Re: [newbie] Virus Program seems to be missing vital component.
On Monday 03 January 2005 17:30, SnapafunFrank wrote:
> > If you run a local copy of an MTA like Postfix, and route your ISP mail
> > through that local MTA, you can push mail through a virus checker prior
> > to local delivery.
>
> Exactly what I believe ought to be available always. Let the more
> advanced then override / customize, but start out with this running?

There are security concerns involved in starting/running services that aren't explicitly needed. Thus, MTAs do NOT get installed by default in most distributions.

> > There would be no need to filter outgoing mail with Linux, because the
> > only way that you could send a virus out would be to manually attach
> > the virus to your mail and I assume that you are not going to do that
> > unless it is intentional.
>
> Does this cover email simply "Forwarded" also? Such usually include
> attachments I believe.

Well, "forwarded" messages imply that you "received" the message in the first place. If it is scanned coming in, I hardly think scanning it a second time on the way out will provide any additional level of security.

> Not really after doing something beyond newbie level, it's just that the
> first thing anyone new to any OS would want to do, is to set up an email
> client, and here in Linux, making this one thing really simple and
> educational, may help first time newbies get started with some form of
> achievement 'tucked under their belt'.

I assume that is why the KDE developers included the anti-virus wizard that searches for and then sets up anti-virus scanning for the user. If you aren't using Kmail, you might want to give it a look. If your particular email client doesn't support antivirus scanning, you might consider asking the developers to include it. However, you should keep in mind that given the platform, antivirus scanning for Linux mail clients is probably VERY low on anyone's list of things to do.

As has been pointed out, viruses are not really a serious threat with Linux and Linux mail client scanning does NOTHING to stop virus propagation to Windows platforms, thus it is basically an answer looking for a problem. So, scanning from the MTA side is documented and many of us, including myself, do it because some of our users might be using Windows and we don't want to contribute to the virus/worm problem. Scanning from the Linux mail client side is pretty much unnecessary and pointless, thus, no one has spent much time documenting it or making it easy. For myself, I can think of more useful things to do with my time than document a process that is unnecessary and pointless simply because some Windows users might think it a good thing to have because they have to do it using Windows.

--
Bryan Phinney

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
Re: [newbie] Virus Program seems to be missing vital component.
Bryan Phinney wrote:
> On Sunday 02 January 2005 20:01, SnapafunFrank wrote:
> > What I had in mind is that a "onboard" mail client be established that
> > would allow any email client to get the email via it, appoint klamav to
> > check the email coming through and going out at this point - basically
> > all email passes "this way".
> >
> > Similar to the 'server' capabilities of AVG7 Pro that I use when I visit
> > my windows installation.
> > Interested?
>
> If you mean a new project, I figured I would mention to you that Linux has
> this capability built in.

Not a new project necessarily - but a helping hand to get what is at present available, up and running.

> If you run a local copy of an MTA like Postfix, and route your ISP mail
> through that local MTA, you can push mail through a virus checker prior to
> local delivery.

Exactly what I believe ought to be available always. Let the more advanced then override / customize, but start out with this running?

> There would be no need to filter outgoing mail with Linux, because the
> only way that you could send a virus out would be to manually attach the
> virus to your mail and I assume that you are not going to do that unless
> it is intentional.

Does this cover email simply "Forwarded" also? Such usually include attachments I believe.

I know, quite a hunk of system 'invasion' is because of the interface between the chair and the keyboard, so the only way to stop it is to educate, and setting up an anti-virus environment within linux just may well get that education started - especially when it requires that the user interact with things.

> I haven't done it, but I also assume that you can use procmail and clamav
> to push mail through a virus checker prior to local delivery as well. I
> imagine that you can use Kmail's anti-virus wizard to do the same thing.
> However, most Linux machines would probably do this at the MTA level,
> whether local or not, rather than trying to build a whole new project at
> the client level.

Not really after doing something beyond newbie level, it's just that the first thing anyone new to any OS would want to do, is to set up an email client, and here in Linux, making this one thing really simple and educational, may help first time newbies get started with some form of achievement 'tucked under their belt'.

> And, as an aside, any reliance on a tag that says that a mail has been
> virus scanned is really VERY misguided, since such tags can be spoofed
> very easily, and in fact, several worms spoof exactly such tags in their
> mail.

Agreed - but it seems to make many happy - hence my endeavours to get them into Linux so that they can start to understand what the realities truly are. Mind, the tag doesn't need to be virus specific, it could reflect what has actually been done so as to pacify sceptics a little, albeit sender specific.

So, to get started, how about we build on the following:

Setting up a safe email account on a stand alone machine.
(I hope to expand the following with the help of members here, to actually take newbies through the process one step at a time.)

1. Set up an MTA program
   i) Configure an account that handles email both to and from your ISP
2. Set up an anti-virus program
   i) Configure the MTA program to feed email through the anti-virus program
3. Choose any email client you prefer
   i) Set up an account that retrieves and delivers email through the MTA program.

I believe that an example setup using mandrake specific package availability first with pointers to alternatives ought to be included. My aim here is to get such an email setup up and running by the first time newbie and then encourage them to try their own customization. One of the big put-offs I see when attempting to interest others in Linux, is the requirement to RTFM. Yes, they still need to do that, but let's get them started USING Linux.

Again - Interested?

If so, I ought to start a new thread so that we can find the most suitable way of dealing with the initial problem that started this thread. As to the original posting, would forwarding email to yourself, using such a setup, help resolve your problem - re retention of specific emails?

--
Newbie Seeking USER_FUNCTIONALITY always!
Regards
SnapafunFrank
Big or small, a challenge requires the same commitment to resolve.
Registered Linux User # 324213
Re: [newbie] Virus Program seems to be missing vital component.
On Sunday 02 January 2005 20:01, SnapafunFrank wrote:
> What I had in mind is that a "onboard" mail client be established that
> would allow any email client to get the email via it, appoint klamav to
> check the email coming through and going out at this point - basically
> all email passes "this way".
>
> Similar to the 'server' capabilities of AVG7 Pro that I use when I visit
> my windows installation.
> Interested?

If you mean a new project, I figured I would mention to you that Linux has this capability built in. If you run a local copy of an MTA like Postfix, and route your ISP mail through that local MTA, you can push mail through a virus checker prior to local delivery. There would be no need to filter outgoing mail with Linux, because the only way that you could send a virus out would be to manually attach the virus to your mail and I assume that you are not going to do that unless it is intentional.

I haven't done it, but I also assume that you can use procmail and clamav to push mail through a virus checker prior to local delivery as well. I imagine that you can use Kmail's anti-virus wizard to do the same thing. However, most Linux machines would probably do this at the MTA level, whether local or not, rather than trying to build a whole new project at the client level.

And, as an aside, any reliance on a tag that says that a mail has been virus scanned is really VERY misguided, since such tags can be spoofed very easily, and in fact, several worms spoof exactly such tags in their mail.

--
Bryan Phinney
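Bryan's point above (and the three-step plan in Frank's reply further up: an MTA, a scanner the MTA feeds every message through, and whatever client you like behind it) can be had on a stand-alone Mandrake box without Amavis by letting procmail hand each incoming message to a small delivery-time filter that streams it to clamd and writes its own verdict header. The script below is an added example written for this page, not the thread's or ClamAV's code. The socket path is an assumption (check LocalSocket in your clamd.conf; clamd can also listen on TCP port 3310), and the framing is clamd's INSTREAM protocol: a NUL-terminated "zINSTREAM" command, data chunks each prefixed with a 4-byte big-endian length, and a zero-length chunk to finish.

```python
import socket
import struct
import sys
from email.parser import BytesParser

# Where clamd listens is set by LocalSocket in clamd.conf; this path is an assumption
# for the example (distributions differ, and clamd can also be reached on TCP 3310).
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"
CHUNK = 64 * 1024


def instream_frames(data, chunk=CHUNK):
    """Yield the wire bytes of one clamd INSTREAM session: the NUL-terminated command,
    then length-prefixed chunks (4-byte big-endian length), then a zero-length chunk."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)


def parse_reply(reply):
    """clamd answers 'stream: OK', 'stream: <signature> FOUND' or '... ERROR'
    (NUL-terminated because the command was sent in 'z' form).
    Returns (verdict, detail) with verdict in {'clean', 'infected', 'error'}."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    _, _, result = text.partition(": ")
    if result == "OK":
        return "clean", None
    if result.endswith(" FOUND"):
        return "infected", result[:-len(" FOUND")]
    return "error", result


def scan_with_clamd(data, sock_path=CLAMD_SOCKET):
    """Stream a whole message to clamd over its Unix socket and return parse_reply()."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            got = s.recv(4096)
            if not got:
                break
            reply += got
    return parse_reply(reply)


def tag_message(raw, verdict, detail=None):
    """Return the message carrying this filter's own X-Virus-* headers and nobody else's."""
    msg = BytesParser().parsebytes(raw)
    # A sender, or a worm, can put these headers in itself, so any copy that arrived
    # with the message is discarded before the local verdict is written.
    del msg["X-Virus-Scanned"]
    del msg["X-Virus-Status"]
    msg["X-Virus-Scanned"] = "clamd INSTREAM via local delivery filter"
    msg["X-Virus-Status"] = "clean" if verdict == "clean" else f"{verdict} ({detail})"
    return msg.as_bytes()


if __name__ == "__main__":
    # Filter mode: message in on stdin, tagged message out on stdout. If clamd cannot be
    # reached we exit non-zero so procmail (with the 'w' flag) keeps the original message.
    raw = sys.stdin.buffer.read()
    try:
        verdict, detail = scan_with_clamd(raw)
    except OSError as exc:
        sys.stderr.write(f"clamd unreachable: {exc}\n")
        sys.exit(75)  # EX_TEMPFAIL
    sys.stdout.buffer.write(tag_message(raw, verdict, detail))
```

Hooked into ~/.procmailrc as a filter recipe (`:0 fw` followed by `| /usr/local/bin/clamd-filter.py`), with a second recipe that matches `^X-Virus-Status: infected` and delivers to a quarantine folder, every message is scanned before any client ever fetches it, whichever client that is. Because the filter strips any X-Virus-* header that arrived with the message, the only tag a later rule can match is the one this machine wrote; that is exactly the caveat Bryan raises about scanned-tags, which mean nothing unless you know who added them.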
Re: [newbie] Virus Program seems to be missing vital component.
On Sun, 02 Jan 2005 11:20:43 +, Graham Watkins wrote:
> deedee E wrote:
> >
> > I confess to some confusion about your problem. Is there some
> > reason you are forced to execute the worm-infested e-mail while
> > running Windows? Why not just treat it like junk mail and delete
> > it? Isn't it junk mail?
>
> I'm not executing anything. I'm not doing anything with mail in
> windows. I'm not treating it as junk mail because these worms are
> not (visibly) attached to any individual mail. They are attached
> to the mail folders in my personal Mozilla (and now Evolution)
> settings. This is what I get from a Clamav scan:

As far as I can tell, the mystery from your perspective is that these worms have somehow gotten into your Inbox folder and you're worried that you can't get them out. I can hear your frustration, but understand ours. There is no mystery here. Read on.

> .evolution/mail/local/Inbox: Worm.Bagle.AP FOUND
> .evolution/mail/local/Inbox.sbd/Newbie: Worm.SomeFool.P FOUND
> (rest of scan snipped)
> --- SCAN SUMMARY ---
> Known viruses: 25253
> Scanned directories: 31
> Scanned files: 59
> Infected files: 2
> Data scanned: 62.38 MB
> I/O buffer size: 131072 bytes
> Time: 76.410 sec (1 m 16 s)
> [EMAIL PROTECTED] graham]$

Your system is telling you in no uncertain terms where these worms are hanging out, i.e., /.evolution/mail/local/Inbox and /.evolution/mail/local/Inbox.sbd/newbie:. Take Anne's advice about emptying your Trash and compacting your mailboxes. Then, run the scan again.

If the worms still appear, then take the advice I gave in my previous post on this, and open your favorite text editor -- kate, kwrite, joe, ed, emacs, vi -- it doesn't matter. Go to the folder Inbox and open each file you find there in the text editor. It doesn't matter if your mail is in mbox or mdir format, they are both human readable using a text editor. Check for any messages that include binaries, i.e., it looks like garbage and you can't read it.

Note in the header of each of those files Content-Type, From, Subject, and Date. E-mail headers are always in plain text. Go back to Evolution and look in your Inbox for those particular e-mails. Most people have Sender, Subject and Date showing so they should be very easy to spot. Open in Evolution the ones you noted with the binary formats. You now should be able to see what the attachment is as well as why you kept the post. If you delete the affected posts, that should end your problem.

Let's say, however, that you still don't find anything. Then, your AV software is giving you false positives. Worms, viruses, and so forth do not live in limbo. There cannot be a mysterious presence. They are always connected with one or more files (even on Windows systems). They are visible if you know where to look. Go to Symantec or one of the other sites that provides this kind of information. They will tell you exactly how those worms act, which files they leave in their wake, and where they are left on a system. Do a find on your computer for the file names that the AV site says the worms use, if you're still concerned after reading what the AV sites have to say. The malcode must be in individual files which can be removed individually.

> There are no dodgy files .exe, .com, .pif or otherwise. If they
> had been attached to individual mails, I would have known about
> them already. I thought that I had made this clear - apparently
> not.
> The problem as I see it is to find some way of disinfecting these
> files *without having to wipe all my existing mail*. This is why
> I was asking about the bug in Klamav which prevents me from
> scanning individual mails in Evolution.

I doubt that there is such a bug in Klamav. I don't think it was ever intended to do what you want, i.e., scan mail in an MUA (in this case Evolution). It's my belief that you're using it for a different purpose than it was created for. I think it's supposed to scan mail in an MTA. However, I won't swear to that because I don't use the software.

It is possible that the affected messages are not able to be disinfected, i.e., they may only contain the worm and nothing else, so the individual file/post must be deleted to get rid of the attachment containing the worm. Mdir mailboxes save the messages individually; mbox mailboxes append each new message to the end of the previous one for storage. However, both kinds of mailboxes allow you to remove messages individually using your MUA. You don't have to delete all the mail in a mailbox to get rid of individual problem posts. A folder cannot harbor a worm. Folders hold files. Files can harbor worms.

> My Windows setup has a fairly regularly updated Norton AV on it
> but life's too short to boot into Windows just to run a scan -
> that's one of the reasons I installed Clamav/Klamav. The rpm
> version of Klamav is quite old (0.6) and is giving me the
> problem, i.e. not installing Klammail. There is a much newer
> ve
Re: [newbie] Virus Program seems to be missing vital component.
OK I have been following this thread to hopefully find a suitable way of appeasing those that call on me to help them with their SOHO setups. (Myself included.)

How about we attack this problem by starting over so as to attempt to save relevant emails that the original poster is trying to save. I thought that a simple HOWTO for the newbie (again, me included) would be of great benefit here.

What I had in mind is that a "onboard" mail client be established that would allow any email client to get the email via it, appoint klamav to check the email coming through and going out at this point - basically all email passes "this way".

Similar to the 'server' capabilities of AVG7 Pro that I use when I visit my windows installation.

This would then allow you to 'Forward' all your emails back to yourself knowing that klamav will check them all - I think, allowing for you to manage what gets done.

The small businesses I deal with here feel confident (albeit naive at times) when they see my emails posted from windows because of the declaration at the end saying about "virus free". Such a declaration could be inclusive of the agent checking emails and hopefully over time, get the same acceptance from recipients that the windows world gets now.

Hey! We don't get bothered by windows virii very much, but we can pass them on.

To sum up, an email agent that rules the in/out email for a machine, that any av can check and act upon at that point, allowing you to use any email client you wish because your accounts would be addressed to the email client directly.

Interested?

--
Regards
SnapafunFrank
Big or small, a challenge requires the same commitment to resolve.
Registered Linux User # 324213
Re: [newbie] Virus Program seems to be missing vital component.
On Sunday 02 January 2005 12:43 pm, Anne Wilson wrote:
> > There are no dodgy files .exe, .com, .pif or otherwise.
>
> The problem there is that virus writers realise that we now recognise
> these, so they use a variety of tricks to hide the .exe or whatever. I
> think it goes something like 'virusedemail.jpg .exe' The mail would
> display the name 'virusedemail.jpg' but not the '.exe' because of the
> space. (Speaking only from memory - and there are probably lots of other
> tricks anyway.)

The other day I received, from a known address, an email with a .EML.zip. It smelt like a virus but, being curious, I clicked on it. It unzipped it and I got a warning from Kmail that I was about to execute a program. I only have Mandrake 10 but thought I had gone far enough and deleted the message. Then I noticed 3 new messages in my outbox, no content except Re: I never put them there. I forgot to see to whom they were destined but they would have been harmless anyway.

Maryse
Re: [newbie] Virus Program seems to be missing vital component.
On Sunday 02 January 2005 06:20, Graham Watkins wrote:
> > Yes. I have copies of all three on my Linux system. I also do not use
> > Windows for mail. You don't have to run windows to end up with your
> > email address being used by someone else who does have Windows and who
> > gets infected with a Worm which then tries to propagate to you.
>
> Erm, I'm not clear what you are trying to tell me here. Are you saying
> that it's not really a problem if it's not a windows mail program that's
> infected?

No, I was pointing out that you don't have to run Windows to end up on the receiving list of Windows viruses. You shouldn't assume that the virus notifications are Linux viruses simply because you run Linux. They are much more likely to be Windows viruses. And, a windows virus is not really a problem on a Linux machine and will not infect anything.

> I'll look into this - thanks. Integrating with Postfix is not a problem
> as I don't run it. But will it scan mails in Mozilla or Evolution?
> Something that will seems to be my only chance of eradicating the
> problem without actually having to trash my entire mailbox.

Actually, if you have clamav installed, you should be able to run it from the CLI and have it quarantine the viruses in the messages themselves without any problem. Just tell it to scan the /var/spool/mail directory and it should pull them out. However, this is really unnecessary. All you need to do is simply delete the message that has the windows virus attachment. From within Linux.

--
Bryan Phinney
Re: [newbie] Virus Program seems to be missing vital component.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 02 Jan 2005 13:42, Graham Watkins wrote:
> And it's a pity that no-one knows how to make klammail work properly
> because that looked like a pretty good way of dealing with infected mails.
>
Why not try the kde mailing lists? I presume klammail is a kde product?

Anne
- --
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB1/rmkFAvMr/nNX8RApZ9AJ9+ixAQhMJYBpKIWNt3gf7M+q4V3ACgoh0H
cpx0O3Se8FtnM8KFiDKuvc8=
=/Ecp
-----END PGP SIGNATURE-----
Re: [newbie] Virus Program seems to be missing vital component.
Anne Wilson wrote:
> On Sunday 02 Jan 2005 11:43, Anne Wilson wrote:
> > The viruses do not come in on genuine mail. The headers may suggest that
> > they are from a reputable source, but they never are. Many are instantly
> > recognisable as emails that you have not solicited. Delete them. Others
> > claim to come from Microsoft or AV distributors. None of these sources
> > would ever send you an email. Delete them. If you have any messages with
> > *any* attachment other than the MandrakeSoft footer, delete them unless
> > you are *very* sure that they came from a friend with an un-infected box.
> > When you have done all that, compress your mail folder from within Evo,
> > then try the scan again.
> >
> > There is no way that you need to delete all your existing mails if you
> > do all this.
>
> I forgot to say - if you 'delete' a message by sending it to the wastebin
> folder it is not deleted. You must delete it from there as well. (Does
> shift-delete send it straight there?). Both the inbox and the wastebin
> must then be compacted. Until they are compacted they are not actually
> removed - just invisible - and a scan will still find them. After
> compaction you should be clear.
>
> Anne

Anne, I do know all this. I might not have your level of knowledge and skill but I have been round the block a few times and know enough about how to deal with viruses that drift into the inbox. What you don't seem to appreciate is that there is a mystery here because there are *no* suspect files attached to anything in my evo inbox. I know because I've checked. Twice. Yet the inbox and newbie files are shown as being infected.

My current strategy is to delete all the mail that I know I can live without and run the scan again and see if the worms have gone. (Perhaps I should have called this thread "A Can Of Worms" :-)) I'll let you all know how that goes but it seems to me that even if it solves the problem, it won't have solved the mystery.

And it's a pity that no-one knows how to make klammail work properly because that looked like a pretty good way of dealing with infected mails.

Cheers,
Graham
Re: [newbie] Virus Program seems to be missing vital component.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 02 Jan 2005 11:43, Anne Wilson wrote:
>
> The viruses do not come in on genuine mail. The headers may suggest that
> they are from a reputable source, but they never are. Many are instantly
> recognisable as emails that you have not solicited. Delete them. Others
> claim to come from Microsoft or AV distributors. None of these sources
> would ever send you an email. Delete them. If you have any messages with
> *any* attachment other than the MandrakeSoft footer, delete them unless you
> are *very* sure that they came from a friend with an un-infected box. When
> you have done all that, compress your mail folder from within Evo, then try
> the scan again.
>
> There is no way that you need to delete all your existing mails if you do
> all this.
>
I forgot to say - if you 'delete' a message by sending it to the wastebin folder it is not deleted. You must delete it from there as well. (Does shift-delete send it straight there?). Both the inbox and the wastebin must then be compacted. Until they are compacted they are not actually removed - just invisible - and a scan will still find them. After compaction you should be clear.

Anne
- --
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB199ZkFAvMr/nNX8RAp9eAKCMaWANnAsNaA15tav2vHv/Qd9MbQCfdAxo
cArD6qEynUjpE6J+9gRsHAc=
=ZwIc
-----END PGP SIGNATURE-----
Re: [newbie] Virus Program seems to be missing vital component.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 02 Jan 2005 11:20, Graham Watkins wrote:
>
> .evolution/mail/local/Inbox: Worm.Bagle.AP FOUND
> .evolution/mail/local/Inbox.sbd/Newbie: Worm.SomeFool.P FOUND
> (rest of scan snipped)
> --- SCAN SUMMARY ---
> Known viruses: 25253
> Scanned directories: 31
> Scanned files: 59
> Infected files: 2
> Data scanned: 62.38 MB
> I/O buffer size: 131072 bytes
> Time: 76.410 sec (1 m 16 s)
> [EMAIL PROTECTED] graham]$
>
That sounds like mbox. The reason I thought it would be mdir was that I remember a friend having problems importing his mail, and I thought that was the issue.

> There are no dodgy files .exe, .com, .pif or otherwise.

The problem there is that virus writers realise that we now recognise these, so they use a variety of tricks to hide the .exe or whatever. I think it goes something like 'virusedemail.jpg .exe' The mail would display the name 'virusedemail.jpg' but not the '.exe' because of the space. (Speaking only from memory - and there are probably lots of other tricks anyway.)

> If they had been
> attached to individual mails, I would have known about them already. I
> thought that I had made this clear - apparently not.
> The problem as I see it is to find some way of disinfecting these files
> *without having to wipe all my existing mail*. This is why I was asking
> about the bug in Klamav which prevents me from scanning individual mails
> in Evolution.
>
The viruses do not come in on genuine mail. The headers may suggest that they are from a reputable source, but they never are. Many are instantly recognisable as emails that you have not solicited. Delete them. Others claim to come from Microsoft or AV distributors. None of these sources would ever send you an email. Delete them. If you have any messages with *any* attachment other than the MandrakeSoft footer, delete them unless you are *very* sure that they came from a friend with an un-infected box. When you have done all that, compress your mail folder from within Evo, then try the scan again.

There is no way that you need to delete all your existing mails if you do all this.

> > Are you receiving e-mail that you must open and deal with that also
> > contains viruses? And, you must open it in Windows? Is that the
> > problem? Like a Word attachment you're expecting from a colleague
> > and it turns out to have a virus perhaps. Even then, you can
> > safely open it in OO. OO can't execute VBS macros (the carrier of
> > viruses in MSOffice files).
>
> No, no, and no. I know and this isn't the point of my query.
>
What exactly *is* the point? That might help us deal with this better. I thought you were concerned because virused emails were present in an evo folder while you have a windows dual-boot system. If that is so, it has already been explained to you that windows will not execute the viruses unless you read the mail in windows.

> My Windows setup has a fairly regularly updated Norton AV on it

At the rate of propagation recently, 'fairly regularly' is not good enough. It needs to be daily, now, to be efficient.

> but
> life's too short to boot into Windows just to run a scan -

so why do it? Run a scan when you boot into Windows to use it - before you connect to the Internet. Don't connect and go to your ISP's portal, but straight to the AV update site and get a complete update. Re-run the scan, and you can do anything you like. I presume that running Norton would not pick up the emails in your Evo folder anyway, as Linux partitions are not read by Windows.

> that's one of
> the reasons I installed Clamav/Klamav.

As it was said earlier - if you don't run a mail server there is little point in installing ClamAV. I only intend doing it because I want to set up a mail server. I've been running Linux exclusively for almost 3 years now, and have never infected anyone, nor has a virus on my system caused me any problems before I discovered how to filter them to make removal easier.

Anne
- --
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB195/kFAvMr/nNX8RAnsGAJ9lQMPnrLjvRvi34RY1M2BbW5z3zwCeJFrF
cgVlt7WFEikpcgIwUbiapu0=
=Aceg
-----END PGP SIGNATURE-----
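Anne's hidden-extension trick just above, and the text-editor walk through each message that was suggested earlier in the thread, can be done mechanically. The script below is an added example written for this page, not code from the thread or from ClamAV/KlamAV. It opens an mbox file such as Evolution's or Mozilla's Inbox (or a Maildir, if that is what the client uses), walks the MIME parts of every message, and reports the ones that carry a whitespace-padded double extension like 'virusedemail.jpg .exe', an attachment whose bytes start with the MZ magic of a Windows executable whatever its name claims, or a zip that hides an executable (the .EML.zip Maryse describes). For each hit it also says whether the message is one that was deleted but is still in the file because the folder was never compacted, which is why a scan keeps reporting a folder the client shows as clean. The sample folder is constructed inline; the list of executable extensions and the X-Mozilla-Status 0x0008 "expunged" bit are assumptions of the example, not facts stated in the thread.

```python
import base64
import io
import mailbox
import os
import re
import sys
import tempfile
import zipfile

# Extensions Windows runs on a double-click. An assumed list for this example, not from the thread.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

def sample_message(sender, subject, status, filename=None, ctype=None, data=b""):
    """Render one raw mbox message (constructed sample data). X-Mozilla-Status is the
    per-message flag word Mozilla keeps in the folder file; bit 0x0008 means the message
    was deleted but not compacted out yet (assumed from the documented flag set)."""
    head = (f"From {sender} Sat Jan  1 09:00:00 2005\nFrom: {sender}\n"
            f"Subject: {subject}\nX-Mozilla-Status: {status}\n")
    if filename is None:
        return head + "\nNothing attached.\n\n"
    return (head + 'Content-Type: multipart/mixed; boundary="bb"\n\n--bb\n'
            f'Content-Type: {ctype}; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n'
            "Content-Transfer-Encoding: base64\n\n"
            + base64.b64encode(data).decode() + "\n--bb--\n\n")

def build_sample_mbox():
    """Four constructed messages: one clean, one with a whitespace-padded double extension,
    one '.jpg' that is really a Windows executable, one zip hiding an executable."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # only the DOS/PE magic, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.eml.exe", fake_pe)
    return "".join([
        sample_message("alice@example.com", "Lunch", "0001"),
        sample_message("bob@example.com", "Re: Photos", "0009",
                       "holiday.jpg" + " " * 30 + ".exe", "application/octet-stream", fake_pe),
        sample_message("carol@example.com", "Invoice", "0000", "invoice.jpg", "image/jpeg", fake_pe),
        sample_message("dave@example.com", "Re:", "0000", "message.EML.zip", "application/zip",
                       buf.getvalue()),
    ])

def write_sample_mbox(path=None):
    """Write the constructed folder to disk (a temp file by default) and return its path."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "Inbox")
    with open(path, "w", newline="\n") as fh:
        fh.write(build_sample_mbox())
    return path

def real_extension(filename):
    """The extension Windows acts on once whitespace padding is removed:
    'virusedemail.jpg      .exe' -> '.exe'."""
    return os.path.splitext(re.sub(r"\s+", "", filename))[1].lower()

def suspicious_reasons(part):
    """Reasons one MIME part looks like a worm carrier; an empty list means none."""
    name = part.get_filename()
    if part.is_multipart() or not name:
        return []
    reasons, ext = [], real_extension(name)
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext} behind displayed name {name!r}")
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":
        reasons.append("payload starts with the MZ magic of a Windows executable")
    if ext == ".zip" or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                inner = [n for n in zf.namelist() if real_extension(n) in EXEC_EXTS]
            if inner:
                reasons.append("zip carries executable(s): " + ", ".join(inner))
        except zipfile.BadZipFile:
            reasons.append("claims to be a zip but does not parse as one")
    return reasons

def audit_folder(path):
    """Walk every message in an mbox file (or a Maildir directory) and return
    [(index, subject, deleted_not_compacted, reasons)] for messages with suspicious parts."""
    box = mailbox.Maildir(path, create=False) if os.path.isdir(path) else mailbox.mbox(path, create=False)
    findings = []
    for idx, msg in enumerate(box):
        reasons = [r for part in msg.walk() for r in suspicious_reasons(part)]
        if reasons:
            try:
                expunged = bool(int(msg.get("X-Mozilla-Status", "0000"), 16) & 0x0008)
            except ValueError:
                expunged = False
            findings.append((idx, msg.get("Subject", ""), expunged, reasons))
    return findings

if __name__ == "__main__":
    # Usage: audit_mbox.py ~/.evolution/mail/local/Inbox   (no argument: the constructed folder)
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_mbox()
    for idx, subject, expunged, reasons in audit_folder(target):
        print(f"message #{idx} {subject!r}" + (" (deleted, folder not compacted)" if expunged else ""))
        for reason in reasons:
            print("   -", reason)
```

Run it with no argument to watch it work on the constructed folder, or point it at the real file. The index it prints is the message's position in the file, which is what you need to find it in a text editor or in the client; deleting that message and then compacting the folder is what finally makes the scanner stop reporting the Inbox.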
Re: [newbie] Virus Program seems to be missing vital component.
deedee E wrote:
> I confess to some confusion about your problem. Is there some reason you
> are forced to execute the worm-infested e-mail while running Windows? Why
> not just treat it like junk mail and delete it? Isn't it junk mail?

I'm not executing anything. I'm not doing anything with mail in windows. I'm not treating it as junk mail because these worms are not (visibly) attached to any individual mail. They are attached to the mail folders in my personal Mozilla (and now Evolution) settings. This is what I get from a Clamav scan:

.evolution/mail/local/Inbox: Worm.Bagle.AP FOUND
.evolution/mail/local/Inbox.sbd/Newbie: Worm.SomeFool.P FOUND
(rest of scan snipped)
--- SCAN SUMMARY ---
Known viruses: 25253
Scanned directories: 31
Scanned files: 59
Infected files: 2
Data scanned: 62.38 MB
I/O buffer size: 131072 bytes
Time: 76.410 sec (1 m 16 s)
[EMAIL PROTECTED] graham]$

There are no dodgy files .exe, .com, .pif or otherwise. If they had been attached to individual mails, I would have known about them already. I thought that I had made this clear - apparently not.

The problem as I see it is to find some way of disinfecting these files *without having to wipe all my existing mail*. This is why I was asking about the bug in Klamav which prevents me from scanning individual mails in Evolution.

> Are you receiving e-mail that you must open and deal with that also
> contains viruses? And, you must open it in Windows? Is that the problem?
> Like a Word attachment you're expecting from a colleague and it turns out
> to have a virus perhaps. Even then, you can safely open it in OO. OO can't
> execute VBS macros (the carrier of viruses in MSOffice files).

No, no, and no. I know and this isn't the point of my query.

(snipped)

> Sign up for the security advisories if you're concerned about Linux
> exploits. Mandrake has a great mailing list for security advisories. There
> are a number of Linux sites which list advisories for all Open Source
> software. AV software tends not to include anything that's not actually in
> the wild. Security advisories come out as soon as a vulnerability is
> known. For a Linux system, they are much more useful and timely than AV
> software.

This may be worth looking at - thanks.

> Just to underscore what others have mentioned -- antivirus software
> (including Linux antivirus software) is looking for Windows viruses. It is
> really necessary only for Linux mail servers distributing mail to people
> who may open their mail in Windows. Personally, I've always found it
> useful for scanning my Windows partitions without going to the trouble of
> starting Windows. Linux antivirus software also tends to be more expensive
> than Windows AV software and a bigger headache to install, because it's
> not really meant for a stand alone system. Have you considered installing
> one of the many excellent free Windows AV products on your Windows
> installation, and just boot into Windows once a week to update the
> definitions? Try Googling for one.

My Windows setup has a fairly regularly updated Norton AV on it but life's too short to boot into Windows just to run a scan - that's one of the reasons I installed Clamav/Klamav. The rpm version of Klamav is quite old (0.6) and is giving me the problem, i.e. not installing Klammail. There is a much newer version (0.9) on the Klamav site but it's source code and won't compile on my system.

Evidently no-one here has had the Klamav experience. Hope none of you ever need to.

Cheers,
Graham
Re: [newbie] Virus Program seems to be missing vital component.
Bryan Phinney wrote:
> On Saturday 01 January 2005 09:39, Graham Watkins wrote:
> > Wish it were that simple. I'm not running a mail server with windows
> > clients. This is a dual booting stand alone machine and I never use
> > windows for downloading mail. (In fact I use it as little as possible.)
> > Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything here?
>
> Yes. I have copies of all three on my Linux system. I also do not use
> Windows for mail. You don't have to run windows to end up with your email
> address being used by someone else who does have Windows and who gets
> infected with a Worm which then tries to propagate to you.

Erm, I'm not clear what you are trying to tell me here. Are you saying that it's not really a problem if it's not a windows mail program that's infected?

> > As I mentioned, klamav claims to be able to quarantine messages
> > containing viruses and worms but the component klammail doesn't seem to
> > exist on my system - ideas, anyone?
>
> Amavis or Amavis-new. There should be packages available in RPM format.
> Integrating those with Postfix is a little more difficult but not overly
> much. However, you can use Amavis without doing the integration and simply
> let Amavis quarantine the viruses for you.

I'll look into this - thanks. Integrating with Postfix is not a problem as I don't run it. But will it scan mails in Mozilla or Evolution? Something that will seems to be my only chance of eradicating the problem without actually having to trash my entire mailbox.

Cheers,
Graham
Re: [newbie] Virus Program seems to be missing vital component.
Anne Wilson wrote:

> I don't use Evo, but IIRC it uses mdir format, which means that each
> message is in a separate file (mbox puts a whole mail folder into one
> file). This being so, if you can identify which messages are the
> infected ones you can safely delete them, leaving all others. Whichever
> format a mail agent uses, deleting the offending messages, then
> compacting the folder (in mbox this is very important - if mdir format
> does it, use it) should leave you in a safe state. OTOH, if you don't
> read your mail at all in windows you are not going to be propagating
> the virus anyway.

Are you sure about Evo using mdir format - I only seem to have files for mail folders and the virus is residing in these. What the clamav scan shows is as follows:

.evolution/mail/local/Inbox: Worm.Bagle.AP FOUND
.evolution/mail/local/Inbox.sbd/Newbie: Worm.SomeFool.P FOUND
(rest of scan snipped)

--- SCAN SUMMARY ---
Known viruses: 25253
Scanned directories: 31
Scanned files: 59
Infected files: 2
Data scanned: 62.38 MB
I/O buffer size: 131072 bytes
Time: 76.410 sec (1 m 16 s)
[EMAIL PROTECTED] graham]$

> > If you search for attachments with the extensions .com, .exe and .zip
> > you can probably delete all the infected mails by hand. (From Linux,
> > just to be sure.)

If such attachments existed on my system, I would have known about them - and deleted them at the hurry-up. No single mails show any sign of infection.

> If you want to make it easy for yourself in future, read the TWiki page
> on setting up PopFile (it exists for windows, too). Training is a
> doddle, and after, say, 2 days everything should be working really
> well. You have to hand-classify the first few virus types that it sees,
> but then it can be set to add [virused] to the headers, and the mail
> agent can filter them into a separate folder for you.
>
> Messages classified: 27,224
> Classification errors: 115
> Accuracy: 99.57%
> (Last Reset: Tue Jul 6 14:35:03 2004)

Looks interesting, I'll check it out. Thanks

> > > Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything
> > > here?
>
> Yes, I've heard them all. Some of them exist under more than one name,
> and the various anti-virus sites will often only list one name. The
> main thing is not to panic. We can help you set up systems to keep you
> safe, but virused emails do keep coming. There's nothing you can do
> about that. Those who run mailservers filter them out at that level,
> but it's perfectly safe to do it at desktop level. FWIW, I got around
> 150 virused emails in November - and I don't have the volume of mail
> that professionals have - all identified, deleted, and the folders
> compacted.

I'm aware that there will always be e-mails with viruses attached. They tend to come in waves - nothing for a while then loads. Usually I just delete them when I get them. The worrying thing here is that what I have picked up doesn't appear to have arrived attached to any individual mail. If it had, I would have spotted it. It is the mysterious nature of the infection - the first I have ever encountered on a Linux box - that has spooked me. I still don't know whether I should quarantine and delete all my mail (a desperate measure indeed) in order to get rid of it.

> > > As I mentioned, klamav claims to be able to quarantine messages
> > > containing viruses and worms but the component klammail doesn't seem
> > > to exist on my system - ideas, anyone?
>
> I intend looking at clamav soon, but I can't help you on that atm.
>
> Anne

There don't seem to be any Clamav/Klamav users in the group. Unless they're still too hungover to respond :-)

Cheers,

Graham
Re: [newbie] Virus Program seems to be missing vital component.
On Sat, 01 Jan 2005 14:39:24 +, Graham Watkins wrote:

> Wish it were that simple. I'm not running a mail server with
> windows clients. This is a dual booting stand alone machine and
> I never use windows for downloading mail. (In fact I use it as
> little as possible.)

I confess to some confusion about your problem. Is there some reason you are forced to execute the worm-infested e-mail while running Windows? Why not just treat it like junk mail and delete it? Isn't it junk mail? Are you receiving e-mail that you must open and deal with that also contains viruses? And, you must open it in Windows? Is that the problem? Like a Word attachment you're expecting from a colleague and it turns out to have a virus perhaps. Even then, you can safely open it in OO. OO can't execute VBS macros (the carrier of viruses in MSOffice files).

If you suspect an e-mail of having a virus and you also feel compelled for some reason to open it before tossing it out, you can do so safely using a text editor. And, that's true for when Windows is running as well. I run several mailing lists and sometimes have to check mail bounced to me by the mailing list software because it trips a filter. When I still used Windows, I would download the mail in Eudora, but view it in WordStar in nondocument mode. Nothing happens when viewing a message in a text editor (notepad works just fine for this purpose, too), but you can see all kinds of stuff (like which IP address it really came from).

As others have pointed out, it can only be a problem if Windows is actually running (which cannot be the case on a dual-boot system if Linux is the system running). The same procedures used to handle garbage mail are more than adequate for handling mail with viruses on a Linux system.

Sign up for the security advisories if you're concerned about Linux exploits. Mandrake has a great mailing list for security advisories. There are a number of Linux sites which list advisories for all Open Source software. AV software tends not to include anything that's not actually in the wild. Security advisories come out as soon as a vulnerability is known. For a Linux system, they are much more useful and timely than AV software.

Just to underscore what others have mentioned -- antivirus software (including Linux antivirus software) is looking for Windows viruses. It is really necessary only for Linux mail servers distributing mail to people who may open their mail in Windows. Linux antivirus software also tends to be more expensive than Windows AV software and a bigger headache to install, because it's not really meant for a stand alone system. Have you considered installing one of the many excellent free Windows AV products on your Windows installation, and just boot into Windows once a week to update the definitions? Try Googling for one.

deedee
Registered Linux User #327485
Visit "WordStar & GNU/Linux" http://www.wordstar2.com
Also, see WordStar Users Group Community http://www.wordstar2.com/WordStar_Users/index.php
Re: [newbie] Virus Program seems to be missing vital component.
On Saturday 01 January 2005 09:39, Graham Watkins wrote:
> Wish it were that simple. I'm not running a mail server with windows
> clients. This is a dual booting stand alone machine and I never use
> windows for downloading mail. (In fact I use it as little as possible.)
>
> Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything here?

Yes. I have copies of all three on my Linux system. I also do not use Windows for mail. You don't have to run windows to end up with your email address being used by someone else who does have Windows and who gets infected with a Worm which then tries to propagate to you.

> As I mentioned, klamav claims to be able to quarantine messages
> containing viruses and worms but the component klammail doesn't seem to
> exist on my system - ideas, anyone?

Amavis or Amavis-new. There should be packages available in RPM format. Integrating those with Postfix is a little more difficult but not overly much. However, you can use Amavis without doing the integration and simply let Amavis quarantine the viruses for you.

--
Bryan Phinney
Re: [newbie] Virus Program seems to be missing vital component.
On Saturday 01 Jan 2005 15:33, Richard Urwin wrote:
> > Wish it were that simple. I'm not running a mail server with windows
> > clients. This is a dual booting stand alone machine and I never use
> > windows for downloading mail. (In fact I use it as little as
> > possible.)
>
> So long as you do not _read_ mail in Windows you are still safe. If you
> need to do so you are probably safe so long as you don't use Outlook. I
> would trust Evolution (designed as a mail client) more than Mozilla
> (trying to be an IE/Outlook killer), but they are both probably OK.
> Just because there are worms in some files on your system it doesn't
> mean you are in imminent danger; the worm needs to be executed to do
> any harm, and sitting in a mailbox it isn't in an executable state.
>
I don't use Evo, but IIRC it uses mdir format, which means that each message is in a separate file (mbox puts a whole mail folder into one file). This being so, if you can identify which messages are the infected ones you can safely delete them, leaving all others. Whichever format a mail agent uses, deleting the offending messages, then compacting the folder (in mbox this is very important - if mdir format does it, use it) should leave you in a safe state. OTOH, if you don't read your mail at all in windows you are not going to be propagating the virus anyway.

> If you search for attachments with the extensions .com, .exe and .zip
> you can probably delete all the infected mails by hand. (From Linux,
> just to be sure.)
>
If you want to make it easy for yourself in future, read the TWiki page on setting up PopFile (it exists for windows, too). Training is a doddle, and after, say, 2 days everything should be working really well. You have to hand-classify the first few virus types that it sees, but then it can be set to add [virused] to the headers, and the mail agent can filter them into a separate folder for you.

Messages classified: 27,224
Classification errors: 115
Accuracy: 99.57%
(Last Reset: Tue Jul 6 14:35:03 2004)

> > Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything
> > here?
>
Yes, I've heard them all. Some of them exist under more than one name, and the various anti-virus sites will often only list one name. The main thing is not to panic. We can help you set up systems to keep you safe, but virused emails do keep coming. There's nothing you can do about that. Those who run mailservers filter them out at that level, but it's perfectly safe to do it at desktop level. FWIW, I got around 150 virused emails in November - and I don't have the volume of mail that professionals have - all identified, deleted, and the folders compacted.

> > As I mentioned, klamav claims to be able to quarantine messages
> > containing viruses and worms but the component klammail doesn't seem
> > to exist on my system - ideas, anyone?
>
I intend looking at clamav soon, but I can't help you on that atm.

Anne
--
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels
Re: [newbie] Virus Program seems to be missing vital component.
On Saturday 01 Jan 2005 2:39 pm, Graham Watkins wrote:
> JR wrote:
> > Hi Graham,
> >
> > I have yet to install clam av, but I just wanted to point out that
> > the viruses being detected are most likely windows viruses that
> > would pass through a linux system without being able to cause any
> > harm.
> >
> > The reason clam av detects these is because linux is often used as
> > a mail server which often has windows clients.
> >
> > Hope you get your problem resolved, and happy new year!
> >
> > JR
>
> Wish it were that simple. I'm not running a mail server with windows
> clients. This is a dual booting stand alone machine and I never use
> windows for downloading mail. (In fact I use it as little as
> possible.)

So long as you do not _read_ mail in Windows you are still safe. If you need to do so you are probably safe so long as you don't use Outlook. I would trust Evolution (designed as a mail client) more than Mozilla (trying to be an IE/Outlook killer), but they are both probably OK. Just because there are worms in some files on your system it doesn't mean you are in imminent danger; the worm needs to be executed to do any harm, and sitting in a mailbox it isn't in an executable state.

If you search for attachments with the extensions .com, .exe and .zip you can probably delete all the infected mails by hand. (From Linux, just to be sure.)

> Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything
> here?

Names don't seem to be as standard as they are supposed to be. I think the rate of detection has overwhelmed the standardisation process. In my experience you don't get good search hits except from the vendor of your anti-virus app.

> As I mentioned, klamav claims to be able to quarantine messages
> containing viruses and worms but the component klammail doesn't seem
> to exist on my system - ideas, anyone?

No help here, I'm afraid.

HTH, Happy New Year.

--
Richard Urwin
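Anne's "delete the offending messages, then compact the folder" advice and Richard's .com/.exe/.zip rule, as an added Python script that is not anything posted in the thread: it reads a clamscan report in the format Graham pasted, and for each flagged mbox that exists under $HOME drops every message carrying an attachment with one of those extensions, rewriting the file so the folder is compacted in the same step. The report, the sample Inbox and its three messages are constructed for the demo.

```python
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage
SUSPECT_EXTENSIONS = {".com", ".exe", ".zip"}  # attachment types named in the thread
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")  # one clamscan hit line
# Constructed report in the format shown in the thread; paths are relative to $HOME.
SAMPLE_REPORT = """\
.evolution/mail/local/Inbox: Worm.Bagle.AP FOUND
.evolution/mail/local/Inbox.sbd/Newbie: Worm.SomeFool.P FOUND
--- SCAN SUMMARY ---
"""

def has_suspect_attachment(msg):
    """True if any MIME part carries a filename with a suspect extension."""
    return any(os.path.splitext((p.get_filename() or "").lower())[1] in SUSPECT_EXTENSIONS
               for p in msg.walk())

def clean_mbox(path):
    """Delete suspect messages from an mbox and rewrite it; return (kept, dropped)."""
    box = mailbox.mbox(path)
    box.lock()  # guards against other scripts only: close the mail client first
    dropped = [key for key, msg in box.items() if has_suspect_attachment(msg)]
    for key in dropped:
        box.remove(key)
    box.flush()  # rewrites the file without the removed messages: the "compact" step
    kept = len(box)
    box.close()  # also releases the lock
    return kept, len(dropped)

def clean_from_report(report, home):
    """Clean every flagged mbox under `home`; return {path: (signature, kept, dropped)}."""
    results = {}
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m or not os.path.isfile(os.path.join(home, m["path"])):
            continue  # summary lines, and folders not present on this machine, are skipped
        results[m["path"]] = (m["sig"],) + clean_mbox(os.path.join(home, m["path"]))
    return results

def build_sample_mbox(path):
    """Write three constructed messages: one clean, one with an .exe, one with a .zip."""
    box = mailbox.mbox(path)
    for subject, name in (("list digest", None), ("Re: Hi", "document.exe"), ("price", "Price.zip")):
        msg = EmailMessage()
        msg["Subject"] = subject
        msg.set_content("constructed sample body\n")
        if name:
            msg.add_attachment(b"\0" * 16, maintype="application", subtype="octet-stream", filename=name)
        box.add(msg)
    box.close()

def run_demo():
    """Build the sample Inbox in a temp dir, clean it per SAMPLE_REPORT, return what happened."""
    with tempfile.TemporaryDirectory() as home:
        inbox = os.path.join(home, ".evolution", "mail", "local", "Inbox")
        os.makedirs(os.path.dirname(inbox))
        build_sample_mbox(inbox)
        results = clean_from_report(SAMPLE_REPORT, home)
        box = mailbox.mbox(inbox)
        remaining = [m["Subject"] for m in box]
        box.close()
    return results, remaining
```

The extension rule is the thread's heuristic rather than the scanner's per-message verdict, so a legitimate .zip goes too, and because the file is rewritten in place the mail client must be closed first.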
Re: [newbie] Virus Program seems to be missing vital component.
I found a variation of SCO.A here: http://www.stacken.kth.se/lists/best-forestry/2004-01/msg00157.html

It's referenced as Worm.SCO.A.
Re: [newbie] Virus Program seems to be missing vital component.
Graham Watkins wrote:

> Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything here?
>
> As I mentioned, klamav claims to be able to quarantine messages
> containing viruses and worms but the component klammail doesn't seem to
> exist on my system - ideas, anyone?

I've just done a search on Symantec for these 3 and nothing has come up.
Re: [newbie] Virus Program seems to be missing vital component.
JR wrote:

> Hi Graham,
>
> I have yet to install clam av, but I just wanted to point out that the
> viruses being detected are most likely windows viruses that would pass
> through a linux system without being able to cause any harm.
>
> The reason clam av detects these is because linux is often used as a
> mail server which often has windows clients.
>
> Hope you get your problem resolved, and happy new year!
>
> JR

Wish it were that simple. I'm not running a mail server with windows clients. This is a dual booting stand alone machine and I never use windows for downloading mail. (In fact I use it as little as possible.)

Do the names Worm.bagle.AP, Worm.Somefool.P, SCO.A mean anything here?

As I mentioned, klamav claims to be able to quarantine messages containing viruses and worms but the component klammail doesn't seem to exist on my system - ideas, anyone?
Re: [newbie] Virus Program seems to be missing vital component.
Hi Graham,

I have yet to install clam av, but I just wanted to point out that the viruses being detected are most likely windows viruses that would pass through a linux system without being able to cause any harm.

The reason clam av detects these is because linux is often used as a mail server which often has windows clients.

Hope you get your problem resolved, and happy new year!

JR

On Saturday 01 January 2005 09:11 am, Graham Watkins wrote:
> Hi Y'all and a happy new year,
>
> My first crisis of the year began this morning. I finally got round to
> installing clam anti virus and Klamav. My first scan brought up about
> half a dozen worms hiding out in my mailboxes. I quarantined the mail
> files which cost me all the mail I had stored on mozilla.
>
> Before deleting the files, I imported them into evolution which I do not
> use for downloading mail - dangerous? Possibly, but I wanted to be
> able to clean it up using Klamav which purports to use a program called
> klammail to quarantine infected mails. However, I cannot set it up to
> filter the mail in evolution because the klammail program does not seem
> to exist anywhere on my system.
>
> Anyone know anything about this? It seems a rather urgent situation as
> I, like so many others here, had assumed that linux was more or less
> immune to this sort of thing and finding this lot came as a bit of a
> shock. Is it possible to get klammail to weed out the suspect mails or
> should I just bite the bullet and delete the lot?
>
> Cheers,
>
> Graham
[newbie] Virus Program seems to be missing vital component.
Hi Y'all and a happy new year,

My first crisis of the year began this morning. I finally got round to installing clam anti virus and Klamav. My first scan brought up about half a dozen worms hiding out in my mailboxes. I quarantined the mail files which cost me all the mail I had stored on mozilla.

Before deleting the files, I imported them into evolution which I do not use for downloading mail - dangerous? Possibly, but I wanted to be able to clean it up using Klamav which purports to use a program called klammail to quarantine infected mails. However, I cannot set it up to filter the mail in evolution because the klammail program does not seem to exist anywhere on my system.

Anyone know anything about this? It seems a rather urgent situation as I, like so many others here, had assumed that linux was more or less immune to this sort of thing and finding this lot came as a bit of a shock. Is it possible to get klammail to weed out the suspect mails or should I just bite the bullet and delete the lot?

Cheers,

Graham