Thoughts about finding viruses in email inboxes

Leonard Chatagnier lenc5570 at sbcglobal.net
Sun Apr 5 04:06:17 UTC 2009




Leonard Chatagnier
lenc5570 at sbcglobal.net


--- On Sat, 4/4/09, David M. Karr <davidmichaelkarr at gmail.com> wrote:

> From: David M. Karr <davidmichaelkarr at gmail.com>
> Subject: Re: Thoughts about finding viruses in email inboxes
> To: "Ubuntu user technical support, not for general discussions" <ubuntu-users at lists.ubuntu.com>
> Date: Saturday, April 4, 2009, 9:56 PM
>
> Leonard Chatagnier wrote:
> > --- On Sat, 4/4/09, David M. Karr <davidmichaelkarr at gmail.com> wrote:
> >
> > > From: David M. Karr <davidmichaelkarr at gmail.com>
> > > Subject: Re: Thoughts about finding viruses in email inboxes
> > > To: "Ubuntu user technical support, not for general discussions" <ubuntu-users at lists.ubuntu.com>
> > > Date: Saturday, April 4, 2009, 6:07 PM
> > >
> > > NoOp wrote:
> > > > On 03/29/2009 12:13 PM, David M. Karr wrote:
> > > > > Ok, I can see that there's one detail that I didn't specifically say
> > > > > here.  I thought it was obvious, so I didn't mention it. I think it
> > > > > wasn't obvious to some of you.
> > > > >
> > > > > I'm not having trouble with clamav telling me what FILE a virus is in.
> > > > > The report is clear on that.  The problem is that the IMAP INBOX file is
> > > > > a formatted file containing many email messages.  What I'm looking for
> > > > > is some sort of ability to introspect into the mailbox format in the
> > > > > clamav report so that I can tell which email message contains the
> > > > > virus.  I certainly am not going to run clamav in "auto-remove" mode, as
> > > > > it would remove my entire inbox.
> > > >
> > > > David, BitDefender for Unices, at least on POP3 mailbox files, will tell
> > > > you the exact msg number, the subject of the email(s), and the time
> > > > stamp on the email(s) within the file. I expect that it will do the same
> > > > for an IMAP file. I don't have an IMAP so I can't test.
> > > >
> > > > I just test scanned an email archive with both clamav and BitDefender;
> > > > result was that clamav identified 4 issues that supposedly contained:
> > > > 'Phishing.Heuistics.Email.SpoofedDomain and Email.Phishing.DblDom-138'
> > > > no trojans or viri found. ClamAV entirely missed trojan signatures in
> > > > the files. Further, clamav didn't provide any further information
> > > > beyond the file location and the above.
> > > >
> > > > BitDefender not only properly found folders with a trojan signature
> > > > ('Trojan.Iframe.AV'), but also identified exactly which emails within
> > > > the 17+MB file were at issue. I was then able to open up the file in
> > > > gedit, identify the emails within the file by subject & time stamp,
> > > > and edit them out by hand. I could have of course opened the file in
> > > > SeaMonkey (my email client) and deleted them that way as I know the
> > > > exact msg numbers, subjects and times. I happen to know exactly what the
> > > > trojan signatures were/are in the archived email file as they were
> > > > emails that I had sent/received regarding that particular Iframe
> > > > exploit, so there was no false positive.
> > > >
> > > > I very much recommend exploring BitDefender - see my post to Leonard in
> > > > this thread for links etc. You can use cli or gui, set cron scans, scan
> > > > incoming on Evolution, Pine, etc., use scripts, scan across Samba, etc.
> > > > It's (IMO) worth a look. 32bit and 64bit versions are available.
> > > > Disclaimer: I also use BD commercial licenses to scan Windows servers for
> > > > my customers for years, and my personal use machines (linux and
> > > > windows); beyond that I've no other relationship with BD.
> > >
> > > I accidentally lost the reply you added after this, but I read it in
> > > the archives.
> > >
> > > As I suspected, there seems to be some issue with the variation of
> > > BitDefender that I installed.  I followed the instructions at
> > > <http://download.bitdefender.com/repos/#>, but I don't have a
> > > "BitDefender" entry in "Applications"->"System Tools", and I don't have
> > > a "bdgui" executable.  The following is the contents of
> > > "/opt/BitDefender/bin":
> > >
> > > davidkarr at davidkarr-desktop$ ls /opt/BitDefender/bin
> > > ./         bdcharts*     bdlived*    bdmond*    bdsafe.bin*  bdsu*
> > > ../        bdcourier*    bdlogd*     bdqmail*   bdscand*     common-setup.sh*
> > > bd*        bdemagentd*   bdmaild*    bdregd*    bdsmtpd*     mail-setup.sh*
> > > bdcgated*  bdemclientd*  bdmilterd*  bdsafe@    bdsnmpd*
> > >
> > > I have no "update-menus" executable (I looked everywhere), if that's
> > > relevant.
> >
> > I'm not real sure what you are looking for but I know that NoOP is gone
> > for the weekend, sailing, and won't be back until Monday. If you are
> > looking for the cli commands for BD they are:
> >
> > bdscan for the cli and
> > bdgui for the gui but starting it from the cli. The menu item for BDSCAN
> > is called Antimalware Scanner and just below the main title is Bit
> > Defender Scanner greyed out.  It had a red icon globe that is serrated.
> > At least that is how it appears on my Intrepid Kubuntu desktop using
> > the 64 bit version. Use the above cli commands with the --help option
> > to see what the available options are or read the manuals.
> > I'm not sure but it appears that you downloaded BD from their site. You
> > can download it from ubuntu by adding the following to your
> > sources.list or in software sources:
> > deb http://download.bitdefender.com/repos/deb/ bitdefender non-free
> >
> > I can attest that BD is significantly faster scanning than clamscan is
> > as NoOp pointed out.  HTH.
> >
> > Leonard Chatagnier
> > lenc5570 at sbcglobal.net
>
> I followed the instructions at <http://download.bitdefender.com/repos/#>,
> which references the line you refer to.  It didn't give me any of the
> command-line tools.
>
I can't tell from your reply just what you did which makes it hard to be of any help.
BTW, please don't post in HTML or Rich Text. Use plain text for list mail.
I asked you to add the following line to your /etc/apt/sources.list file:

deb http://download.bitdefender.com/repos/deb/ bitdefender non-free

Did you? It's all one line. If you did, then you need to also run:

sudo aptitude update
sudo aptitude install bitdefender-scanner bitdefender-scanner-gui

That's two programs to install and the detail on how to do it. You would also be advised to
uninstall what you've done so far installing BD to be safe. Once you've done the above, the cli
commands I gave you in an earlier reply should work but you need to read the man pages to see
what options you want to run with bdscan. bdgui will start the gui interface from the command
line but you will still need to read its manual to learn how to use it.
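The per-message detail the thread found missing from the clamav report, as an added example written for this page (not code from the list posts, ClamAV or BitDefender): the mbox is scanned one message at a time, so a hit is reported with the message index, Subject and Date instead of only the INBOX file. clamscan_bytes assumes clamscan is installed and relies on its --no-summary output and exit status 1 on a detection; demo() swaps in an offline marker scanner and a constructed three-message mailbox so the logic can be run without any scanner.

```python
import mailbox
import pathlib
import subprocess
import tempfile
from typing import Callable, Optional

def clamscan_bytes(data: bytes) -> Optional[str]:
    """Scan one message with clamscan; return the signature name or None."""
    with tempfile.NamedTemporaryFile(suffix=".eml") as tmp:
        tmp.write(data)
        tmp.flush()
        # clamscan exits 1 on a detection and prints "<path>: <Signature> FOUND".
        proc = subprocess.run(["clamscan", "--no-summary", tmp.name],
                              capture_output=True, text=True, check=False)
    if proc.returncode != 1:
        return None
    last = proc.stdout.strip().splitlines()[-1]
    return last.rsplit(": ", 1)[1][:-len(" FOUND")]

def scan_mbox(path: str, scanner: Callable[[bytes], Optional[str]] = clamscan_bytes) -> list:
    """Scan each mbox message separately; return (index, Subject, Date, signature) per hit."""
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for index, msg in enumerate(box):  # index counts from 0 in file order
            sig = scanner(msg.as_bytes())
            if sig:
                hits.append((index, msg.get("Subject", ""), msg.get("Date", ""), sig))
    finally:
        box.close()
    return hits

MARKER = "CONSTRUCTED-DETECTION-MARKER"  # harmless stand-in for a malicious body
SAMPLE_MBOX = (  # constructed three-message mailbox; only the second carries MARKER
    "From a@example.invalid Sat Apr  4 18:07:00 2009\n"
    "From: a@example.invalid\nSubject: hello\nDate: Sat, 04 Apr 2009 18:07:00 +0000\n\nplain text\n\n"
    "From b@example.invalid Sat Apr  4 21:56:00 2009\n"
    "From: b@example.invalid\nSubject: invoice\nDate: Sat, 04 Apr 2009 21:56:00 +0000\n\n" + MARKER + "\n\n"
    "From c@example.invalid Sun Apr  5 04:06:00 2009\n"
    "From: c@example.invalid\nSubject: lunch\nDate: Sun, 05 Apr 2009 04:06:00 +0000\n\nnoon?\n\n"
)

def marker_scanner(data: bytes) -> Optional[str]:  # offline stand-in for clamscan_bytes
    return "Test.Marker" if MARKER.encode() in data else None

def demo() -> list:  # writes SAMPLE_MBOX to a temp file and scans it offline
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "INBOX")
        path.write_text(SAMPLE_MBOX)
        return scan_mbox(str(path), marker_scanner)
```

Spawning clamscan once per message is slow on a mailbox of the 17+MB size mentioned above, but it keeps the detection tied to one message, so nothing has to be removed from the whole INBOX file blindly.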



