On Mon, 2007-03-12 at 11:31 +0100, Pascal Duchatelle wrote:
> Hi there,
> sorry to bother you but I am new to ClamAV (on Fedora Core 6). I ran
> clamscan on my laptop and got a message telling me that I have 3 files
> infected.
> One is in my mail. I browsed the FAQ and found a way (by using the
> --debug option) that is supposed to tell the number of the infected
> message so that I could get rid of it.
> First: I ran the clamscan --debug -l fich -r / command in a
> console. Where should I find the line telling me which of my messages is
> infected? In the console or in the fich file given in the command?
> But maybe it does not work with Thunderbird.
> If it is in the console, then I have another problem because during the
> debug process there is a bunch of info scrolling down the screen at
> incredible speed, and after a moment, I don't know why, the characters
> go wild (except numbers) so that I cannot read anything on the screen.
> Of course I could delete the entire content of the mailbox (by the way,
> would it be enough action taken? because nowhere in the manual is it
> said how to handle infected files (although in the FAQ it is hinted that
> disinfecting such files would be mainly a waste of energy...)). This
> would waste me a lot of valuable messages that I keep, but moreover I would
> not know where the infected message comes from (for future precaution).
You could split it into separate messages using formail, scan the
individual messages and then recombine the uninfected ones.
Alternatively you could use a MUA to split your mail into 2 folders,
scan them, then split the infected one again. Ye olde binary search :-)
> The second file infected is in my Windows partition under the root
> directory (I got this result: media/hda2/pagefile.sys:
> Exploit.HTML.MHTRedir-8 FOUND). hda2 is my Windows partition. This file
> is 1.3G large (from what Nautilus sees/says). Again, is simply deleting
> enough? Is it usually a Windows file?
pagefile.sys is your swap file. If your virus was ever swapped out, it'd
make sense to find it there.
You should be able to delete it; Windows will recreate it.
You need to turn off swap first, (probably) reboot, delete the file,
turn swap back on and reboot again.
Is deleting it enough?
My advice is to nuke infected systems. Even benign programs rarely
uninstall cleanly; malware is nasty and designed not to go quietly.
> The third one is more confusing to me since it is a zipped file that I
> downloaded from the US Samsung site when I tried to upgrade my Yepp 920
> studio and firmware (mp3 player interface). The scan tells me that it is
> an oversized archive. Is there a way for ClamAV to be sure of that (I
> mean in an MD5 sum sort of way)? Because it is only 50 MB.
Oversized archives are also known as compression bombs. You take a
file with a few gazillion NULs (easy to do on a filesystem with sparse
file support) and compress it.
The victim tries to unzip it to check for viruses and nukes their free
disk space.
I don't know exactly how ClamAV checks for these, but sometimes
innocent files are tagged (files that really do have fantastic
compression ratios).
Unzip the file (preferably to a safe partition) and scan the resultant
files.
> Thank you for your responses and advice.
Thomas
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
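The split, scan and recombine procedure from the reply, together with the compression-bomb question, as an added example in Python; this is not code from the thread and not ClamAV's own code. It needs only the Python standard library: `clamscan_scanner` additionally assumes a `clamscan` binary on PATH, and the marker string and the three-message mailbox are constructed for the example so it runs offline. It also goes a step beyond the reply: before unzipping a suspected bomb on a scratch partition, `declared_expansion` reads the sizes recorded in the zip's central directory so the expansion ratio can be seen without extracting anything.

```python
"""Added example (not from the thread, not ClamAV code): split an mbox,
scan each message on its own, keep the clean ones, report the flagged
ones; plus a no-extraction expansion-ratio check for zip archives."""
import mailbox
import os
import shutil
import subprocess
import tempfile
import zipfile

# Constructed stand-in "signature" so the example runs without ClamAV.
MARKER = b"CONSTRUCTED-TEST-MALWARE-MARKER"


def marker_scanner(path):
    """Offline detector: True if the file contains the constructed marker."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def clamscan_scanner(path):
    """Real detector: shell out to clamscan (assumed on PATH).
    Exit status 0 = clean, 1 = signature matched, 2 = error."""
    rc = subprocess.run(["clamscan", "--no-summary", path],
                        stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    if rc == 2:
        raise RuntimeError("clamscan failed on %s" % path)
    return rc == 1


def split_scan_recombine(mbox_path, clean_path, scanner=marker_scanner):
    """Write each message to its own file, scan it, append only the clean
    ones to clean_path. Returns [(index, From, Subject)] for flagged
    messages; index is the message's position in the source mbox."""
    flagged = []
    workdir = tempfile.mkdtemp(prefix="mboxsplit-")
    src = mailbox.mbox(mbox_path)
    dst = mailbox.mbox(clean_path)
    try:
        for idx, msg in enumerate(src):
            single = os.path.join(workdir, "msg%05d.eml" % idx)
            with open(single, "wb") as fh:
                fh.write(msg.as_bytes())
            if scanner(single):
                flagged.append((idx, msg.get("From", ""), msg.get("Subject", "")))
            else:
                dst.add(msg)
        dst.flush()
    finally:
        dst.close()
        src.close()
        shutil.rmtree(workdir)
    return flagged


def declared_expansion(zip_path):
    """(compressed, uncompressed, ratio) summed over the central directory.
    Nothing is extracted; the sizes were written by the archive's author,
    so the ratio is a hint, not proof."""
    comp = uncomp = 0
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            comp += info.compress_size
            uncomp += info.file_size
    return comp, uncomp, (uncomp / comp if comp else float("inf"))


def build_sample_mbox(path):
    """Constructed three-message mailbox; message 1 carries the marker."""
    box = mailbox.mbox(path)
    bodies = [b"meeting notes", b"see attachment " + MARKER, b"thanks"]
    for i, body in enumerate(bodies):
        m = mailbox.mboxMessage()
        m["From"] = "sender%d@example.test" % i
        m["Subject"] = "msg %d" % i
        m.set_payload(body.decode())
        box.add(m)
    box.flush()
    box.close()


def demo_mbox():
    """Returns (flagged list, number of messages kept) for the sample mbox."""
    d = tempfile.mkdtemp(prefix="demo-")
    try:
        src, out = os.path.join(d, "in.mbox"), os.path.join(d, "clean.mbox")
        build_sample_mbox(src)
        flagged = split_scan_recombine(src, out)
        box = mailbox.mbox(out)
        kept = len(box)
        box.close()
    finally:
        shutil.rmtree(d)
    return flagged, kept


def demo_bomb(megabytes=8):
    """Zip a run of NULs (the constructed bomb the reply describes) and
    return its declared expansion, roughly 1000:1 for deflate."""
    d = tempfile.mkdtemp(prefix="bomb-")
    try:
        path = os.path.join(d, "zeros.zip")
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("zeros.bin", b"\0" * (megabytes * 1024 * 1024))
        return declared_expansion(path)
    finally:
        shutil.rmtree(d)
```

Against a real mailbox call `split_scan_recombine("in.mbox", "clean.mbox", clamscan_scanner)`; the returned index is the message's position in the mailbox and the From header says where it came from, which answers the "for future precaution" question without deleting the whole folder. The ratio check is only a first look: the central-directory sizes are attacker-controlled, so the unzip-on-a-scratch-partition step the reply advises is still what actually bounds the damage.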