On Mon, 2007-03-12 at 11:31 +0100, Pascal Duchatelle wrote:

> Hi there,
>
> sorry to bother you but I am new to ClamAV (on Fedora Core 6). I ran clamscan on my laptop and got a message telling me that I have 3 files infected.
>
> One is in my mail. I browsed the FAQ and found a way (by using the --debug option) that is supposed to tell me the number of the infected message so that I could get rid of it.
> First: I ran the clamscan --debug -l fich -r /.... command in a console. Where should I find the line telling me which of my messages is infected? In the console or in the fich file given in the command? But maybe it does not work with Thunderbird.
> If it is in the console, then I have another problem, because during the debug process there is a bunch of info scrolling down the screen at incredible speed, and after a moment, I don't know why, the characters go wild (except numbers) so that I cannot read anything on the screen.
> Of course I could delete the entire content of the mailbox (by the way, would it be enough action taken? because nowhere in the manual is it said how to handle infected files (although in the FAQ it is hinted that disinfecting such files would be mainly a waste of energy...)). This would waste a lot of valuable messages that I keep, but moreover I would not know where the infected message came from (for future precaution).

You could split it into separate messages using formail, scan the individual messages and then recombine the uninfected ones. Alternatively you could use a MUA to split your mail into 2 folders, scan them, split the infected one..... ye olde binary search :-)

> The second file infected is in my Windows partition under the root directory (I got this result: media/hda2/pagefile.sys: Exploit.HTML.MHTRedir-8 FOUND). hda2 is my Windows partition. This file is 1.3G large (from what Nautilus sees/says). Again, is simply deleting enough? Is it usually a Windows file?

pagefile.sys is your swap file. If your virus was ever swapped out, it'd make sense to find it there. You should be able to delete it; Windows will recreate it. You need to turn off swap first, (probably) reboot, delete the file, turn swap back on and reboot again.

Is deleting it enough? My advice is to nuke infected systems. Even benign programs rarely uninstall cleanly; malware is nasty and designed not to go quietly.

> The third one is more confusing to me since it is a zipped file that I downloaded from the US Samsung site when I tried to upgrade my Yepp 920 studio and firmware (mp3 player interface). The scan tells me that it is an oversized archive. Is there a way for ClamAV to be sure of that (I mean in an MD5 sum sort of way)? Because it is only 50Mo.

"Oversized" archives are also known as compression bombs. You take a file with a few gazillion NULLs (easy to do on a filesystem with sparse file support) and compress it. The victim tries to unzip it to check for viruses and nukes their free disk space. I don't know exactly how ClamAV checks for these, but sometimes innocent files are tagged (files that really do have fantastic compression ratios). Unzip the file (preferably to a safe partition) and scan the resultant files.

> Thank you for your responses and advice.
> Thomas

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
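As an added illustration of the split-scan-recombine approach suggested in the reply above (not code from the list or from ClamAV), this uses Python's mailbox module in place of formail to split an mbox into single messages, hands each one to clamscan on stdin, and writes only the clean ones to a new mbox while reporting the subjects of the flagged ones. The sample mbox, its X-Constructed-Infected marker header and the marker_is_infected stand-in scanner are constructed so it can run without a real detection sample.

```python
import mailbox, subprocess, tempfile
from pathlib import Path

# Constructed sample mbox (not a real spool). The middle message carries a
# marker header so the stand-in scanner can flag it without a real sample.
SAMPLE_MBOX = """From alice@example.invalid Mon Mar 12 11:31:00 2007
Subject: clean one

From bob@example.invalid Mon Mar 12 11:32:00 2007
Subject: bad one
X-Constructed-Infected: yes

From carol@example.invalid Mon Mar 12 11:33:00 2007
Subject: clean two

"""

def clamscan_is_infected(raw: bytes) -> bool:
    """Real scanner: one message on clamscan's stdin; exit 0 = clean, 1 = infected, 2 = error."""
    proc = subprocess.run(["clamscan", "--no-summary", "-"], input=raw, capture_output=True)
    return proc.returncode != 0   # anything but a clean verdict keeps the message out of dst

def marker_is_infected(raw: bytes) -> bool:
    """Stand-in scanner for offline runs: flags the constructed marker header."""
    return b"X-Constructed-Infected: yes" in raw

def split_and_scan(src, dst, is_infected=clamscan_is_infected):
    """Scan each message in src on its own (like formail -s), append clean ones to dst.
    Returns (subjects of infected messages, number of messages kept)."""
    inbox, clean, infected, kept = mailbox.mbox(src), mailbox.mbox(dst), [], 0
    try:
        for msg in inbox:
            if is_infected(msg.as_bytes()):
                infected.append(msg.get("Subject", "(no subject)"))
            else:
                clean.add(msg)
                kept += 1
        clean.flush()
    finally:
        inbox.close()
        clean.close()
    return infected, kept

def demo():
    """Write the constructed sample to a temp dir and scan it with the stand-in scanner."""
    work = Path(tempfile.mkdtemp())
    (work / "inbox.mbox").write_text(SAMPLE_MBOX)
    return split_and_scan(str(work / "inbox.mbox"), str(work / "inbox.clean.mbox"), marker_is_infected)
```

Against a real spool, call split_and_scan with the default scanner and point Thunderbird at the new mbox once the flagged subjects have been reviewed.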