
Installation F-Prot Free Antivirus to scan attachments

Posted: 30 Nov 2015 12:08
by woundride
1. Download the latest version of F-Prot from this page: http://www.f-prot.com/download/home_use ... linux.html

Code:

wget http://files.f-prot.com/files/unix-trial/fp-Linux.x86.32-ws.tar.gz

2. Untar the package:

Code:

tar xvzf fp-Linux.x86.32-ws.tar.gz

3. Install F-Prot:

Code:

cd f-prot/
./install-f-prot.pl

4. When the installation has finished, you can test the F-Prot scanner:

Code:

cd /opt/f-prot/
./fpscan /etc/passwd

You can see the product version and the date of the signature database:

Code:

cd /opt/f-prot/
./fpscan --version
F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)


FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: --version
Virus signatures: 201511300810
(/opt/f-prot/antivir.def)

5. Now edit the file /etc/MailScanner/MailScanner.conf and, on the Virus Scanners line, add f-prot-6 (we use version 6):

Code:

Virus Scanners = clamd f-prot-6

6. To apply the change, restart the MailScanner service:

Code:

service MailScanner restart

----------------------------------------------------------------------------------------------------------
Now MailScanner uses ClamAV and F-Prot to scan attachments ;)
----------------------------------------------------------------------------------------------------------

To verify, you can create a virus test sample file and send it by mail:

1. Disable the antivirus on your computer.

2. Open a text editor and paste:

Code:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Source: http://www.eicar.org/86-0-Intended-use.html

and save the file as "eicar", without an extension for example...

3. Send the attachment (from an external mail server; you can use https://emkei.cz/ for example) to a mailbox on your network.

4. You can see on the console, or in the warning attachment text file, that MailScanner uses ClamAV & F-Prot:

Code:

Clamd: message was infected: Eicar-Test-Signature
F-Prot6: [Found virus] <EICAR_Test_File (exact)> eicar
Enjoy ;)
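
A monitoring check built on the `fpscan --version` output shown in the post above, added here as an example and not part of the original post: it parses the "Virus signatures:" stamp and reports how many days old the signature database is. The function names are hypothetical, and reading the stamp as YYYYMMDDhhmm is an assumption based on the values quoted in this thread.

```sh
#!/bin/sh
# Added example: signature-freshness check for the F-Prot scanner.
# Function names are hypothetical; the YYYYMMDDhhmm layout of the stamp is an
# assumption inferred from the values quoted in this thread.

# Sample input: the `fpscan --version` output quoted in the first post.
FPSCAN_SAMPLE='F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: --version
Virus signatures: 201511300810
(/opt/f-prot/antivir.def)'

# Print the 12-digit stamp from the "Virus signatures:" line (empty if absent).
sig_stamp() {
    printf '%s\n' "$1" |
        sed -n 's/^Virus signatures:[[:space:]]*\([0-9]\{12\}\).*/\1/p' | head -n 1
}

# Days since 1970-01-01 for a string that starts with YYYYMMDD (pure integer
# arithmetic, so it does not depend on GNU date).
ymd_to_days() {
    y=$(printf '%s' "$1" | cut -c1-4)
    m=$(printf '%s' "$1" | cut -c5-6); m=${m#0}   # strip leading zero (08 is invalid octal)
    d=$(printf '%s' "$1" | cut -c7-8); d=${d#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Print signature age in whole days. $1 = version output, $2 = today as YYYYMMDD
# (defaults to the current UTC date). Returns 2 if no stamp could be parsed.
sig_age_days() {
    stamp=$(sig_stamp "$1")
    [ -n "$stamp" ] || return 2
    today=${2:-$(date -u +%Y%m%d)}
    echo $(( $(ymd_to_days "$today") - $(ymd_to_days "$stamp") ))
}

# Return 0 if fresh, 1 if older than $2 days, 2 if the output is unparsable.
check_signatures() {
    age=$(sig_age_days "$1" "${3:-}") || return 2
    [ "$age" -le "$2" ]
}

# On a live host: check_signatures "$(/opt/f-prot/fpscan --version)" 3 || echo "stale"
```

Run from cron, a non-zero return is the signal that the engine is scanning mail with an outdated or unreadable signature database.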

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 08:44
by nicola.piazzi
Yes, but so far, in 2 days of scanning, I have 100 viruses found by Clam, 200 found by Sophos, 1 found by AVG and 0 found by F-Prot.
You don't?

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 09:59
by woundride
It's strange.
I think you've got a problem with your installation.

Can you go to /opt/f-prot and check the version:

Code:

./fpscan --version

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:10
by nicola.piazzi
This is my output:
F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: --version
Virus signatures: 201512010127
(/opt/f-prot/antivir.def)


These are the detections (in some cases overlapping across more than one scanner), excluding EICAR:

Date         Sophos   Clam   Avg   FProt
2015-12-01   104      6      2     0
2015-11-30   124      4      0     0

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:21
by woundride
Have you restarted the MailScanner service after adding f-prot-6 to MailScanner.conf?

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:23
by nicola.piazzi
Lots of times. Consider that F-Prot can find the EICAR test if I send an email containing it.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:27
by woundride
You can create an EICAR file on your EFA and try a local scan to see if F-Prot detects it.

To scan:

Code:

./fpscan /dir/eicar_file

And if it's OK, you can test by mail.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:32
by woundride
On rep_viruses.php (Virus Report), I don't see F-Prot, but it works!
When I look at a test mail, F-Prot detects the EICAR file.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:33
by nicola.piazzi
Yes, F-Prot detects the EICAR file, but so far, in 2 days, it has not detected any virus.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:49
by woundride
I think it works but you don't have the report...

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 10:51
by nicola.piazzi
I don't need the report; I query the non-empty fields in MySQL and the detections are EICAR only.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 11:20
by woundride
I'm sorry, I can't say more :confusion-shrug:

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 11:24
by nicola.piazzi
I think that, so far, F-Prot and also AVG have not encountered a virus contained in their patterns.
I think that Clam and Sophos are better; I will keep AVG and F-Prot for some time and then decide.

I also tried other software, but it is not free :(

Do you know other free antivirus products?

A FREE antivirus for Unix is COMODO, but there is no wrapper; do you want to try it?

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 11:56
by woundride
You can try Avast...

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 17:39
by nicola.piazzi
I was unable to find Avast Free for Linux.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 01 Dec 2015 18:19
by woundride

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 02 Dec 2015 14:36
by nicola.piazzi
Today's results
The Only field specifies the number of viruses found only by the scanner in the previous column
[Attachment: Cattura.PNG]

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 31 Dec 2016 17:41
by ovizii
Just curious: which scanners are you guys still scanning with?
Has anyone managed to use Comodo: https://www.comodo.com/home/internet-se ... track=8251

I'm only using ClamAV + unofficial signatures and Sophos.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 10 Jan 2017 17:16
by nicola.piazzi
I think I have tried them all, including Comodo, but I was able to run only Clam and Sophos.
AVG also runs, but it gives too few extra hits, so I don't use it.

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 05 May 2017 06:20
by pdwalker
Hi Nicola,

Is that your final configuration, only Sophos and ClamAV?

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 05 May 2017 07:03
by nicola.piazzi
Yes, Sophos and ClamAV.
When I receive mail, it passes on to Exchange, which has TrendMicro.
I configured TrendMicro to send me an email when it finds an infection that was not found by EFA.
It sometimes occurs.
The best thing would be a plugin that submits all attachments to VirusTotal :-)

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 05 May 2017 07:29
by pdwalker
Last question: Your AV report (Total, Sophos, Only, Clam, Only...). Did you write that report yourself? If so, do you think you could share it?

I finally got off my ass and installed Sophos, so now I'd like to see the results.

Thanks Nicola!

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 05 May 2017 07:30
by nicola.piazzi
These are my scores, day by day (in Italian).
For each day there is Totale (Total), the number of viruses found in EFA.
Then the Sophos detections; Only means viruses found only by Sophos and not by Clam.
Same thing for the Clam column.
We can say that Sophos is a little better than Clam, but together they give great results.

In the past I also used AVG, but the AVG Only column was always at 0; sometimes it had some extra detections, so I decided not to use it. The version is outdated, so it uses CPU needlessly.
[Attachment: Cattura.PNG]

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 05 May 2017 07:34
by nicola.piazzi
It is a very simple PHP page that you can add to the menu and put where you want.
Obviously, when EFA changes you need to add it to the menu again.


<?php

/*
MailWatch for MailScanner
Copyright (C) 2003-2011 Steve Freegard (steve@freegard.name)
Copyright (C) 2011 Garrod Alwood (garrod.alwood@lorodoes.com)
Copyright (C) 2014-2015 MailWatch Team (https://github.com/orgs/mailwatch/teams/team-stable)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

In addition, as a special exception, the copyright holder gives permission to link the code of this program
with those files in the PEAR library that are licensed under the PHP License (or with modified versions of those
files that use the same license as those files), and distribute linked combinations including the two.
You must obey the GNU General Public License in all respects for all of the code used other than those files in the
PEAR library that are licensed under the PHP License. If you modify this program, you may extend this exception to
your version of the program, but you are not obligated to do so.
If you do not wish to do so, delete this exception statement from your version.

As a special exception, you have permission to link this program with the JpGraph library and
distribute executables, as long as you follow the requirements of the GNU GPL in regard to all of the software
in the executable aside from JpGraph.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/


// Include of necessary functions
/* require_once("./functions.php"); */
/* require_once("./filter.inc"); */
require_once(__DIR__ . '/functions.php');
require_once(__DIR__ . '/filter.inc.php');

// Authentication checking
session_start();
/* require('login.function.php'); */
require(__DIR__ . '/login.function.php');


// add the header information such as the logo, search, menu, ....
$filter = html_start("* Comet - Analisi Virus", 0, false, true);


$sql = "
    SELECT date AS Data,
        COUNT(*) AS Totale,
        SUM(IF(report LIKE '%Sophos%', 1, 0)) AS Sophos,
        SUM(IF(report LIKE '%Sophos%' AND report NOT LIKE '%Clamd%' AND report NOT LIKE '%F-Prot%', 1, 0)) AS SophosOnly,
        SUM(IF(report LIKE '%Clamd%', 1, 0)) AS Clam,
        SUM(IF(report LIKE '%Clamd%' AND report NOT LIKE '%Sophos%' AND report NOT LIKE '%F-Prot%', 1, 0)) AS ClamOnly,
        SUM(IF(report LIKE '%F-Prot%', 1, 0)) AS FProt,
        SUM(IF(report LIKE '%F-Prot%' AND report NOT LIKE '%Sophos%' AND report NOT LIKE '%Clamd%' , 1, 0)) AS FProtOnly
    FROM maillog WHERE virusinfected > 0
    AND report NOT LIKE '%EICAR%' GROUP BY date DESC;
";
$result = dbquery($sql);
//if (!mysql_num_rows($result) > 0) {
//    die("Error: no rows retrieved from database\n");
//}
while ($row = mysql_fetch_object($result)) {
    $data[] = $row->Data;
    $data2[] = $row->Totale;
    $data3[] = $row->Sophos;
    $data4[] = $row->SophosOnly;
    $data5[] = $row->Clam;
    $data6[] = $row->ClamOnly;
    $data7[] = $row->FProt;
    $data8[] = $row->FProtOnly;
}
echo "<TABLE BORDER=\"0\" CELLPADDING=\"10\" CELLSPACING=\"0\" WIDTH=\"100%\">";
echo "<TR style=\"font-size:13px\">";
echo "<TD ALIGN=\"CENTER\"><b>Analisi efficienza motori antivirus</b><br><br>";
echo "<TABLE WIDTH=\"500\" CELLPADDING=2>";
echo "<TR style=\"font-size:13px\">";
echo "<TH BGCOLOR=FFAD33>Data</TH>";
echo "<TH BGCOLOR=ADAD85>Totale</TH>";
echo "<TH BGCOLOR=ADAD85>Sophos</TH>";
echo "<TH BGCOLOR=ADAD85>Only</TH>";
echo "<TH BGCOLOR=ADAD85>Clam</TH>";
echo "<TH BGCOLOR=ADAD85>Only</TH>";
echo "</TR>";
for ($i = 0; $i < count($data); $i++) {
    echo "<TR style=\"font-size:12px\">
<TD BGCOLOR=FFD699><b>$data[$i]</b></TD>
<TD BGCOLOR=D6D6C2><b>$data2[$i]</b></TD>
<TD BGCOLOR=D6D6C2><b>$data3[$i]</b></TD>
<TD BGCOLOR=D6D6C2>$data4[$i]</TD>
<TD BGCOLOR=D6D6C2><b>$data5[$i]</b></TD>
<TD BGCOLOR=D6D6C2>$data6[$i]</TD>
</TR>\n";
}
echo "</TABLE>
</TD>
</TR>
</TABLE>";


// Add footer
html_end();
// Close any open db connections
dbclose();

Re: Installation F-Prot Free Antivirus to scan attachments

Posted: 05 May 2017 09:17
by ovizii
Thanks, I've put this into /var/www/html/mailscanner/virus-stats.php and I can open it and it works but how would I add it to mailwatch's menu so I don't have to always open the URL directly?