On Fri, 9 Apr 2004, Tomasz Kojm wrote:
> jef moskot <[EMAIL PROTECTED]> wrote:
> > Is there no way to get Clam to report which message the infected file
> > (or at least the FIRST infected file) is in?
> You may try with clamscan -m --debug

Could you give some tips on how to use that to figure out which message is
being referred to?  For example, I have a mail file with just one message
in it (which is infected) and the output is quite noisy.  I've attached it
below.  When scanning a mailbox with 1000 messages in it, it's quite
difficult to make anything of this output without knowing exactly what to
look for.

Also, piping the output to a file doesn't seem to work, so even if there's
some flag to grep for, it's difficult to manage.

Is keeping a message counter feasible, given the design of the code?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

SCAN OUTPUT (names have been changed to protect the innocent and not):

#: clamscan -m --debug malware.1
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 1b99fa97eec06a4e2946d2c53d63f2c1
LibClamAV debug: Decoded signature: 1b99fa97eec06a4e2946d2c53d63f2c1
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//5be97e661849fdd0/COPYING
LibClamAV debug: Unpacking /var/tmp//5be97e661849fdd0/viruses.db
LibClamAV debug: Loading databases from /var/tmp//5be97e661849fdd0
LibClamAV debug: Loading /var/tmp//5be97e661849fdd0/viruses.db
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = ac07fb36367c36f62aebaf42ff53c273
LibClamAV debug: Decoded signature: ac07fb36367c36f62aebaf42ff53c273
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//2c1156fb087c6d13/COPYING
LibClamAV debug: Unpacking /var/tmp//2c1156fb087c6d13/viruses.db2
LibClamAV debug: Loading databases from /var/tmp//2c1156fb087c6d13
LibClamAV debug: Loading /var/tmp//2c1156fb087c6d13/viruses.db2
LibClamAV debug: Recognized MBox file
LibClamAV debug: Starting cli_scanmail()
LibClamAV debug: in mbox()
LibClamAV debug: Deal with header From [EMAIL PROTECTED] Thu Apr  8 11:18:31 2004
LibClamAV debug: parseEmailHeader 'From [EMAIL PROTECTED] Thu Apr  8 11:18:31 2004'
LibClamAV debug: parseMimeHeader: cmd='From [EMAIL PROTECTED] Thu Apr  8 11', 
arg='18:31 2004'
LibClamAV debug: Deal with header Return-Path: <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'Return-Path: <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='Return-Path', arg=' <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Received: from virus.relay.com (virus.relay.com 
[XXX.XXX.XXX.XXX])
LibClamAV debug: parseEmailHeader 'Received: from virus.relay.com (virus.relay.com 
[XXX.XXX.XXX.XXX])'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' from virus.relay.com 
(virus.relay.com [XXX.XXX.XXX.XXX])'
LibClamAV debug: Discarding unwanted argument 'by virus.destination.com 
(8.12.8p1/8.12.8av) with SMTP id
i38FIVa7017841'
LibClamAV debug: Discarding unwanted argument 'for <[EMAIL PROTECTED]>'
LibClamAV debug: Discarding unwanted argument 'Thu, 8 Apr 2004 11'
LibClamAV debug: Discarding unwanted argument '18'
LibClamAV debug: Discarding unwanted argument '31 -0400 (EDT)'
LibClamAV debug: Discarding unwanted argument '(envelope-from [EMAIL PROTECTED])'
LibClamAV debug: Deal with header Date: Thu, 8 Apr 2004 11:18:31 -0400 (EDT)
LibClamAV debug: parseEmailHeader 'Date: Thu, 8 Apr 2004 11:18:31 -0400 (EDT)'
LibClamAV debug: parseMimeHeader: cmd='Date', arg=' Thu, 8 Apr 2004 11:18:31 -0400 
(EDT)'
LibClamAV debug: Deal with header Message-Id: <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'Message-Id: <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='Message-Id', arg=' <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Received: (qmail 7 invoked by alias); 8 Apr 2004 
15:22:58 -0000
LibClamAV debug: parseEmailHeader 'Received: (qmail 7 invoked by alias); 8 Apr 2004 
15:22:58 -0000'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' (qmail 7 invoked by alias); 8 
Apr 2004 15:22:58 -0000'
LibClamAV debug: Deal with header Delivered-To: [EMAIL PROTECTED]
LibClamAV debug: parseEmailHeader 'Delivered-To: [EMAIL PROTECTED]'
LibClamAV debug: parseMimeHeader: cmd='Delivered-To', arg=' [EMAIL PROTECTED]'
LibClamAV debug: Deal with header Received: (qmail 9254 invoked from network); 8 Apr 
2004 15:22:37 -0000
LibClamAV debug: parseEmailHeader 'Received: (qmail 9254 invoked from network); 8 Apr 
2004 15:22:37 -0000'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' (qmail 9254 invoked from 
network); 8 Apr 2004 15:22:37 -0000'
LibClamAV debug: Deal with header Received: from virus.origin.com (HELO computername)
(80.14.177.85)
LibClamAV debug: parseEmailHeader 'Received: from virus.origin.com (HELO computername)
(80.14.177.85)'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' from virus.origin.com (HELO
computername) (80.14.177.85)'
LibClamAV debug: Discarding unwanted argument 'by virus.relay.com with SMTP'
LibClamAV debug: Discarding unwanted argument '8 Apr 2004 15'
LibClamAV debug: Discarding unwanted argument '22'
LibClamAV debug: Discarding unwanted argument '37 -0000'
LibClamAV debug: Deal with header From: "juan" <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'From: "juan" <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='From', arg=' "juan" <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Subject:  Re: sorry we can't go out again, size does 
matter to me!
LibClamAV debug: parseEmailHeader 'Subject:  Re: sorry we can't go out again, size 
does matter to me!'
LibClamAV debug: parseMimeHeader: cmd='Subject', arg='  Re: sorry we can't go out 
again, size does matter to me!'
LibClamAV debug: Deal with header MIME-Version: 1.0
LibClamAV debug: parseEmailHeader 'MIME-Version: 1.0'
LibClamAV debug: parseMimeHeader: cmd='MIME-Version', arg=' 1.0'
LibClamAV debug: Deal with header Content-Type: multipart/mixed; 
boundary="----------QCD72W794QIH7W"
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed; 
boundary="----------QCD72W794QIH7W"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' multipart/mixed; 
boundary="----------QCD72W794QIH7W"'
LibClamAV debug: messageSetMimeType: ' multipart'
LibClamAV debug: Add arguments ' boundary="----------QCD72W794QIH7W"'
LibClamAV debug: Add argument 'boundary=----------QCD72W794QIH7W'
LibClamAV debug: Deal with header To: undisclosed-recipients:;
LibClamAV debug: parseEmailHeader 'To: undisclosed-recipients:;'
LibClamAV debug: parseMimeHeader: cmd='To', arg=' undisclosed-recipients:;'
LibClamAV debug: Deal with header X-IMAPbase: 1081463642 1
LibClamAV debug: parseEmailHeader 'X-IMAPbase: 1081463642 1'
LibClamAV debug: parseMimeHeader: cmd='X-IMAPbase', arg=' 1081463642 1'
LibClamAV debug: Deal with header Status: RO
LibClamAV debug: parseEmailHeader 'Status: RO'
LibClamAV debug: parseMimeHeader: cmd='Status', arg=' RO'
LibClamAV debug: Deal with header X-Status:
LibClamAV debug: parseEmailHeader 'X-Status:'
LibClamAV debug: Deal with header X-Keywords:
LibClamAV debug: parseEmailHeader 'X-Keywords:'
LibClamAV debug: Deal with header X-UID: 1
LibClamAV debug: parseEmailHeader 'X-UID: 1'
LibClamAV debug: parseMimeHeader: cmd='X-UID', arg=' 1'
LibClamAV debug: Deal with header
LibClamAV debug: End of header information
LibClamAV debug: parseEmailHeaders: calling textDestroy
LibClamAV debug: parseEmailHeaders: return
LibClamAV debug: in parseEmailBody(nBlobs = 0)
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 5
LibClamAV debug: found ----------QCD72W794QIH7W in ------------QCD72W794QIH7W
LibClamAV debug: Now read in part 0
LibClamAV debug: parseEmailHeader 'Content-Type: text/plain; charset=us-ascii'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/plain; 
charset=us-ascii'
LibClamAV debug: messageSetMimeType: ' text'
LibClamAV debug: Add arguments ' charset=us-ascii'
LibClamAV debug: Discarding unwanted argument 'charset=us-ascii'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: Encoding type is "7bit"
LibClamAV debug: found ----------QCD72W794QIH7W in ------------QCD72W794QIH7W
LibClamAV debug: Part 0 has 3 lines
LibClamAV debug: Now read in part 1
LibClamAV debug: parseEmailHeader 'Content-Type: application/x-msdownload; 
name="09-11- PENSYLVANIE- CVR-
VERSLAG!!!!!!!.htm.scr"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' application/x-msdownload; 
name="09-11- PENSYLVANIE- CVR-
VERSLAG!!!!!!!.htm.scr"'
LibClamAV debug: messageSetMimeType: ' application'
LibClamAV debug: Add arguments ' name="09-11- PENSYLVANIE- CVR-  
VERSLAG!!!!!!!.htm.scr"'
LibClamAV debug: Add argument 'name=09-11- PENSYLVANIE- CVR-  VERSLAG!!!!!!!.htm.scr'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' base64'
LibClamAV debug: Encoding type is "base64"
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; filename="09-11- 
PENSYLVANIE- CVR-
VERSLAG!!!!!!!.htm.scr"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment; 
filename="09-11- PENSYLVANIE- CVR-
VERSLAG!!!!!!!.htm.scr"'
LibClamAV debug: Add argument 'filename="09-11- PENSYLVANIE- CVR-  
VERSLAG!!!!!!!.htm.scr"'
LibClamAV debug: found ----------QCD72W794QIH7W in ------------QCD72W794QIH7W--
LibClamAV debug: Part 1 has 927 lines
LibClamAV debug: Now read in part 2
LibClamAV debug: Empty part
LibClamAV debug: The message has 3 parts
LibClamAV debug: Find out the multipart type(mixed)
LibClamAV debug: Mixed message with 3 parts
LibClamAV debug: Mixed message part 0 is of type 6
LibClamAV debug: Mixed message text part disposition ""
LibClamAV debug: Adding part to main message
LibClamAV debug: Mixed message part 1 is of type 1
LibClamAV debug: blobSetFilename: 09-11- PENSYLVANIE- CVR-  VERSLAG!!!!!!!.htm.scr
LibClamAV debug: Mixed message part 2 is of type 0
LibClamAV debug: in parseEmailBody(nBlobs = 1)
LibClamAV debug: 1 attachments found
LibClamAV debug: Saving attachment in /var/tmp//b9dc5b68cec4894e/09-11- PENSYLVANIE- 
CVR-  VERSLAG!!!!!!!.htm.scr
LibClamAV debug: Saving attachment as /var/tmp//b9dc5b68cec4894e/09-11- PENSYLVANIE- 
CVR-
VERSLAG!!!!!!!.htm.scrhO6jxP (52737 bytes long)
LibClamAV debug: blobDestroy
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Scanning /var/tmp//b9dc5b68cec4894e/09-11- PENSYLVANIE- CVR-  
VERSLAG!!!!!!!.htm.scrhO6jxP
LibClamAV debug: Worm.Bugbear.C virus found in descriptor 7.
malware.1: Worm.Bugbear.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 21042
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
I/O buffer size: 131072 bytes
Time: 1.145 sec (0 m 1 s)


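One way to get the per-message attribution the post asks for, as an added example that is not part of the original thread and not ClamAV's own code: split the mbox into one file per message with the message index in the file name, scan that directory, and map clamscan's `<path>: <signature> FOUND` result lines (the format of `malware.1: Worm.Bugbear.C FOUND` above) back to the message index and its From/Subject/Message-Id headers. The two-message sample mbox and the stand-in clamscan report used by `demo()` are constructed; `run_clamscan` assumes a `clamscan` binary on PATH.

```python
"""Attribute a clamscan FOUND result to the message inside an mbox.

Added example, not ClamAV code: split the mbox one message per file,
scan the directory, and map FOUND lines back to message index and headers.
"""
import mailbox
import os
import re
import subprocess
import sys
import tempfile
from email import policy
from email.parser import BytesParser

# Per-file result line clamscan prints, e.g. "malware.1: Worm.Bugbear.C FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed two-message mbox; the "attachment" is just base64 "hello".
SAMPLE_MBOX = b"""From alice@example.invalid Thu Apr  8 11:18:31 2004
From: alice <alice@example.invalid>
Subject: clean message
Message-Id: <clean-1@example.invalid>

nothing to see here

From juan@example.invalid Thu Apr  8 11:20:00 2004
From: "juan" <juan@example.invalid>
Subject: Re: sample with attachment
Message-Id: <attach-2@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

see attachment
--BOUNDARY
Content-Type: application/octet-stream; name="sample.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUNDARY--
"""


def split_mbox(mbox_path, out_dir):
    """Write message N to out_dir/msg-NNNNN.mbox (From_ line kept, so each
    file is itself a one-message mbox). Returns the paths in mbox order."""
    box = mailbox.mbox(mbox_path, create=False)
    paths = []
    try:
        for idx, key in enumerate(box.keys(), start=1):
            path = os.path.join(out_dir, f"msg-{idx:05d}.mbox")
            with open(path, "wb") as fh:
                fh.write(box.get_bytes(key, from_=True))
            paths.append(path)
    finally:
        box.close()
    return paths


def parse_clamscan_output(text):
    """Return {path: signature} for every FOUND line in clamscan's stdout."""
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def message_summary(path):
    """Headers an admin can search the mailbox for: From, Subject, Message-Id."""
    with open(path, "rb") as fh:
        msg = BytesParser(policy=policy.default).parse(fh)
    return {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-Id", "")),
    }


def infected_messages(split_paths, clamscan_stdout):
    """Join FOUND lines to the 1-based message index plus identifying headers."""
    hits = parse_clamscan_output(clamscan_stdout)
    found = []
    for idx, path in enumerate(split_paths, start=1):
        if path in hits:
            info = message_summary(path)
            info.update(index=idx, path=path, signature=hits[path])
            found.append(info)
    return found


def run_clamscan(directory):
    """Scan the split directory. FOUND lines are on stdout; --debug output
    goes to stderr. Assumes clamscan is on PATH; exit status 1 = something found."""
    proc = subprocess.run(["clamscan", directory], capture_output=True, text=True)
    return proc.stdout


def demo():
    """Whole pipeline on the constructed mbox, with a constructed clamscan
    report standing in for a real run so it works offline."""
    work = tempfile.mkdtemp(prefix="mboxscan-")
    mbox_path = os.path.join(work, "sample.mbox")
    with open(mbox_path, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    parts = split_mbox(mbox_path, work)
    report = f"{parts[0]}: OK\n{parts[1]}: Worm.Bugbear.C FOUND\n"  # constructed
    return infected_messages(parts, report)


if __name__ == "__main__":
    work = tempfile.mkdtemp(prefix="mboxscan-")
    parts = split_mbox(sys.argv[1], work)
    for hit in infected_messages(parts, run_clamscan(work)):
        print(f"message #{hit['index']}: {hit['signature']}  {hit['message_id']}  {hit['subject']}")
```

The file index stands in for the message counter the post asks about, without depending on the layout of the `--debug` trace. On the redirection problem: libclamav writes its debug messages to stderr, so `clamscan -m --debug mailbox > results.txt 2> debug.txt` separates the FOUND lines from the trace, and `2>&1` merges them if that is what you want in one file.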
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
