Dear Sanders, 

First of all, thank you for your interest! :)

> I'm not sure ClamAV is the right tool for you. I doubt that ClamAV scans
> inside pst-files, you need the MAPI-interface for that.
> Also, I don't think dbx files are supported either, but it still might be
> possible for clam to recognize viruses in them.

I guess it is possible to scan inside dbx as long as files in dbx are stored
in "raw" format (actually, I don't know). However, if dbx implements a UNIX
mailbox-like format for attachments (that is, a text transcodification of the
file, like base64) I guess clamavscan wouldn't be able to search for viruses (it
would need to transcode the text encoding back to the "raw" format of the
attached file).

> I would guess that your best bet is going for a scanner (actually,
> scanners if you want to do a thorough job) that has Windows as its native platform
> (ClamAV is designed for *nix) and doing it from a Windows environment (which
> would allow you to use the MAPI-interface to scan inside the pst's). But it
> really depends on what kind of system and compromise (accidental or
> professionally targeted) you're dealing with.

I do forensics as a hobby; it isn't a professional target.

You are right, but given that I'm analysing a Windows post-mortem filesystem
from a GNU/Linux environment, it is difficult to execute a Windows-native
scanner. Maybe I should change my analysis environment (from GNU/Linux ->
Windows :)

However, although I don't know the clamavscan code architecture, from the
clamavscan code point of view a .dbx should be more or less like a .zip or
.rar: a file (with a given coding) that stores files inside that need to be
analysed.

Maybe a patch could be developed inspired by the .zip/.rar processing code.
I don't know if this is the right place for such a discussion (or even if I
would have the time/expertise to develop the patch in case I get all the
needed information :), but this would require two pieces of information:

- Which part of the code implements the .zip/.rar analysis?
- Documentation about the .dbx format (maybe difficult, because Microsoft
doesn't usually document its file formats)

Again, any piece of help/information is welcome!

Best regards,

--------------------
Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860
Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12 
Fax : +34 93 645 29 01
Email address: [EMAIL PROTECTED] 

PS. I'm focusing on .dbx, not on .pst (it seems to be a more complex file
format, and, actually, the mailbox files that I have in my Windows
filesystem are all .dbx).
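The point raised above about transfer-encoded attachments, as an added example that is not part of this thread or of ClamAV's own code: a constructed MIME message stores its attachment base64-encoded, a byte-string signature search over the stored text misses it, and the same search succeeds once each part's transfer encoding is undone. The marker string, filenames and addresses are constructed for the example.

```python
import base64
from email import message_from_string

# Constructed test data: the attachment body carries a marker string that
# stands in for a scanner signature; the message stores it base64-encoded.
MARKER = b"SAMPLE-SIGNATURE-STRING"
ATTACHMENT = b"header bytes " + MARKER + b" trailer bytes"

RAW_MESSAGE = (
    "From: sender@example.invalid\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attachment.\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="sample.bin"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(ATTACHMENT).decode("ascii")
    + "--b1--\n"
)


def signature_hits(data: bytes, signature: bytes) -> bool:
    """Toy signature check: a plain byte-string search over the data."""
    return signature in data


def scan_stored_text(raw: str, signature: bytes) -> bool:
    """Match against the mailbox text exactly as stored on disk."""
    return signature_hits(raw.encode("ascii"), signature)


def scan_decoded_parts(raw: str, signature: bytes) -> list:
    """Undo each MIME part's transfer encoding, then match; returns matching filenames."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # reverses base64 / quoted-printable
        if payload and signature_hits(payload, signature):
            hits.append(part.get_filename() or "(inline body)")
    return hits


if __name__ == "__main__":
    print("match on stored text:", scan_stored_text(RAW_MESSAGE, MARKER))
    print("match after decoding:", scan_decoded_parts(RAW_MESSAGE, MARKER))
```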

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
