Thoughts about finding viruses in email inboxes

Ray Parrish crp at
Sun Apr 5 07:18:04 UTC 2009

David M. Karr wrote:
> Leonard Chatagnier wrote:
>> --- On Sat, 4/4/09, David M. Karr <davidmichaelkarr at> wrote:
>>> From: David M. Karr <davidmichaelkarr at>
>>> Subject: Re: Thoughts about finding viruses in email inboxes
>>> To: "Ubuntu user technical support, not for general discussions" <ubuntu-users at>
>>> Date: Saturday, April 4, 2009, 6:07 PM
>>> NoOp wrote:
>>>> On 03/29/2009 12:13 PM, David M. Karr wrote:
>>>>> Ok, I can see that there's one detail that I didn't specifically say
>>>>> here. I thought it was obvious, so I didn't mention it. I think it
>>>>> wasn't obvious to some of you.
>>>>>
>>>>> I'm not having trouble with clamav telling me what FILE a virus is in.
>>>>> The report is clear on that. The problem is that the IMAP INBOX file is
>>>>> a formatted file containing many email messages. What I'm looking for
>>>>> is some sort of ability to introspect into the mailbox format in the
>>>>> clamav report so that I can tell which email message contains the
>>>>> virus. I certainly am not going to run clamav in "auto-remove" mode, as
>>>>> it would remove my entire inbox.
>>>>
>>>> David, BitDefender for Unices, at least on POP3 mailbox files, will tell
>>>> you the exact msg number, the subject of the email(s), and the time
>>>> stamp on the email(s) within the file. I expect that it will do the same
>>>> for an IMAP file. I don't have an IMAP so I can't test.
>>>>
>>>> I just test scanned an email archive with both clamav and BitDefender;
>>>> result was that clamav identified 4 issues that supposedly contained:
>>>> 'Phishing.Heuistics.Email.SpoofedDomain and Email.Phishing.DblDom-138'
>>>> no trojans or viri found. ClamAV entirely missed trojan signatures in
>>>> the files. Further, clamav didn't provide any further information beyond
>>>> the file location and the above.
>>>>
>>>> BitDefender not only properly found folders with a trojan signature
>>>> ('Trojan.Iframe.AV'), but also identified exactly which emails within
>>>> the 17+MB file were at issue. I was then able to open up the file in
>>>> gedit, identify the emails within the file by subject & time stamp,
>>>> and edit them out by hand. I could have of course opened the file in
>>>> SeaMonkey (my email client) and deleted them that way as I know the
>>>> exact msg numbers, subjects and times. I happen to know exactly what the
>>>> trojan signatures were/are in the archived email file as they were
>>>> emails that I had sent/received regarding that particular Iframe
>>>> exploit, so there was no false positive.
>>>>
>>>> I very much recommend exploring BitDefender - see my post to Leonard in
>>>> this thread for links etc. You can use cli or gui, set cron scans, scan
>>>> incoming on Evolution, Pine, etc., use scripts, scan across Samba, etc.
>>>> It's (IMO) worth a look. 32bit and 64bit versions are available.
>>>>
>>>> Disclaimer: I also use BD commercial licenses to scan Windows servers for
>>>> my customers for years, and my personal use machines (linux and
>>>> windows); beyond that I've no other relationship with BD.
>>> I accidentally lost the reply you added after this, but I read it in
>>> the archives.
>>>
>>> As I suspected, there seems to be some issue with the variation of
>>> BitDefender that I installed. I followed the instructions at <>,
>>> but I don't have a "BitDefender" entry in "Applications"->"System
>>> Tools", and I don't have a "bdgui" executable. The following is the
>>> contents of "/opt/BitDefender/bin":
>>>
>>> davidkarr at davidkarr-desktop$ ls /opt/BitDefender/bin
>>> ./         bdcharts*     bdlived*    bdmond*   bdsafe.bin*  bdsu*
>>> ../        bdcourier*    bdlogd*     bdqmail*  bdscand*
>>> bd*        bdemagentd*   bdmaild*    bdregd*   bdsmtpd*
>>> bdcgated*  bdemclientd*  bdmilterd*  bdsafe@   bdsnmpd*
>>>
>>> I have no "update-menus" executable (I looked everywhere), if that's
>>> relevant.
>>>
>> I'm not real sure what you are looking for but I know that NoOP is gone for the weekend, sailing, and won't be back until Monday. If you are looking for the cli commands for BD they are:
>> bdscan for the cli and
>> bdgui for the gui but starting it from the cli. The menu item for BDSCAN is called Antimalware Scanner and just below the main title is Bit Defender Scanner greyed out. It had a red icon globe that is serrated. At least that is how it appears on my Intrepid Kubuntu desktop using the 64 bit version. Use the above cli commands with the --help option to see what the available options are or read the manuals.
>> I'm not sure but it appears that you downloaded BD from their site. You can download it from ubuntu by adding the following to your sources.list or in software sources:
>> deb bitdefender non-free
>> I can attest that BD is significantly faster scanning than clamscan is as NoOp pointed out. HTH.
>> Leonard Chatagnier
>> lenc5570 at
> I followed the instructions at 
> <> , which references the line 
> you refer to.  It didn't give me any of the command-line tools.
Ok, I just gave it a try myself, and I must correct a couple of my 
statements from my previous reply. To find the Bit Defender packages in 
Synaptic you will need to Search on the "Name" selection in the drop 
down list of the Search box for "bit" which will expose all of its 

There are a total of six Bitdefender packages available for 
installation, and it is your choice whether or not to install the Remote 
Administration and Samba packages for it, but the other four are 
probably a good idea to have.

Sorry for my misinformation in the first reply, I should have tried it 
myself first to make sure of the facts.

Later, Ray Parrish

Human reviewed index of links about the computer
Poetry from the mind of a Schizophrenic
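
David's underlying question in the quoted part of the thread, which message inside the mbox-format INBOX a detection belongs to, can be answered with ClamAV alone by writing each message out separately and scanning it. This is an added example, not code from the thread, from ClamAV or from BitDefender; it uses Python's standard mailbox module, assumes clamscan is on PATH for a real run, and ships a constructed marker-based scanner plus a constructed three-message mbox so demo() runs offline.

```python
import mailbox
import subprocess
import tempfile
from pathlib import Path

def clamscan_file(path):
    """Scan one file with clamscan (assumed on PATH); return the signature name or None."""
    proc = subprocess.run(["clamscan", "--no-summary", str(path)], capture_output=True, text=True)
    if proc.returncode != 1:          # clamscan exit status: 0 clean, 1 found, 2 error
        return None
    for line in proc.stdout.splitlines():
        if line.endswith(" FOUND"):   # report line format: "<path>: <signature> FOUND"
            return line.rsplit(": ", 1)[1][:-len(" FOUND")]
    return None

def find_infected_messages(mbox_path, scanner=clamscan_file):
    """Return [(msg_number, subject, date, detection)] for each message the scanner flags."""
    hits, box = [], mailbox.mbox(mbox_path)
    with tempfile.TemporaryDirectory() as tmp:
        for num, msg in enumerate(box, start=1):   # iteration follows file order
            part = Path(tmp) / ("msg%05d.eml" % num)
            part.write_bytes(msg.as_bytes())       # one message per file to scan
            det = scanner(part)
            if det:
                hits.append((num, msg["Subject"], msg["Date"], det))
    box.close()
    return hits

# Constructed demo data: a stand-in scanner and mbox so the mapping runs without clamscan.
MARKER = "X-Constructed-Demo-Marker"   # stands in for real malicious content

def marker_scanner(path):
    """Constructed stand-in scanner: flags any file containing MARKER."""
    return "Demo.Marker" if MARKER.encode() in Path(path).read_bytes() else None

def build_sample_mbox(path):
    """Write a constructed three-message mbox; only message 2 carries MARKER."""
    box = mailbox.mbox(path)
    for i, body in enumerate(["hello", "see attachment " + MARKER, "bye"], start=1):
        msg = mailbox.mboxMessage()
        msg["Subject"] = "Message %d" % i
        msg["Date"] = "Sat, 04 Apr 2009 18:0%d:00 +0000" % i
        msg.set_payload(body)
        box.add(msg)
    box.close()   # close() flushes the added messages to disk

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_mbox(Path(tmp) / "INBOX")
        return find_infected_messages(Path(tmp) / "INBOX", marker_scanner)
```

With the real scanner, `find_infected_messages("/path/to/INBOX")` gives the message number, Subject and Date of each flagged message, which is enough to delete just that message in the mail client instead of running clamav's auto-remove against the whole mailbox file.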

More information about the ubuntu-users mailing list