Thoughts about finding viruses in email inboxes

Joep L. Blom jlblom at neuroweave.nl
Tue Mar 31 11:02:32 UTC 2009


NoOp wrote:
> On 03/29/2009 12:13 PM, David M. Karr wrote:
>> Ok, I can see that there's one detail that I didn't specifically say 
>> here.  I thought it was obvious, so I didn't mention it. I think it 
>> wasn't obvious to some of you.
>>
>> I'm not having trouble with clamav telling me what FILE a virus is in.  
>> The report is clear on that.  The problem is that the IMAP INBOX file is 
>> a formatted file containing many email messages.  What I'm looking for 
>> is some sort of ability to introspect into the mailbox format in the 
>> clamav report so that I can tell which email message contains the 
>> virus.  I certainly am not going to run clamav in "auto-remove" mode, as 
>> it would remove my entire inbox.
> 
> David, BitDefender for Unices, at least on POP3 mailbox files, will tell
> you the exact msg number, the subject of the email(s), and the time
> stamp on the email(s) within the file. I expect that it will do the same
> for an IMAP file. I don't have an IMAP so I can't test.
> 
> I just test scanned an email archive with both clamav and BitDefender;
> result was that clamav identified 4 issues that supposedly contained:
> 'Phishing.Heuistics.Email.SpoofedDomain and
> Email.Phishing.DblDom-138' no trojans or viri found. ClamAV entirely
> missed trojan signatures in the files. Further, clamav didn't provide
> any further information beyond the file location and the above.
> 
> BitDefender not only properly found folders with a trojan signature
> ('Trojan.Iframe.AV'), but also identified exactly which emails within
> the 17+MB file were at issue. I was then able to open up the file in
> gedit, identify the emails within the file by subject & time stamp,
> and edit them out by hand. I could have of course opened the file in
> SeaMonkey (my email client) and deleted them that way as I know the
> exact msg numbers, subjects and times. I happen to know exactly what the
> trojan signatures were/are in the archived email file as they were
> emails that I had sent/received regarding that particular Iframe
> exploit, so there was no false positive.
> 
> I very much recommend exploring BitDefender - see my post to Leonard in
> this thread for links etc. You can use cli or gui, set cron scans, scan
> incoming on Evolution, Pine, etc., use scripts, scan across Samba, etc.
> It's (IMO) worth a look. 32bit and 64bit versions are available.
> Disclaimer: I also use BD commercial licenses to scan Windows servers for
> my customers for years, and my personal use machines (linux and
> windows); beyond that I've no other relationship with BD.
> 
> 
Noop,
I followed your advice and obtained bitdefender.
After scanning my mail folder it detected 8 Trojans in my Junk and Trash 
folders, which I think was to be expected.
However, I then told it to quarantine these viruses, with the result that it 
quarantined my whole mailbox (I'm using Thunderbird) but also removed 3 
folders without viruses. I assume Thunderbird has some problems with it, 
but do you know how to 'unquarantine' these folders? Especially one of 
them (Home) holds E-mails I have to respond to today!!
I tried to open the quarantined files with Thunderbird but that didn't 
work (nor did Evolution).
Hope you can help me out!!
Joep
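The problem running through this thread is that both David's clamav report and Joep's BitDefender quarantine treat the whole mbox file (an IMAP INBOX, a Thunderbird folder) as one object, so the only choices offered are "leave it" or "lose every message in it". The script below is an added example, not code from the thread or from either scanner: it walks an mbox message by message with Python's standard `mailbox` module, hands each message to a scanner callback, reports the message number, Subject and Date for every hit (the same three details NoOp used to find the messages by hand), and writes a cleaned copy that omits only the flagged messages. Two scanners are provided: `clamscan_scanner`, which shells out to a locally installed `clamscan` (assumed to be on PATH; exit status 1 and a trailing `FOUND` on the report line are how clamscan signals a detection), and `iframe_heuristic`, a deliberately simple stand-in used for the self-contained demo so that it runs without any AV engine. The sample mailbox, addresses and the detection name `Demo.Iframe.Hidden` are constructed for the demo and are not real signatures.

```python
"""Locate flagged messages inside an mbox file one message at a time,
and excise only those, instead of quarantining the whole mailbox."""
import mailbox
import os
import subprocess
import tempfile
from typing import Callable, List, Optional, Set, Tuple

Scanner = Callable[[bytes], Optional[str]]   # raw message -> detection name or None
Hit = Tuple[int, str, str, str]              # (msg index, Subject, Date, detection)


def clamscan_scanner(raw: bytes) -> Optional[str]:
    """Scan one message with a locally installed clamscan (assumed on PATH).
    clamscan exits 1 when something is found and reports '<path>: <NAME> FOUND'."""
    with tempfile.NamedTemporaryFile(suffix=".eml", delete=False) as fh:
        fh.write(raw)
        path = fh.name
    try:
        proc = subprocess.run(["clamscan", "--no-summary", path],
                              capture_output=True, text=True)
        if proc.returncode != 1:
            return None                      # 0 = clean, 2 = scanner error
        for line in proc.stdout.splitlines():
            if line.endswith(" FOUND"):
                return line.rsplit(": ", 1)[1][:-len(" FOUND")]
        return "UNKNOWN"
    finally:
        os.unlink(path)


def iframe_heuristic(raw: bytes) -> Optional[str]:
    """Stand-in scanner for the offline demo: flags an HTML body carrying a
    zero-size or hidden iframe. Illustrative only, not a real AV signature."""
    body = raw.lower()
    if b"<iframe" in body and (b'height="0"' in body or b"display:none" in body):
        return "Demo.Iframe.Hidden"
    return None


def find_flagged(mbox_path: str, scanner: Scanner) -> List[Hit]:
    """Return (index, Subject, Date, detection) for every message the scanner flags."""
    box = mailbox.mbox(mbox_path)
    hits: List[Hit] = []
    try:
        for idx, msg in enumerate(box):
            name = scanner(msg.as_bytes())
            if name:
                hits.append((idx, msg.get("Subject", ""), msg.get("Date", ""), name))
    finally:
        box.close()
    return hits


def write_clean_copy(src: str, dst: str, flagged: Set[int]) -> int:
    """Copy src to dst, dropping the flagged message indices. Returns messages kept."""
    src_box, dst_box = mailbox.mbox(src), mailbox.mbox(dst)
    kept = 0
    try:
        for idx, msg in enumerate(src_box):
            if idx not in flagged:
                dst_box.add(msg)
                kept += 1
        dst_box.flush()
    finally:
        dst_box.close()
        src_box.close()
    return kept


# Constructed three-message mailbox; the second one carries a hidden iframe.
SAMPLE_MBOX = b"""From alice@example.com Mon Mar 30 09:00:00 2009
From: alice@example.com
To: joep@example.com
Subject: Lunch on Friday?
Date: Mon, 30 Mar 2009 09:00:00 +0000

Same place as last time?

From mallory@example.com Mon Mar 30 10:15:00 2009
From: mallory@example.com
To: joep@example.com
Subject: Your invoice
Date: Mon, 30 Mar 2009 10:15:00 +0000
Content-Type: text/html

<html><body>See attached.<iframe src="http://example.invalid/x" width="0" height="0"></iframe></body></html>

From bob@example.com Mon Mar 30 11:30:00 2009
From: bob@example.com
To: joep@example.com
Subject: Re: Lunch on Friday?
Date: Mon, 30 Mar 2009 11:30:00 +0000

Yes, noon works.
"""


def demo() -> Tuple[List[Hit], int]:
    """Write the sample mbox, scan it with the demo heuristic, excise the hit,
    and return (hits, number of messages kept in the clean copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "Inbox"), os.path.join(tmp, "Inbox.clean")
        with open(src, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        hits = find_flagged(src, iframe_heuristic)
        kept = write_clean_copy(src, dst, {h[0] for h in hits})
        return hits, kept


if __name__ == "__main__":
    for idx, subject, date, name in demo()[0]:
        print(f"msg #{idx}: {name}  Subject={subject!r}  Date={date}")
```

To use it against a real folder, swap `iframe_heuristic` for `clamscan_scanner` and point `find_flagged` at the mbox file; the scanner callback also makes it straightforward to plug in any other engine's command line. Close Thunderbird before touching one of its folders, and after replacing the folder with the clean copy delete the matching `.msf` index file so Thunderbird rebuilds it; otherwise the index and the mbox disagree about message offsets, which is one way to end up with folders that appear empty or missing.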





More information about the ubuntu-users mailing list