Thoughts about finding viruses in email inboxes

NoOp glgxg at sbcglobal.net
Mon Mar 30 23:40:12 UTC 2009


On 03/29/2009 12:13 PM, David M. Karr wrote:
> Ok, I can see that there's one detail that I didn't specifically say 
> here.  I thought it was obvious, so I didn't mention it. I think it 
> wasn't obvious to some of you.
> 
> I'm not having trouble with clamav telling me what FILE a virus is in.  
> The report is clear on that.  The problem is that the IMAP INBOX file is 
> a formatted file containing many email messages.  What I'm looking for 
> is some sort of ability to introspect into the mailbox format in the 
> clamav report so that I can tell which email message contains the 
> virus.  I certainly am not going to run clamav in "auto-remove" mode, as 
> it would remove my entire inbox.

David, BitDefender for Unices, at least on POP3 mailbox files, will tell
you the exact msg number, the subject of the email(s), and the time
stamp on the email(s) within the file. I expect that it will do the same
for an IMAP file. I don't have an IMAP so I can't test.

I just test scanned an email archive with both clamav and BitDefender;
result was that clamav identified 4 issues that supposedly contained:
'Phishing.Heuistics.Email.SpoofedDomain and
Email.Phishing.DblDom-138' no trojans or viri found. ClamAV entirely
missed trojan signatures in the files. Further, clamav didn't provide
any further information beyond the file location and the above.

BitDefender not only properly found folders with a trojan signature
('Trojan.Iframe.AV'), but also identified exactly which emails within
the 17+MB file were at issue. I was then able to open up the file in
gedit, identify the emails within the file by subject & time stamp,
and edit them out by hand. I could have of course opened the file in
SeaMonkey (my email client) and deleted them that way as I know the
exact msg numbers, subjects and times. I happen to know exactly what the
trojan signatures were/are in the archived email file as they were
emails that I had sent/received regarding that particular Iframe
exploit, so there was no false positive.

I very much recommend exploring BitDefender - see my post to Leonard in
this thread for links etc. You can use cli or gui, set cron scans, scan
incoming on Evolution, Pine, etc., use scripts, scan across Samba, etc.
It's (IMO) worth a look. 32bit and 64bit versions are available.
Disclaimer: I have also used BD commercial licenses to scan Windows servers
for my customers for years, and my personal use machines (linux and
windows); beyond that I've no other relationship with BD.
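The gap David describes in the quoted message is that clamav names only the mailbox file, not the message inside it. As an added example (not from this thread, and not either scanner's own tooling), the Python script below walks an mbox-format INBOX with the standard `mailbox` module, hands each message separately to a scanner callback, and reports the message number, Subject and Date of every hit, which is exactly what you need to delete the right message in a mail client. `marker_scanner` and `SAMPLE_MESSAGES` are constructed stand-ins so it runs offline, and `find_flagged_messages`, `build_sample_mbox` and `demo` are names chosen here.

```python
import email.message
import mailbox
import os
import tempfile

# Constructed stand-in for an AV signature so the example runs offline; a real
# deployment would feed each message's bytes to a real engine instead (e.g. clamdscan).
def marker_scanner(raw: bytes):
    """Stand-in scanner: a detection name if the marker is present, else None."""
    return "Example.Iframe.Marker" if b"<iframe" in raw.lower() else None

def find_flagged_messages(mbox_path, scanner):
    """Scan each message of an mbox file separately; report msg number, Subject, Date."""
    hits = []
    box = mailbox.mbox(mbox_path)  # splits the file at its From_ separator lines
    try:
        for msgnum, msg in enumerate(box, start=1):
            verdict = scanner(msg.as_bytes())  # headers + body of this one message
            if verdict:
                hits.append({"msgnum": msgnum, "subject": msg["Subject"],
                             "date": msg["Date"], "verdict": verdict})
    finally:
        box.close()
    return hits

# Constructed sample INBOX: (Subject, Date, body); only message 2 carries the marker.
SAMPLE_MESSAGES = [
    ("meeting notes", "Sat, 28 Mar 2009 09:00:00 +0000", "Plain text, nothing here."),
    ("look at this page", "Sun, 29 Mar 2009 12:13:00 +0000",
     '<html><iframe src="http://example.invalid/"></iframe></html>'),
    ("re: meeting notes", "Mon, 30 Mar 2009 23:40:00 +0000", "Thanks."),
]

def build_sample_mbox(path):
    """Write the constructed sample messages to a new mbox file at `path`."""
    box = mailbox.mbox(path)
    for subject, date, body in SAMPLE_MESSAGES:
        m = email.message.EmailMessage()
        m["From"], m["Subject"], m["Date"] = "sender@example.invalid", subject, date
        m.set_content(body)
        box.add(m)
    box.close()  # close() flushes the new messages to disk

def demo():
    """Build the sample INBOX in a temp dir, scan it, and return the flagged messages."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "INBOX")
        build_sample_mbox(path)
        return find_flagged_messages(path, marker_scanner)
```

To use it on a real mailbox, point `find_flagged_messages` at a copy of the INBOX file and replace `marker_scanner` with a callback that runs your engine over the bytes of one message.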

More information about the ubuntu-users mailing list