011 Garrod Alwood (garrod.alwood@lorodoes.com)
Copyright (C) 2014-2015 MailWatch Team (https://github.com/orgs/mailwatch/teams/team-stable)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

In addition, as a special exception, the copyright holder gives permission to link the code of this program
with those files in the PEAR library that are licensed under the PHP License (or with modified versions of those
files that use the same license as those files), and distribute linked combinations including the two.
You must obey the GNU General Public License in all respects for all of the code used other than those files in the
PEAR library that are licensed under the PHP License. If you modify this program, you may extend this exception to
your version of the program, but you are not obligated to do so.
If you do not wish to do so, delete this exception statement from your version.

As a special exception, you have permission to link this program with the JpGraph library and
distribute executables, as long as you follow the requirements of the GNU GPL in regard to all of the software
in the executable aside from JpGraph.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/


// Include of necessary functions
/* require_once("./functions.php"); */
/* require_once("./filter.inc"); */
require_once(__DIR__ . '/functions.php');
require_once(__DIR__ . '/filter.inc.php');

// Authentication checking
session_start();
/* require('login.function.php'); */
require(__DIR__ . '/login.function.php');


// add the header information such as the logo, search, menu, ....
$filter = html_start("* Comet - Analisi Virus", 0, false, true);


// Per-day detection counts. For each engine: messages it flagged, and "Only",
// messages it flagged that no other engine did. EICAR test mails are excluded.
$sql = "
SELECT date AS Data,
       COUNT(*) AS Totale,
       SUM(IF(report LIKE '%Sophos%', 1, 0)) AS Sophos,
       SUM(IF(report LIKE '%Sophos%' AND report NOT LIKE '%Clamd%' AND report NOT LIKE '%F-Prot%', 1, 0)) AS SophosOnly,
       SUM(IF(report LIKE '%Clamd%', 1, 0)) AS Clam,
       SUM(IF(report LIKE '%Clamd%' AND report NOT LIKE '%Sophos%' AND report NOT LIKE '%F-Prot%', 1, 0)) AS ClamOnly,
       SUM(IF(report LIKE '%F-Prot%', 1, 0)) AS FProt,
       SUM(IF(report LIKE '%F-Prot%' AND report NOT LIKE '%Sophos%' AND report NOT LIKE '%Clamd%', 1, 0)) AS FProtOnly
FROM maillog
WHERE virusinfected > 0
  AND report NOT LIKE '%EICAR%'
GROUP BY date
ORDER BY date DESC;
";
$result = dbquery($sql);
//if (!mysql_num_rows($result) > 0) {
// die("Error: no rows retrieved from database\n");
//}

// Start with empty columns so an empty result set still renders the table.
$data = $data2 = $data3 = $data4 = $data5 = $data6 = $data7 = $data8 = array();
while ($row = mysql_fetch_object($result)) {
    $data[] = $row->Data;
    $data2[] = $row->Totale;
    $data3[] = $row->Sophos;
    $data4[] = $row->SophosOnly;
    $data5[] = $row->Clam;
    $data6[] = $row->ClamOnly;
    $data7[] = $row->FProt;
    $data8[] = $row->FProtOnly;
}

// $data7 and $data8 (F-Prot) are collected, but the table below shows only
// the Sophos and Clam columns.
echo "<TABLE BORDER=\"0\" CELLPADDING=\"10\" CELLSPACING=\"0\" WIDTH=\"100%\">";
echo "<TR style=\"font-size:13px\">";
echo "<TD ALIGN=\"CENTER\"><b>Analisi efficienza motori antivirus</b><br><br>";
echo "<TABLE WIDTH=\"500\" CELLPADDING=2>";
echo "<TR style=\"font-size:13px\">";
echo "<TH BGCOLOR=FFAD33>Data</TH>";
echo "<TH BGCOLOR=ADAD85>Totale</TH>";
echo "<TH BGCOLOR=ADAD85>Sophos</TH>";
echo "<TH BGCOLOR=ADAD85>Only</TH>";
echo "<TH BGCOLOR=ADAD85>Clam</TH>";
echo "<TH BGCOLOR=ADAD85>Only</TH>";
echo "</TR>";

// One table row per day, newest first.
for ($i = 0; $i < count($data); $i++) {
    echo "<TR style=\"font-size:12px\">
<TD BGCOLOR=FFD699><b>$data[$i]</b></TD>
<TD BGCOLOR=D6D6C2><b>$data2[$i]</b></TD>
<TD BGCOLOR=D6D6C2><b>$data3[$i]</b></TD>
<TD BGCOLOR=D6D6C2>$data4[$i]</TD>
<TD BGCOLOR=D6D6C2><b>$data5[$i]</b></TD>
<TD BGCOLOR=D6D6C2>$data6[$i]</TD>
</TR>\n";
}
echo "</TABLE>
</TD>
</TR>
</TABLE>";


// Add footer
html_end();
// Close any open db connections
dbclose();
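
An added example, not part of the post above and not MailWatch code: the same per-engine tally written in Python so it works for any number of engines without spelling out each NOT LIKE pair, plus a check for engines that never caught anything the others missed (the reason given in this thread for dropping AVG). The sample rows are constructed, the virus names are placeholders, and the text after "Sophos:" is an assumed format; only the EICAR lines come from this thread.

```python
from collections import Counter

# Markers the SQL above matches in maillog.report (LIKE is case-insensitive
# under MySQL's default collation, so matching here is too).
ENGINES = {"Sophos": "sophos", "Clam": "clamd", "FProt": "f-prot"}

# Constructed sample rows (date, report). Virus names are placeholders; the
# EICAR report is the one quoted earlier in this thread.
ROWS = [
    ("2015-12-01", "Sophos: Constructed-A\nClamd: message was infected: Constructed.A"),
    ("2015-12-01", "Sophos: Constructed-B"),
    ("2015-12-01", "Clamd: message was infected: Constructed.C"),
    ("2015-12-01", "Clamd: message was infected: Eicar-Test-Signature\n"
                   "F-Prot6: [Found virus] <EICAR_Test_File (exact)> eicar"),
    ("2015-11-30", "Sophos: Constructed-D"),
]


def tally(rows):
    """Return {date: Counter} with Totale, per-engine and '<engine>Only' counts."""
    days = {}
    for date, report in rows:
        text = report.lower()
        if "eicar" in text:                 # skip test mails, as the SQL does
            continue
        hit = [name for name, marker in ENGINES.items() if marker in text]
        day = days.setdefault(date, Counter())
        day["Totale"] += 1
        day.update(hit)
        if len(hit) == 1:                   # flagged by exactly one engine
            day[hit[0] + "Only"] += 1
    return days


def no_exclusive_hits(days):
    """Engines that never caught a message the others missed in the period."""
    total = sum(days.values(), Counter())
    return sorted(e for e in ENGINES if total[e + "Only"] == 0)


if __name__ == "__main__":
    result = tally(ROWS)
    for date in sorted(result, reverse=True):
        print(date, dict(result[date]))
    print("no exclusive detections:", no_exclusive_hits(result))
```

An engine listed by `no_exclusive_hits` over a long enough period adds scan time without adding coverage on this mail flow; an engine that only ever matches EICAR, as reported for F-Prot here, shows up the same way.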

Post by ovizii »

Thanks, I've put this into /var/www/html/mailscanner/virus-stats.php and I can open it and it works but how would I add it to mailwatch's menu so I don't have to always open the URL directly?