Hi there,

On Sun, 2 Feb 2014, Gene Heskett wrote:

> I have trolled through the man pages at length, and can find no option to make it just a little more verbose by outputting something that would serve to identify the originator of a compromised email. What we do get is hard to impossible to actually connect to a given email currently sitting in a kmail folder.
>
> This is all I am getting in the /var/log/clamav/clamav.log:
>
> Thu Jan 30 10:22:29 2014 -> instream(local): Sanesecurity.Malware.20493.ZipHeur.UNOFFICIAL(75da5ae7bb694b4d03687026bb4d6ee4:22222) FOUND
>
> all on one long line of course.
> ...
> Am I missing something?  If so, please point me at it.

You might be.  IF I understand what you're doing, it seems to me that
you're piping a stream of data to the standard input of a process and
asking that process to scan the stream for interesting things.  You
aren't telling it where the stream comes from, so it doesn't know, so
it can't tell you anything other than what it finds in the anonymous
stream.  I suppose it could tell you a byte offset from the start of
the stream if it counted the bytes, but that wouldn't be a lot of use
if the stream came from the concatenation of half a million files.

In effect, you're saying "What's in this anonymous stream of data?"

Another way of doing it is to tell the process "Go look at that pile
of files over there; if you find anything of interest, tell me which
file(s) it's in, and what you think you've found."  A bit like this,
where I've mounted an NTFS filesystem on a Linux box to scan it:

8<----------------------------------------------------------------------
tornado:/mnt/sdc1/888# >>> clamscan -r /mnt/sde1/ -l SD8533894_clamscan-2013.08.05
tornado:/mnt/sdc1/888# >>> grep FOUND SD8533894_clamscan-2013.08.05
/mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/888.co.uk/Deleted 2010.sbd/2010.05: Sanesecurity.Junk.26005.UNOFFICIAL FOUND
/mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/888.co.uk/eds: Sanesecurity.Phishing.Cur.1241.UNOFFICIAL FOUND
/mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0-8.252/eds: Sanesecurity.Phishing.Cur.1241.UNOFFICIAL FOUND
/mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0-8.252/Deleted 2010.sbd/2010.05: Sanesecurity.Junk.26005.UNOFFICIAL FOUND
/mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0.252/personal: Sanesecurity.Phishing.Cur.100.UNOFFICIAL FOUND
/mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0.252/jo: Sanesecurity.Phishing.Cur.100.UNOFFICIAL FOUND
/mnt/sde1/Program Files/Common Files/System/msadc/msadcs.dll: Win.Trojan.Chiton-72 FOUND
/mnt/sde1/WINDOWS/ServicePackFiles/i386/notepad.exe: winnow.malware.72668.UNOFFICIAL FOUND
/mnt/sde1/WINDOWS/ServicePackFiles/i386/msadcs.dll: Win.Trojan.Chiton-72 FOUND
/mnt/sde1/WINDOWS/system32/notepad.exe: winnow.malware.72668.UNOFFICIAL FOUND
/mnt/sde1/WINDOWS/system32/AcSignExt.dll: Win.Trojan.Fakesmoke-128 FOUND
/mnt/sde1/WINDOWS/notepad.exe: winnow.malware.72668.UNOFFICIAL FOUND
/mnt/sde1/WINDOWS/ie7updates/KB969897-IE7/iexplore.exe: Win.Trojan.Agent-443913 FOUND
tornado:/mnt/sdc1/888# >>>
8<----------------------------------------------------------------------

(Sorry if your mailer wraps those lines, I'm sure you can work it out
as they all begin with "tornado:/mnt/sdc1/888" or "/mnt/sde1".)

If you have huge one-file mailboxes with lots of messages in them you
might want to consider using a mail tool to split the messages into a
directory full of single-file-per-message files just for the purposes
of scanning and identifying which messages are of interest.  I usually
use 'formail' from a script such as this:

8<----------------------------------------------------------------------
#!/bin/bash
##########################################################################
# Split mbox files (like kept by thunderbird) into individual messages.
# usage: split_mail.sh <mailbox_file>
# Creates numbered files in TMP_SCANDIR.
# Paths are quoted below, so whitespace in them is handled.
##########################################################################
# !!! Note - if CLEAN_TMP_DIR is set to 1 this directory is wiped !!!
TMP_SCANDIR=~/split_directory
TMP_EXT=
CLEAN_TMP_DIR=0              # 0 = Don't purge TMP_SCANDIR, 1 = Do
FORMAIL=/usr/bin/formail     # Adjust to suit your installation
# nothing below here normally needs to be changed....

# check to see if everything we need is here...
if [ ! -x "$FORMAIL" ]; then
    echo "Error - formail executable $FORMAIL not found."
    exit 1
fi
if [ $# -ne 1 ]; then
    echo -e "Usage:  $0 <mailbox_file>"
    echo -e "\tNote:  <mailbox_file> full path to the mailbox file,"
    if [ "$CLEAN_TMP_DIR" -eq 1 ]; then
        echo -e "\t\t!!! Will purge $TMP_SCANDIR !!!"
    else
        echo -e -n "\t\t!!! Will NOT purge $TMP_SCANDIR,"
        echo -e " but WILL overwrite existing files !!!"
    fi
    exit 2
fi
# DATE=`date`
# echo "starting scan_mbox.sh version 1.2 at $DATE"

# cleanup the TMP_SCANDIR if needed
if [ "$CLEAN_TMP_DIR" -eq 1 ]; then
    echo "Cleaning up any files from the previous runs..."
    # change the -i to a -f below to bypass the need for confirmations...
    rm -i -rv "$TMP_SCANDIR"
fi
# create or re-create TMP_SCANDIR
echo "Creating (if needed) the TMP_SCANDIR location $TMP_SCANDIR..."
mkdir -pv "$TMP_SCANDIR"
# set the FILENO variable and export so formail will update it...
FILENO=003000
export FILENO
export TMP_SCANDIR
export TMP_EXT
echo "Extracting individual mail files from $1..."
"$FORMAIL" -d -s sh -c 'cat - >"$TMP_SCANDIR/$FILENO.msg"' < "$1"
exit 0
8<----------------------------------------------------------------------

Actually if you know what you're doing, and you're CAREFUL, you only
really need a couple of lines:

export FILENO=003000
cat /path/to/mboxfile | formail -d -s sh -c 'cat - >split_directory/$FILENO.msg'

Then you can scan the directory with clamscan as above.  If you run
the clamd daemon you _could_ use clamdscan, but note the differences
between clamscan and clamdscan.  More flexibility at the command line
with clamscan than with clamdscan.  And more danger too. :)

> No "FOUND" yet today which seems odd.

I definitely don't understand what you mean by that.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
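A worked version of the split-then-attribute idea from Ged's reply, added here as an example and not code from the post, from ClamAV or from procmail/formail: it does with Python's standard mailbox module what the formail one-liner does (one zero-padded numbered file per message, starting at 003000), keeps an index of From/Subject/Message-ID per file, and joins clamscan's "path: Signature FOUND" lines back to that index so each hit names the message it came from, which is exactly what the instream log line cannot tell you. The sample mailbox and the scan output parsed at the bottom are constructed; the only real external command referenced is `clamscan -r --infected`, which runs only when clamscan is on PATH and no scan output is supplied.

```python
#!/usr/bin/env python3
"""Split an mbox into one file per message, index who sent each piece, and
map clamscan FOUND lines back to the originating message (added example)."""
import mailbox
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample mailbox (not real mail); the second message is the one
# the constructed scan output below flags.
SAMPLE_MBOX = """\
From alice@example.invalid Thu Jan 30 10:20:00 2014
From: Alice <alice@example.invalid>
Subject: Invoice
Message-ID: <one@example.invalid>

Please find the invoice attached.

From bob@example.invalid Thu Jan 30 10:21:00 2014
From: Bob <bob@example.invalid>
Subject: Urgent: verify your account
Message-ID: <two@example.invalid>

Open the attached zip to verify your account.

From carol@example.invalid Thu Jan 30 10:22:00 2014
From: Carol <carol@example.invalid>
Subject: Photos
Message-ID: <three@example.invalid>

See attached.
"""

# clamscan prints one "<path>: <signature> FOUND" line per hit. The signature
# name contains no spaces, so a greedy path group still splits correctly even
# when the path itself contains ": ".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def split_mbox(mbox_path, out_dir, first_no=3000, width=6):
    """Write each message of mbox_path to out_dir/<number>.msg, numbered the
    way formail's FILENO does, and return {filename: {from, subject, message_id}}."""
    os.makedirs(out_dir, exist_ok=True)
    box = mailbox.mbox(mbox_path)
    index = {}
    try:
        for n, key in enumerate(box.keys(), start=first_no):
            name = f"{n:0{width}d}.msg"
            # get_bytes() returns the raw message without the mbox "From " line
            with open(os.path.join(out_dir, name), "wb") as fh:
                fh.write(box.get_bytes(key))
            msg = box.get_message(key)
            index[name] = {
                "from": msg.get("From", ""),
                "subject": msg.get("Subject", ""),
                "message_id": msg.get("Message-ID", ""),
            }
    finally:
        box.close()
    return index


def parse_found(scan_output):
    """Return (path, signature) pairs for every FOUND line in clamscan output."""
    hits = []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def attribute_hits(scan_output, index):
    """Join FOUND lines to the index so each hit names sender and subject."""
    result = []
    for path, sig in parse_found(scan_output):
        meta = index.get(os.path.basename(path))
        if meta is None:
            continue  # a hit on something we did not split; the log keeps it
        result.append({"file": os.path.basename(path), "signature": sig, **meta})
    return result


def demo(scan_output=None):
    """Split SAMPLE_MBOX into a temp dir and attribute scan_output to it.
    With scan_output=None and clamscan on PATH, the split files are scanned
    for real with `clamscan -r --infected` (both are real clamscan options)."""
    with tempfile.TemporaryDirectory() as tmp:
        mbox_path = os.path.join(tmp, "inbox.mbox")
        with open(mbox_path, "w") as fh:
            fh.write(SAMPLE_MBOX)
        split_dir = os.path.join(tmp, "split_directory")
        index = split_mbox(mbox_path, split_dir)
        if scan_output is None:
            if shutil.which("clamscan") is None:
                return index, []
            proc = subprocess.run(["clamscan", "-r", "--infected", split_dir],
                                  capture_output=True, text=True)
            scan_output = proc.stdout
        return index, attribute_hits(scan_output, index)


if __name__ == "__main__":
    # Constructed scan output, reusing the signature name seen in the thread.
    fake_scan = ("/tmp/split_directory/003001.msg: "
                 "Sanesecurity.Malware.20493.ZipHeur.UNOFFICIAL FOUND\n"
                 "----------- SCAN SUMMARY -----------\nInfected files: 1\n")
    for h in demo(fake_scan)[1]:
        print(f"{h['file']}: {h['signature']} from {h['from']} ({h['subject']})")
```

The index is the part worth keeping around: write it next to the split directory (or log it) before scanning, because once clamscan reports `003001.msg` the number alone is only useful if you can still look up which Message-ID it was cut from.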
