Thoughts about finding viruses in email inboxes

Ray Parrish crp at cmc.net
Sun Apr 5 07:00:54 UTC 2009


David M. Karr wrote:
> Leonard Chatagnier wrote:
>> --- On Sat, 4/4/09, David M. Karr <davidmichaelkarr at gmail.com> wrote:
>>
>>   
>>> From: David M. Karr <davidmichaelkarr at gmail.com>
>>> Subject: Re: Thoughts about finding viruses in email inboxes
>>> To: "Ubuntu user technical support, not for general discussions" <ubuntu-users at lists.ubuntu.com>
>>> Date: Saturday, April 4, 2009, 6:07 PM
>>>
>>> NoOp wrote:
>>> > On 03/29/2009 12:13 PM, David M. Karr wrote:
>>> > > Ok, I can see that there's one detail that I didn't specifically say
>>> > > here.  I thought it was obvious, so I didn't mention it. I think it
>>> > > wasn't obvious to some of you.
>>> > >
>>> > > I'm not having trouble with clamav telling me what FILE a virus is in.
>>> > > The report is clear on that.  The problem is that the IMAP INBOX file is
>>> > > a formatted file containing many email messages.  What I'm looking for
>>> > > is some sort of ability to introspect into the mailbox format in the
>>> > > clamav report so that I can tell which email message contains the
>>> > > virus.  I certainly am not going to run clamav in "auto-remove" mode, as
>>> > > it would remove my entire inbox.
>>> >
>>> > David, BitDefender for Unices, at least on POP3 mailbox files, will tell
>>> > you the exact msg number, the subject of the email(s), and the time
>>> > stamp on the email(s) within the file. I expect that it will do the same
>>> > for an IMAP file. I don't have an IMAP so I can't test.
>>> >
>>> > I just test scanned an email archive with both clamav and BitDefender;
>>> > result was that clamav identified 4 issues that supposedly contained:
>>> > 'Phishing.Heuistics.Email.SpoofedDomain and Email.Phishing.DblDom-138'
>>> > no trojans or viri found. ClamAV entirely missed trojan signatures in
>>> > the files. Further, clamav didn't provide any further information
>>> > beyond the file location and the above.
>>> >
>>> > BitDefender not only properly found folders with a trojan signature
>>> > ('Trojan.Iframe.AV'), but also identified exactly which emails within
>>> > the 17+MB file were at issue. I was then able to open up the file in
>>> > gedit, identify the emails within the file by subject & time stamp,
>>> > and edit them out by hand. I could have of course opened the file in
>>> > SeaMonkey (my email client) and deleted them that way as I know the
>>> > exact msg numbers, subjects and times. I happen to know exactly what the
>>> > trojan signatures were/are in the archived email file as they were
>>> > emails that I had sent/received regarding that particular Iframe
>>> > exploit, so there was no false positive.
>>> >
>>> > I very much recommend exploring BitDefender - see my post to Leonard in
>>> > this thread for links etc. You can use cli or gui, set cron scans, scan
>>> > incoming on Evolution, Pine, etc., use scripts, scan across Samba, etc.
>>> > It's (IMO) worth a look. 32bit and 64bit versions are available.
>>> > Disclaimer: I also use BD commercial licenses to scan Windows servers for
>>> > my customers for years, and my personal use machines (linux and
>>> > windows); beyond that I've no other relationship with BD.
>>>
>>> I accidentally lost the reply you added after this, but I read it in
>>> the archives.
>>>
>>> As I suspected, there seems to be some issue with the variation of
>>> BitDefender that I installed.  I followed the instructions at
>>> <http://download.bitdefender.com/repos/#>, but I don't have a
>>> "BitDefender" entry in "Applications"->"System Tools", and I don't have
>>> a "bdgui" executable.  The following is the contents of
>>> "/opt/BitDefender/bin":
>>>
>>> davidkarr at davidkarr-desktop$ ls /opt/BitDefender/bin
>>> ./         bdcharts*     bdlived*    bdmond*    bdsafe.bin*  bdsu*
>>> ../        bdcourier*    bdlogd*     bdqmail*   bdscand*     common-setup.sh*
>>> bd*        bdemagentd*   bdmaild*    bdregd*    bdsmtpd*     mail-setup.sh*
>>> bdcgated*  bdemclientd*  bdmilterd*  bdsafe@    bdsnmpd*
>>>
>>> I have no "update-menus" executable (I looked everywhere), if that's
>>> relevant.
>>>
>> I'm not real sure what you are looking for but I know that NoOP is gone for the weekend, sailing, and won't be back until Monday. If you are looking for the cli commands for BD they are:
>>
>> bdscan for the cli and
>> bdgui for the gui but starting it from the cli. The menu item for BDSCAN is called Antimalware Scanner and just below the main title is Bit Defender Scanner greyed out.  It had a red icon globe that is serrated.  At least that is how it appears on my Intrepid Kubuntu desktop using the 64 bit version. Use the above cli commands with the --help option to see what the available options are or read the manuals.
>> I'm not sure but it appears that you downloaded BD from their site. You can download it from ubuntu by adding the following to your sources.list or in software sources:
>> deb http://download.bitdefender.com/repos/deb/ bitdefender non-free
>>
>> I can attest that BD is significantly faster scanning than clamscan is, as NoOp pointed out.  HTH.
>>
>> Leonard Chatagnier
>> lenc5570 at sbcglobal.net
>>
>>
>>   
> I followed the instructions at 
> <http://download.bitdefender.com/repos/#> , which references the line 
> you refer to.  It didn't give me any of the command-line tools.
I just had a look at those instructions, and if you followed them to the 
letter, all you have installed so far is the email scanning portion of 
Bit Defender. I don't know how hung up you are on using the command 
line, and apt-get, but my recommendation would be to open Synaptic 
Package Manager from your System, Administration menu, and use it to get 
the rest of the Bit Defender packages.

With Synaptic, you can use its Search box to search on "Title Only" 
[which is fastest] for the string "bd", since all of their packages seem 
to start with those two letters, then check mark all of the matching 
packages that say they are part of Bit Defender in their descriptions. 
Next just click "Apply" to get the install under way.

I'm pretty sure that the same sources.list in use by apt-get is used by 
Synaptic, so the Bit Defender repository should already be enabled, and 
upon starting up, Synaptic does a repository update immediately, so the 
package list it uses is always up to date when you begin using it.

Once the installation completes, you will be able to select any of the 
Bit Defender packages installed, and then select their "Installed Files" 
tab to see where everything has been put. That comes in pretty handy 
when the occasional poorly written package doesn't install itself to the 
menu as it should.

The other day I installed two GUI front ends for the nmap networking 
security tool, and neither of them installed themselves to the menu, so 
I had to do that part for them.

Hope this helps!

Later, Ray Parrish

-- 
Human reviewed index of links about the computer
http://www.rayslinks.com
Poetry from the mind of a Schizophrenic
http://www.writingsoftheschizophrenic.com/
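One way to do what David asks in the quoted text above (tie a scanner hit to a specific message inside an mbox INBOX, the way NoOp describes BitDefender reporting message number, subject and time stamp) is to iterate the mailbox with Python's standard `mailbox` module and scan each message on its own. This is an added example, not code from this thread or from ClamAV or BitDefender; `clamscan_scanner` assumes clamscan is on PATH and is not needed for the offline run, while `marker_scanner` and the sample mbox are constructed stand-ins.

```python
import mailbox
import os
import subprocess
import tempfile

def scan_mbox(path, scanner):
    """Scan each message of an mbox file separately; scanner(raw) -> name or None.
    Returns (message number, Subject, Date, detection) tuples so a hit can be
    located by number/subject/timestamp rather than just by file name."""
    hits = []
    box = mailbox.mbox(path)
    try:
        for number, msg in enumerate(box, start=1):
            verdict = scanner(msg.as_bytes())
            if verdict:
                hits.append((number, msg.get("Subject", ""), msg.get("Date", ""), verdict))
    finally:
        box.close()
    return hits

def clamscan_scanner(raw):
    """Pipe one message to clamscan on stdin (assumes clamscan is on PATH);
    clamscan exits 1 on a hit and prints a line ending in "NAME FOUND"."""
    proc = subprocess.run(["clamscan", "--no-summary", "-"], input=raw, capture_output=True)
    if proc.returncode == 1:
        for line in proc.stdout.decode(errors="replace").splitlines():
            if line.endswith(" FOUND"):
                return line.split(": ", 1)[-1][:-len(" FOUND")]
    return None

def marker_scanner(raw):
    """Constructed stand-in for offline runs: flags a made-up marker string."""
    return "Constructed.Test.Marker" if b"CONSTRUCTED-MARKER" in raw else None

def build_sample_mbox():
    """Write a constructed three-message mbox to a temp file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    box = mailbox.mbox(path)
    for i, body in enumerate(["hello", "see attached: CONSTRUCTED-MARKER", "lunch?"], 1):
        msg = mailbox.mboxMessage()
        msg["From"] = "sender%d@example.invalid" % i
        msg["Subject"] = "Test message %d" % i
        msg["Date"] = "Sat, 04 Apr 2009 18:0%d:00 -0700" % i
        msg.set_payload(body)
        box.add(msg)
    box.flush()
    box.close()
    return path
```

Running `scan_mbox(build_sample_mbox(), marker_scanner)` reports only message 2 with its subject and date, which is the per-message detail the thread wants; swapping in `clamscan_scanner` applies the same approach to a real ClamAV scan.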
