Instructions for identifying infected emails

Discussions relating to ClamXav

Moderator: Mark

Re: email virus in "recovered messages" folder

Postby alvarnell » Wed 28 Sep 2011 5:46 pm

CCPP wrote: How do I get Clam to look into my "recovered messages" folder on my iMac?
This is not related to the subject. Please start a new topic.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5, 10.10.5, 10.11.6, 10.12.6 & 10.13.5 / ClamXAV v2.18.1/0.100.0 (3610)

Don't add a space in the "ClamAV Search"

Postby Darren » Sun 16 Sep 2012 3:47 am

Adding a space after the Infection Name messes up the results.

In the following search results, notice the space immediately following "246"
Search results:
0 hits for 'HTML.Phishing.Bank-246 '


If you remove the space, it will return a hexadecimal code.

Re: Instructions for identifying infected emails

Postby anaheed » Fri 28 Feb 2014 11:17 pm

I realize this thread is now 2 years old. Are the instructions still valid? Because I entered the virus name that ClamXAV gave me in its scan into the database (carefully, with no spaces before or after) and got "0 results." Now what? Thanks for any help you might be able to offer, if anyone's still reading this thread.

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 28 Feb 2014 11:32 pm

anaheed wrote: I entered the virus name that ClamXAV gave me in its scan into the database (carefully, with no spaces before or after) and got "0 results."
Please start a new topic using the infection name as the subject. Describe your situation (OS X and ClamXav version and whether you obtained the latter from the AppStore or web site). Do not under any circumstances attempt to move or delete the e-mail until we've determined what it is.
-Al-

Re: Instructions for identifying infected emails

Postby MTMabowels » Sat 14 Feb 2015 7:55 pm

I am using ClamXav version 2.7.4.

I'm wondering if the advice in this thread about looking up the Hex to Ascii information and searching out the individual emails listed originally authored by 'Mark' and further instructions relating to automating Mail searches in Sentry and such are still relevant in February 2015?

I had a shock when I read this thread (that I came across whilst researching a problem I have with Apple's Mail v 6.6 and using ClamXav with my Time Machine backup volume). I usually run ClamXav on my internal HDD every now and then. In the past it has found several files such as mentioned in this thread.

The thing is, up to now I have just been selecting them when displayed in ClamXav and using the 'Delete file' option in the Menu bar. After that I have forgotten about them. Today I am running ClamXav on my Time Machine backup volume that is on an external HDD. I also have my iTunes Music files and some other ordinary, non-Time Machine files on this volume too. As I write this, so far ClamXav has found 18 such files including one called "ConduitNPAPPIPPlugin.plugin" on my external backup drive.

I am hoping that someone reading this is going to tell me that my hunch is correct and that selecting 'Delete File' in ClamXav now carries out all of the steps mentioned in this thread and therefore I have been doing the correct thing all along by simply using the 'Delete file' button (or the 'Quarantine File' button prior to deleting them).

Oh by the way, I'm using a Mid-2007 24" iMac running Mac OS 10.8.5.
24" iMac (Mid-2007) currently booting Mac OS 10.8.5 (Mountain Lion). Also a late 2009 iPod Touch running iOS 5 - the last one without a built in camera (and limited to no higher than iOS 5, I'm afraid)

Re: Instructions for identifying infected emails

Postby alvarnell » Sun 15 Feb 2015 8:40 am

MTMabowels wrote: I'm wondering if the advice in this thread about looking up the Hex to Ascii information and searching out the individual emails listed originally authored by 'Mark' and further instructions relating to automating Mail searches in Sentry and such are still relevant in February 2015?
Absolutely, if you are using an e-mail client that puts all messages into monolithic databases instead of filing each e-mail as a separate file. That includes Eudora, Microsoft Entourage and Outlook, Thunderbird and perhaps others. It has not applied to Apple Mail for a very long time now.

Please post the remainder of your questions to a separate topic since the answers would have no meaning here.
-Al-

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 11 Mar 2016 2:38 am

alvarnell wrote: It has not applied to Apple Mail for a very long time now.
Just to be clear about this, there is no longer a need to use the involved procedures originally outlined in this topic if you are using Apple Mail. For any e-mail client that stores messages as individual files, including Apple Mail, the following procedures apply:

This process is due to get easier soon, but in the meantime, getting rid of infected files from your email requires a bit of manual effort.

To find them, click each one in the Infection List in turn and select File menu -> Infection List -> Reveal in Finder (or you can hit command-R as a shortcut).

The file will then be selected in the Finder and you can hit the SPACE bar on your keyboard to open up a preview.

From the preview, you will be able to ascertain the date and time of the email, and you can use that to search for it in Apple's Mail program. Once you find the email in Mail - delete it directly from within Mail.
-Al-
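The procedure in the post above ends with a Quick Look preview to read off the message's date so it can be found in Mail. As an added example (not part of the original post, and not ClamXAV's or Apple's code), the following Python script does the same lookup from the command line: given the path ClamXAV reveals in the Finder, it splits the Apple Mail .emlx container (a first line holding the byte length of the RFC 822 message, the message itself, then an XML plist of Mail flags) and prints the Date, From, Subject and Message-ID headers to search for in Mail. The sample message and plist embedded below are constructed for the demo; the file paths are whatever ClamXAV reveals on your machine. A truncated file, such as an incomplete copy on a backup volume, is reported instead of being half-parsed.

```python
#!/usr/bin/env python3
"""Pull the headers from an Apple Mail .emlx file so the message can be
located in Mail by date or subject.  Added example, not ClamXAV code."""
import sys
import email
import email.policy
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Constructed sample of the .emlx layout Apple Mail uses: a first line with the
# byte length of the RFC 822 message, the message itself, then an XML plist of
# Mail-specific flags. The phishing-style content is made up for this demo.
SAMPLE_MESSAGE = (
    b'From: "Example Bank" <alerts@example.com>\r\n'
    b"To: user@example.net\r\n"
    b"Subject: Urgent: verify your account\r\n"
    b"Date: Thu, 24 May 2018 14:31:07 -0700\r\n"
    b"Message-ID: <20180524213107.ABC123@example.com>\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b'<html><body><a href="http://example.com/login">Sign in</a></body></html>\r\n'
)
SAMPLE_PLIST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>flags</key>'
    b"<integer>8590195713</integer></dict></plist>\n"
)
SAMPLE_EMLX = str(len(SAMPLE_MESSAGE)).encode() + b"\n" + SAMPLE_MESSAGE + SAMPLE_PLIST


def split_emlx(data: bytes) -> Tuple[bytes, bytes]:
    """Split raw .emlx bytes into (rfc822_message, trailing_plist).

    The declared length is checked against what is actually present: a file
    shorter than it claims (for example a partial Time Machine copy) raises
    ValueError rather than returning a silently truncated message.
    """
    newline = data.index(b"\n")
    declared = int(data[:newline].strip())
    start = newline + 1
    message = data[start:start + declared]
    if len(message) != declared:
        raise ValueError(
            "emlx truncated: length line says %d bytes, only %d present"
            % (declared, len(message))
        )
    return message, data[start + declared:]


def describe_emlx(data: bytes) -> Dict[str, Optional[str]]:
    """Return the headers a user needs to find the message in Mail."""
    message, _plist = split_emlx(data)
    msg = email.message_from_bytes(message, policy=email.policy.default)
    date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return {
        "from": str(msg["From"]) if msg["From"] else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        # Sender's local time with its offset; Mail displays it in your zone.
        "date": date.isoformat() if date else None,
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
    }


def emlx_is_complete(data: bytes) -> bool:
    """True when the file holds the whole message its length line promises."""
    try:
        split_emlx(data)
    except ValueError:
        return False
    return True


def main(paths) -> int:
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if not emlx_is_complete(data):
            print("%s: truncated or not an .emlx file" % path)
            continue
        info = describe_emlx(data)
        print("%s\n  date: %s\n  from: %s\n  subject: %s\n  message-id: %s"
              % (path, info["date"], info["from"], info["subject"], info["message_id"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 emlx_headers.py "<path ClamXAV revealed>.emlx"`, then paste the Subject or Message-ID into Mail's search field and delete the message from within Mail, as the post advises; the .emlx file itself is left untouched by the script.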

Re: Instructions for identifying infected emails

Postby Jim babcock » Thu 24 May 2018 9:31 pm

Hi Al Varnell: I'm Jim Babcock, a user since the dawn of ClamXav, sometime in the early 2000s...
no discussion...just wanted to say hello....and that I now live in the San Diego area (Encinitas) to be near my daughter and family.

I still keep up to date w/ Clam.....

BTW, if I installed Malwarebytes on my ver 10.10.5 iMac, what would be any possible interferences? It deals with Ransomware to some extent.

Just askin'

well, keep well....enjoyed all the times we have corresponded

Jim b
PS. ignore the signature lines...haven't updated lately!!
V3.0.1(7220)/0.100.1_102 274.358
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 25 May 2018 8:10 am

San Diego...Maybe we'll be in different states if that crazy idea to divide us into thirds passes.

Malwarebytes won't cause any issues unless you allow both its Real-Time Protection and ClamXAV Sentry to be active. They end up fighting over who gets to scan new files first which usually ties up the CPU unnecessarily. As far as Ransomware is concerned, I don't believe it offers any advantage over ClamXAV and vice versa. The two developers have been friends for many years and still collaborate on new malware findings often. There have only been three known instances of Mac Ransomware to date and they are all fully covered by both packages. If you are worried about a zero day attack, take a look at Patrick Wardle's RansomWhere?. It does tend to show up as a top ten CPU user, but at less than 5% for me. It also alerts when unencryption takes place (which is all I've ever been notified of) so be aware of that. The developer is aware of the issue, but hasn't been able to solve it yet.
-Al-

Re: Instructions for identifying infected emails

Postby Jim babcock » Fri 25 May 2018 4:49 pm

Hi Al: Thanx for info on Malwarebytes. I suspected what you told me so I'll leave it alone. However if a new friend asks me about Mac viruses, I point them to Clam.

For VPN, I signed up for PIA, Private Internet Access. I use it for my iOS devices primarily. It works ok on my iMac. Seems to be a good tech company from the UK.

I use my iPad Pro for 99% of what I do now.... so that's why you haven't seen me online lately. But with no anti-virus available ...or even needed on iOS, ......I just don't use iMac much...

Again, great to hear from you..

Jim B

Re: Instructions for identifying infected emails

Postby Jim babcock » Wed 15 Aug 2018 5:58 pm

HEY AL: After thinking further, I went ahead and installed Malwarebytes on my iMac. So far I see no collisions btw it and Clam. I’m just so uptight about Ransomware, I decided that with Clam PLUS Malwarebytes, I’ll feel more comfortable.
I still backup MacOS onto an external drive that is online only during backup time. I have used Super Duper for years. Never installed Time machine...just didn’t like it.

so if I run into any issues, I’ll let you know.

As Ever. Jim B
PS Upgraded to ClamXAV Version 3. Looks great!

Re: Instructions for identifying infected emails

Postby alvarnell » Thu 16 Aug 2018 12:48 am

Thanks for the feedback. I ended up paying for Malwarebytes just so I could respond to questions on their forum about the Premium Features, but I keep them turned off in favor of ClamXAV Sentry.

Regarding Ransomware, neither product will be effective in detecting a zero day attack that doesn't use any of the known Mac coded files. Your best bet there would be to install Patrick Wardle's RansomWhere?. Unfortunately it can't tell the difference between encrypting files and decrypting files, so you'll often get false alerts that have to be dismissed, which includes updating ClamXAV definitions, for example.
-Al-

Re: Instructions for identifying infected emails

Postby Jim babcock » Thu 16 Aug 2018 1:14 am

Thanks Al: Well, I did install Wardle's RansomWhere? Except I don't quite understand what I installed. I guess it runs in the background ... I see no app name or location for it. But... I did get a message at a recent Clam update time. Is that what you refer to? I'll send you a screenshot if it occurs again.

It wasn’t clear what action to take if it is a threat OR just a false alert. I’ll update Clam tomorrow and see if it re-appears.

I’ll be back to Forum from time to time.

Oh, does the “Support” feature cover queries we may have on Ver 3+? Since I am on my iPad 95% of the time, I guess I can use the Forum...if you are available... OK?

Best
Jim B

Re: Instructions for identifying infected emails

Postby alvarnell » Thu 16 Aug 2018 2:08 am

It is a background-only process, so there is no app. It launches automatically at boot time and looks for any encryption/decryption activity, then pops up a modal dialog box, similar to that shown in the link I gave you.

And yes, it will give you that dialog when it expands some of the files during a ClamXAV update, but should only need to be allowed once.

You're welcome to use the Forum for any support problems you have, except that I don't recommend posting diagnostic results here as they probably contain some sensitive data. That's best handled by a help desk ticket. I'll try to answer any questions I am able to. I still have read access to the help desk ticket system, so I can usually dig out an answer if it's something others have experienced.

Today's been a real fire drill with mostly registration issues, some clarification questions, a period of time when downloads were disabled, updates to 3.0.1 and then 3.0.1, some relatively normal questions and a few who don't seem to want to support any subscription based software. Also was bad news for 10.6.8 through 10.9.x users.
-Al-

Re: Instructions for identifying infected emails

Postby Jim babcock » Thu 16 Aug 2018 5:25 am

Al: Thanks . I have a real fear of being clobbered by a ransom hit. Two of my older friends were attacked....one paid $500 for the decrypt key b/c of no backup.

I now understand what Ransomwhere does. When I got the alert I allowed the process to continue...so I shouldn’t see the Dialog again after any Clam sig...update. I hope that at any alert I will recognize the error potential and act accordingly. The process is worthwhile keeping, I feel.

And I understand re: Ver 3+ support. I had no trouble installing; nor do I object to subscriptions. I changed 1Password to subscription which eased the update regimen due to support of iOS devices, etc. Subscriptions are here to stay.

So long for now....thanx for sharing your knowledge.

Jim B
