Discussion:
Can clamscan scan attachments in mails in .dbx or .pst files?
Fermín Galán Márquez
2006-04-21 12:35:28 UTC
Hello,

My name is Fermín Galán. I'm a newcomer on the list, so please forgive me if
I ask some stupid questions :)

I'm involved in a forensic analysis of a Windows system. I have extracted
the cracked disk partition and mounted it in the GNU/Linux system where I'm
performing the analysis. One of the steps is to search for viruses and I'm
using clamav to do it.

It seems (manpage) that clamscan is able to search inside .zip and .rar
files, right? However, I would also like to know if the tool is powerful
enough to search inside attachment files in mails that are stored
in .dbx files (.dbx is the mailbox format that Outlook Express uses) and
.pst files (used by Outlook). There are several .dbx and .pst files in the system
I'm analysing and I suspect that some of them may contain a virus in a mail
attachment.

Otherwise, is there any workaround? (maybe a tool that extracts attachments in
mails in a .dbx to plain files and then running clamscan on them)

Any information/help is really welcome... Thanks in advance!

(I've searched the list archives regarding this topic, but I didn't find
anything; however, if I'm wrong and this topic has already been treated,
please provide me a URL to the thread or discussion)

Best regards,

--------------------
Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860
Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12
Fax : +34 93 645 29 01
Email address: ***@cttc.es

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
Sander Holthaus
2006-04-21 15:23:41 UTC
I'm not sure ClamAV is the right tool for you. I doubt that ClamAV
can scan inside pst-files, you need the MAPI-interface for that.
Also, I don't think dbx files are supported either, but it still might
be possible for clam to recognize viruses in them.

I would guess that your best bet is going for a scanner (actually,
scanners if you want to do a thorough job) that has Windows as its
native platform (ClamAV is designed for *nix) and doing it from a
Windows environment (which would allow you to use the MAPI-interface
to scan inside the pst's). But it really depends on what kind of
system and compromise (accidental or professionally targeted) you're
dealing with.

Kind Regards,
Sander Holthaus

Fermín Galán Márquez
2006-04-21 15:57:25 UTC
Dear Sander,

First of all, thank you for your interest! :)
Post by Sander Holthaus
I'm not sure ClamAV is the right tool for you. I doubt that ClamAV
can scan inside pst-files, you need the MAPI-interface for that.
Also, I don't think dbx files are supported either, but it still might
be possible for clam to recognize viruses in them.
I guess it is possible to scan inside dbx as long as files in dbx are stored
in "raw" format (actually, I don't know). However, if dbx implements a UNIX
mailbox-like format for attachments (that is, a text transcoding of the
file, like base64) I guess clamscan wouldn't be able to search for viruses (it
would need to decode the text encoding to recover the "raw" format of the
attached file).
Post by Sander Holthaus
I would guess that your best bet is going for a scanner (actually,
scanners if you want to do a thorough job) that has Windows as its
native platform (ClamAV is designed for *nix) and doing it from a
Windows environment (which would allow you to use the MAPI-interface
to scan inside the pst's). But it really depends on what kind of
system and compromise (accidental or professionally targeted) you're
dealing with.
I do forensics as a hobby, it isn't a professional target.

You are right, but given that I'm analysing a Windows post-mortem filesystem
from a GNU/Linux environment it is difficult to execute a Windows-native
scanner. Maybe I should change my analysis environment (from GNU/Linux ->
Windows :)

However, although I don't know the clamscan code architecture, from the
clamscan code's point of view a .dbx should be more or less like a .zip or
.rar: a file (with a given encoding) that stores files inside that need to be
analysed.

Maybe a patch could be developed, inspired by the .zip/.rar processing code.
I don't know if this is the right place for such a discussion (or even if I
would have the time/expertise to develop the patch in case I get all the
needed information :), but this would require two pieces of information:

- Which part of the code implements the .zip/.rar analysis?
- Documentation about the .dbx format (maybe difficult, because Microsoft
doesn't usually document its file formats)

Again, any piece of help/information is welcome!

Best regards,


PS. I'm focusing on .dbx, not on .pst (it seems to be a more complex file
format, and, actually, the mailbox files that I have in my Windows
filesystem are all .dbx).

c***@mikecappella.com
2006-04-21 16:29:56 UTC
Post by Sander Holthaus
I would guess that your best bet is going for a scanner (actually,
scanners if you want to do a thorough job) that has Windows as its
native platform (ClamAV is designed for *nix) and doing it from a
Windows environment (which would allow you to use the MAPI-interface
to scan inside the pst's). But it really depends on what kind of
system and compromise (accidental or professionally targeted) you're
dealing with.
Post by Fermín Galán Márquez
I do forensics as a hobby, it isn't a professional target.
You are right, but given that I'm analysing a Windows
post-mortem filesystem from a GNU/Linux environment it is
difficult to execute a Windows-native scanner. Maybe I should
change my analysis environment (from GNU/Linux -> Windows :)
Have a look at:
http://alioth.debian.org/projects/libpst/


MrC


Fermín Galán
2006-04-23 12:21:00 UTC
Hi,
Post by c***@mikecappella.com
Post by Fermín Galán Márquez
You are right, but given that I'm analysing a Windows
post-mortem filesystem from a GNU/Linux environment it is
difficult to execute a Windows-native scanner. Maybe I should
change my analysis environment (from GNU/Linux -> Windows :)
http://alioth.debian.org/projects/libpst/
Thanks! This could be useful for .pst files. For .dbx I've found the
following reference (although it seems unmaintained since April, 2002):
http://oedbx.aroh.de/

Best regards,

------
Fermín

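The workaround the thread converges on (convert the mailbox with a tool such as readpst from libpst, decode each attachment to a plain file, then run clamscan over the files) as an added example; it is not code from the thread, from libpst or from ClamAV. It assumes the .pst/.dbx has already been converted to an mbox file, constructs a one-message mbox inline so it runs offline, and shows why the base64 transport encoding Fermín worries about is undone before anything is scanned.

```python
import email.message
import mailbox
import os, re, shutil, subprocess, tempfile
# Constructed sample attachment: arbitrary bytes, not malware, not from any real mailbox.
SAMPLE_ATTACHMENT = b"MZ\x90\x00\x03\x00\x00\x00constructed-sample-binary\xff\xfe"


def write_sample_mbox(path):
    """One-message mbox with a base64 attachment, the shape readpst emits from a .pst."""
    msg = email.message.EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "user@example.invalid"
    msg.set_content("See attached file.")
    # add_attachment base64-encodes the bytes, so the raw file never appears verbatim in
    # the mbox; the "../" in the name is deliberate, to exercise the sanitising below.
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="../sample.bin")
    mb = mailbox.mbox(path)
    mb.add(msg)
    mb.close()

def extract_attachments(mbox_path, out_dir):
    """Decode every part that carries a filename into out_dir; return the written paths."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for msg_idx, msg in enumerate(mailbox.mbox(mbox_path)):
        for part_idx, part in enumerate(msg.walk()):
            if part.is_multipart() or not part.get_filename():
                continue
            # Base name plus safe characters only, so a crafted name cannot escape out_dir.
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(part.get_filename()))
            dest = os.path.join(out_dir, f"{msg_idx:04d}-{part_idx:02d}-{safe or 'attachment'}")
            with open(dest, "wb") as fh:
                fh.write(part.get_payload(decode=True))  # undoes base64 / quoted-printable
            written.append(dest)
    return written

def scan_with_clamscan(directory):
    """clamscan exit code over the decoded files (0 clean, 1 infected); None if not installed."""
    if shutil.which("clamscan") is None:
        return None
    return subprocess.run(["clamscan", "-r", "--infected", "--no-summary", directory]).returncode

def demo():
    """Whole pipeline in a temporary directory; returns {file name: decoded bytes}."""
    with tempfile.TemporaryDirectory() as tmp:
        mbox_path, att_dir = os.path.join(tmp, "export.mbox"), os.path.join(tmp, "att")
        write_sample_mbox(mbox_path)
        files = {os.path.basename(p): open(p, "rb").read()
                 for p in extract_attachments(mbox_path, att_dir)}
        scan_with_clamscan(att_dir)
        return files
```

Current clamscan also parses MIME mail itself (--scan-mail is on by default), so once readpst or oedbx has produced mbox/eml files you can point clamscan -r at them directly; decoding the parts as above additionally leaves each attachment on disk as a separate evidence artefact.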