On Sunday 02 February 2014 09:12:36 G.W. Haywood did opine:

> Hi there,
>
> On Sun, 2 Feb 2014, Gene Heskett wrote:
>
> > I have trolled thru the man pages at length, and can find no option to
> > make it just a little more verbose by outputting something that would
> > serve to identify the originator of a compromised email. What we do
> > get, is hard to impossible to actually connect to a given email
> > currently sitting in a kmail folder.
> >
> > This is all I am getting in the /var/log/clamav/clamav.log:
> >
> > Thu Jan 30 10:22:29 2014 -> instream(local): Sanesecurity.Malware.20493.ZipHeur.UNOFFICIAL(75da5ae7bb694b4d03687026bb4d6ee4:22222) FOUND
> >
> > all on one long line of course.
> > ...
> > Am I missing something? If so, please point me at it.
>
> You might be. IF I understand what you're doing, it seems to me that
> you're piping a stream of data to the standard input of a process and
> asking that process to scan the stream for interesting things. You
> aren't telling it where the stream comes from, so it doesn't know, so
> it can't tell you anything other than what it finds in the anonymous
> stream. I suppose it could tell you a byte offset from the start of
> the stream if it counted the bytes, but that wouldn't be a lot of use
> if the stream came from the concatenation of half a million files.
>
> In effect, you're saying "What's in this anonymous stream of data?"

Wrong concept, it's being used on each incoming email, even before SA
looks at it. Point being that the email will normally have a subject
line which, when the mail has been sorted into the incoming kde folders,
knowing the subject line contents would go a long way toward identifying
the mail. However, I think I have the perms correct for the target virii
file now, so if it successfully gets moved to there, the lack of a good
id method is far less important.

> Another way of doing it is to tell the process "Go look at that pile
> of files over there; if you find anything of interest, tell me which
> file(s) it's in, and what you think you've found." A bit like this,
> where I've mounted an NTFS filesystem on a Linux box to scan it:
>
> 8<----------------------------------------------------------------------
> tornado:/mnt/sdc1/888# >>> clamscan -r /mnt/sde1/ -l SD8533894_clamscan-2013.08.05
> tornado:/mnt/sdc1/888# >>> grep FOUND SD8533894_clamscan-2013.08.05
> /mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/888.co.uk/Deleted 2010.sbd/2010.05: Sanesecurity.Junk.26005.UNOFFICIAL FOUND
> /mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/888.co.uk/eds: Sanesecurity.Phishing.Cur.1241.UNOFFICIAL FOUND
> /mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0-8.252/eds: Sanesecurity.Phishing.Cur.1241.UNOFFICIAL FOUND
> /mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0-8.252/Deleted 2010.sbd/2010.05: Sanesecurity.Junk.26005.UNOFFICIAL FOUND
> /mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0.252/personal: Sanesecurity.Phishing.Cur.100.UNOFFICIAL FOUND
> /mnt/sde1/Documents and Settings/RXB.RXL/Application Data/Thunderbird/Profiles/y1newwij.default/ImapMail/192.168.0.252/jo: Sanesecurity.Phishing.Cur.100.UNOFFICIAL FOUND
> /mnt/sde1/Program Files/Common Files/System/msadc/msadcs.dll: Win.Trojan.Chiton-72 FOUND
> /mnt/sde1/WINDOWS/ServicePackFiles/i386/notepad.exe: winnow.malware.72668.UNOFFICIAL FOUND
> /mnt/sde1/WINDOWS/ServicePackFiles/i386/msadcs.dll: Win.Trojan.Chiton-72 FOUND
> /mnt/sde1/WINDOWS/system32/notepad.exe: winnow.malware.72668.UNOFFICIAL FOUND
> /mnt/sde1/WINDOWS/system32/AcSignExt.dll: Win.Trojan.Fakesmoke-128 FOUND
> /mnt/sde1/WINDOWS/notepad.exe: winnow.malware.72668.UNOFFICIAL FOUND
> /mnt/sde1/WINDOWS/ie7updates/KB969897-IE7/iexplore.exe: Win.Trojan.Agent-443913 FOUND
> tornado:/mnt/sdc1/888# >>>
> 8<----------------------------------------------------------------------
>
> That is the sort of report I get from a daily scan.

Different horse entirely. :) There, it does name the file, making that
sort of housekeeping MUCH easier.

One other item I just found that I do not like. When clamav is restarted
at reboot time, it wipes the existing /var/log/clamav/clamav.log file,
destroying any interesting records from yesterday. That's not at all
nice. It really, REALLY, needs to be maintained by logrotate.

> (Sorry if your mailer wraps those lines, I'm sure you can work it out
> as they all begin with "tornado:/mnt/sdc1/888" or "/mnt/sde1".)
>
> If you have huge one-file mailboxes with lots of messages in them you
> might want to consider using a mail tool to split the messages into a
> directory full of single-file-per-message files just for the purposes
> of scanning and identifying which messages are of interest. I usually
> use 'formail' from a script such as this:
>
> 8<----------------------------------------------------------------------
> #!/bin/bash
> ##########################################################################
> # Split mbox files (like kept by thunderbird) into individual messages.
> # usage: split_mail.sh <mailbox_file>
> # Creates numbered files in TMP_SCANDIR.
> # Can't handle a path with whitespace in it.
> ##########################################################################
> # !!! Note - if CLEAN_TMP_DIR is set to 1 this directory is wiped !!!
> TMP_SCANDIR=~/split_directory
> TMP_EXT=
> CLEAN_TMP_DIR=0            # 0 = Don't purge TMP_SCANDIR, 1 = Do
> FORMAIL=/usr/bin/formail   # Adjust to suit your installation
> # nothing below here normally needs to be changed....
>
> # check to see if everything we need is here...
> if [ ! -x $FORMAIL ]; then
>   echo "Error - formail executable $FORMAIL not found."
>   exit 1
> fi
> if [ $# -ne 1 ]; then
>   echo -e "Usage: $0 <mailbox_file>"
>   echo -e "\tNote: <mailbox_file> full path to the mailbox file,"
>   if [ $CLEAN_TMP_DIR -eq 1 ]; then
>     echo -e "\t\t!!! Will purge $TMP_SCANDIR !!!"
>   else
>     echo -e -n "\t\t!!! Will NOT purge $TMP_SCANDIR,"
>     echo -e " but WILL overwrite existing files !!!"
>   fi
>   exit 2
> fi
> # DATE=`date`
> # echo "starting scan_mbox.sh version 1.2 at $DATE"
>
> # cleanup the TMP_SCANDIR if needed
> if [ $CLEAN_TMP_DIR -eq 1 ]; then
>   echo "Cleaning up any files from the previous runs..."
>   # change the -i to a -f below to bypass the need for confirmations...
>   rm -i -rv $TMP_SCANDIR
> fi
>
> # create or re-create TMP_SCANDIR
> echo "Creating (if needed) the TMP_SCANDIR location $TMP_SCANDIR..."
> mkdir -pv $TMP_SCANDIR
>
> # set the FILENO variable and export so formail will update it...
> FILENO=003000
> export FILENO
> export TMP_SCANDIR
> export TMP_EXT
>
> echo "Extracting individual mail files from $1..."
> cat $1 | $FORMAIL -d -s sh -c 'cat - >$TMP_SCANDIR/$FILENO.msg'
> exit 0
> 8<----------------------------------------------------------------------

Interesting script, but I don't believe I have any surviving mboxfile
folders.

> Actually if you know what you're doing, and you're CAREFUL, you only
> really need a couple of lines:
>
> export FILENO=003000
> cat /path/to/mboxfile | formail -d -s sh -c 'cat - >split_directory/$FILENO.msg'
>
> Then you can scan the directory with clamscan as above. If you run
> the clamd daemon you _could_ use clamdscan, but note the differences
> between clamscan and clamdscan. More flexibility at the command line
> with clamscan than with clamdscan. And more danger too. :)
>
> > No "FOUND" yet today which seems odd.
>
> I definitely don't understand what you mean by that.

Meaning that no incoming viri have been detected by my procmail recipe
since Thursday's blast of 3, all in about an hour's time.

> --
>
> 73,
> Ged.

Thanks Ged.

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
NOTICE: Will pay 100 USD for an HP-4815A defective but complete probe assembly.
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
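A file-based take on Ged's formail split, added here as an example and not code from either poster: Python's standard mailbox module writes each mbox message to a numbered file the way the script does, keeps an index of Subject and Message-ID per file, and joins clamscan's "path: Signature FOUND" lines back to that index so a hit names the originating mail. This only works when clamscan is given files; the clamd instream(local) line Gene quotes carries no path and is mapped to "?". The two-message mbox and the scan output line are constructed for the example.

```python
import mailbox
import os
import re
import tempfile
# Constructed two-message mbox standing in for a real mail folder.
SAMPLE_MBOX = """From alice@example.com Thu Jan 30 10:20:00 2014
Subject: Invoice attached
Message-ID: <msg-1@example.com>

body one

From bob@example.com Thu Jan 30 10:22:29 2014
Subject: Re: your account
Message-ID: <msg-2@example.com>

body two
"""
# clamscan hit line: "<path>: <signature> FOUND" (signature may carry a suffix).
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def split_mbox(mbox_path, out_dir, start=3000):
    """Write each message to out_dir/NNNNNN.msg; return {path: (Subject, Message-ID)}."""
    index = {}
    box = mailbox.mbox(mbox_path)
    for n, msg in enumerate(box, start=start):   # numbered like the formail script
        path = os.path.join(out_dir, "%06d.msg" % n)
        with open(path, "wb") as fh:
            fh.write(msg.as_bytes())
        index[path] = (msg.get("Subject", ""), msg.get("Message-ID", ""))
    box.close()
    return index

def attribute_hits(scan_output, index):
    """Join each clamscan FOUND line back to the message it came from."""
    hits = []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:  # paths not in the index (e.g. instream(local)) map to "?"
            subject, msgid = index.get(m.group("path"), ("?", "?"))
            hits.append({"path": m.group("path"), "signature": m.group("sig"),
                         "subject": subject, "message_id": msgid})
    return hits

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "inbox"), "w") as fh:
            fh.write(SAMPLE_MBOX)
        index = split_mbox(os.path.join(tmp, "inbox"), tmp)
        scan = os.path.join(tmp, "003001.msg") + ": Sanesecurity.Phishing.Cur.1241.UNOFFICIAL FOUND\n"
        return attribute_hits(scan, index)
```

Pointing split_mbox at a real mbox and attribute_hits at the output of clamscan -r on the split directory gives one dict per hit, which is the subject-line identification Gene is after.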