-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fermín Galán Márquez wrote:
> Hello,
>
> My name is Fermín Galán. I'm a newcomer in the list, so please
> forgive me if I ask some stupid questions :)
>
> I'm involved in a forensic analysis of a Windows system. I have
> extracted the cracked disk partition and mounted it in the
> GNU/Linux system where I'm performing the analysis. One of the
> steps is to search for viruses and I'm using clamav to do it.
>
> It seems (manpage) that clamscan is able to search inside .zip and
> .rar files, right? However, I would like to know also if the tool
> is powerful enough to search inside attachment files in
> mails that are stored in .dbx files (.dbx is the mailbox format
> that Outlook Express uses) and .pst files (used by Outlook). There
> are several .dbx and .pst in the system I'm analysing and I suspect
> that some of them may contain a virus in a mail attachment.
>
> Otherwise, is there any workaround? (maybe a tool that extracts
> attachments in mails in a .dbx to plain files and then using clamscan
> on them)
>
> Any information/help is really welcome... Thanks in advance!
>
> (I've searched the list archives regarding this topic, but I didn't
> find anything; however, if I'm wrong and this topic has been
> already treated, please provide me a URL to the thread or
> discussion)
>
> Best regards,
>
> --------------------
> Fermín Galán Márquez
> CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
> Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n,
> 08860 Castelldefels, Spain
> Room 1.02
> Tel : +34 93 645 29 12
> Fax : +34 93 645 29 01
> Email address: [EMAIL PROTECTED]
>
I'm not sure ClamAV is the right tool for you. I doubt that ClamAV can scan inside pst-files, you need the MAPI-interface for that. Also, I don't think dbx files are supported either, but it still might be possible for clam to recognize viruses in them. I would guess that your best bet is going for a scanner (actually, scanners if you want to do a thorough job) that has Windows as its native platform (ClamAV is designed for *nix) and doing it from a Windows environment (which would allow you to use the MAPI-interface to scan inside the pst's). But it really depends on what kind of system and compromise (accidental or professionally targeted) you're dealing with.

Kind Regards,
Sander Holthaus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFESPj9Vf373DysOTURAmQ7AKDzXQ1478rKpN3pWftIRW345dM6kACg4LIl
EPykvWn47rg8rEEBsyQeLaA=
=GPcb
-----END PGP SIGNATURE-----

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
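The workaround the original question floats (pull the attachments out of the mailboxes as plain files, then point clamscan at them) can be done from the Linux analysis host with nothing more than the Python standard library once the mailboxes are in mbox form. The script below is an added example and is not code from the thread or from the ClamAV project. It assumes the .pst/.dbx files have first been converted to mbox with an external tool such as readpst (from libpst), which is outside the standard library and not on this page; the sample mbox is constructed inline, and the clamscan flags used (`-r`, `--infected`, `--no-summary`) are the documented ones but are an assumption about the installed version. The decoded payload is written with a sanitised basename so a crafted attachment name cannot steer the file outside the output directory.

```python
"""Extract attachments from an mbox export into plain files, then clamscan them.

Added example (not from the clamav-users thread). Assumes the Outlook /
Outlook Express mailboxes were already exported to mbox, e.g. with readpst
(libpst); readpst itself is not used here.
"""
import hashlib
import mailbox
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample mbox (not real mail): one message carrying a base64
# attachment whose decoded bytes start with "MZ" (27 bytes, harmless), and one
# plain-text message with no attachment at all.
SAMPLE_MBOX = """From alice@example.invalid Mon Apr 24 10:00:00 2006
From: alice@example.invalid
To: bob@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ--

From carol@example.invalid Mon Apr 24 11:00:00 2006
From: carol@example.invalid
To: bob@example.invalid
Subject: hi
Content-Type: text/plain

no attachment here
"""


def safe_name(filename):
    """Reduce a MIME filename to a basename using a conservative charset.

    Strips any directory component (forward or backslash) so a name such as
    "../../etc/passwd" cannot escape the output directory.
    """
    base = os.path.basename((filename or "").replace("\\", "/"))
    cleaned = "".join(c if c.isalnum() or c in "._-" else "_" for c in base)
    return cleaned or "attachment"


def extract_attachments(mbox_path, out_dir):
    """Write every attachment found in an mbox to out_dir as a plain file.

    Returns (message_count, records); each record holds the original name,
    the path written, the decoded size and the SHA-256 of the decoded bytes,
    which is what you would carry into the forensic report.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    records = []
    box = mailbox.mbox(str(mbox_path))
    count = 0
    for msg_idx, msg in enumerate(box):
        count += 1
        for part_idx, part in enumerate(msg.walk()):
            if part.is_multipart():
                continue  # container only; the leaves carry the content
            name = part.get_filename()
            if not name and part.get_content_disposition() != "attachment":
                continue  # inline body text, not an attachment
            payload = part.get_payload(decode=True) or b""  # undoes base64/QP
            dest = out_dir / f"{msg_idx:04d}_{part_idx:02d}_{safe_name(name)}"
            dest.write_bytes(payload)
            records.append({
                "filename": name or "",
                "path": str(dest),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
    box.close()
    return count, records


def clamscan_dir(directory):
    """Run clamscan over the extracted files; return its exit code, or None.

    clamscan exits 0 when nothing is flagged, 1 when at least one file is
    flagged and 2 on error. None means clamscan is not on PATH.
    """
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    proc = subprocess.run(
        [exe, "-r", "--infected", "--no-summary", str(directory)],
        capture_output=True, text=True,
    )
    return proc.returncode


def run_demo():
    """Parse the constructed sample mbox in a temp dir and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        mbox_path = Path(tmp) / "inbox.mbox"
        mbox_path.write_text(SAMPLE_MBOX)
        out_dir = Path(tmp) / "attachments"
        messages, records = extract_attachments(mbox_path, out_dir)
        return {"messages": messages, "attachments": records,
                "clamscan_rc": clamscan_dir(out_dir)}


if __name__ == "__main__":
    print(run_demo())
```

On a real case you would replace `SAMPLE_MBOX` with the mbox files readpst wrote for each folder, keep the output directory on the analysis host (never on the evidence mount), and treat a `clamscan_rc` of 1 as "look at the named files", not as a verdict: ClamAV's signature coverage is one opinion, which is the point Sander makes above about using more than one scanner.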