Instructions for identifying infected emails

Discussions relating to ClamXav

Moderator: Mark

Re: email virus in "recovered messages" folder

Postby alvarnell » Wed 28 Sep 2011 5:46 pm

CCPP wrote: How do I get Clam to look into my "recovered messages" folder on my iMac?
This is not related to the subject. Please start a new topic.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5, 10.10.5, 10.11.6, 10.12.6 & 10.13.5 / ClamXAV v2.18.1/0.100.0 (3610)
alvarnell
Site Admin
 
Posts: 5478
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Don't add a space in the "ClamAV Search"

Postby Darren » Sun 16 Sep 2012 3:47 am

Adding a space after the Infection Name messes up the results.

In the following search results, notice the space immediately following "246"
Search results:
0 hits for 'HTML.Phishing.Bank-246 '


If you remove the space, it will return a hexadecimal code.
Darren
 
Posts: 1
Joined: Sun 16 Sep 2012 3:05 am

Re: Instructions for identifying infected emails

Postby anaheed » Fri 28 Feb 2014 11:17 pm

I realize this thread is now 2 years old. Are the instructions still valid? Because I entered the virus name that ClamXAV gave me in its scan into the database (carefully, with no spaces before or after) and got "0 results." Now what? Thanks for any help you might be able to offer, if anyone's still reading this thread.
anaheed
 
Posts: 2
Joined: Fri 28 Feb 2014 11:05 pm

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 28 Feb 2014 11:32 pm

anaheed wrote: I entered the virus name that ClamXAV gave me in its scan into the database (carefully, with no spaces before or after) and got "0 results."
Please start a new topic using the infection name as the subject. Describe your situation (OS X and ClamXav version and whether you obtained the latter from the AppStore or web site). Do not under any circumstances attempt to move or delete the e-mail until we've determined what it is.
-Al-

Re: Instructions for identifying infected emails

Postby MTMabowels » Sat 14 Feb 2015 7:55 pm

I am using ClamXav version 2.7.4.

I'm wondering if the advice in this thread about looking up the Hex to Ascii information and searching out the individual emails listed originally authored by 'Mark' and further instructions relating to automating Mail searches in Sentry and such are still relevant in February 2015?

I had a shock when I read this thread (that I came across whilst researching a problem I have with Apple's Mail v 6.6 and using ClamXav with my Time Machine backup volume). I usually run ClamXav on my internal HDD every now and then. In the past it has found several files such as mentioned in this thread.

The thing is, up to now I have just been selecting them when displayed in ClamXav and using the 'Delete file' option in the Menu bar. After that I have forgotten about them. Today I am running ClamXav on my Time Machine backup volume that is on an external HDD. I also have my iTunes Music files and some other ordinary, non-Time Machine files on this volume too. As I write this, so far ClamXav has found 18 such files including one called "ConduitNPAPPIPPlugin.plugin" on my external backup drive.

I am hoping that someone reading this is going to tell me that my hunch is correct and that selecting 'Delete File' in ClamXav now carries out all of the steps mentioned in this thread and therefore I have been doing the correct thing all along by simply using the 'Delete file' button (or the 'Quarantine File' button prior to deleting them).

Oh by the way, I'm using a Mid-2007 24" iMac running Mac OS 10.8.5.
24" iMac (Mid-2007) currently booting Mac OS 10.8.5 (Mountain Lion). Also a late 2009 iPod Touch running iOS 5 - the last one without a built in camera (and limited to no higher than iOS 5, I'm afraid)
MTMabowels
 
Posts: 1
Joined: Sat 14 Feb 2015 5:37 pm

Re: Instructions for identifying infected emails

Postby alvarnell » Sun 15 Feb 2015 8:40 am

MTMabowels wrote: I'm wondering if the advice in this thread about looking up the Hex to Ascii information and searching out the individual emails listed originally authored by 'Mark' and further instructions relating to automating Mail searches in Sentry and such are still relevant in February 2015?
Absolutely, if you are using an e-mail client that puts all messages into monolithic databases instead of filing each e-mail as a separate file. That includes Eudora, Microsoft Entourage and Outlook, Thunderbird and perhaps others. It has not applied to Apple Mail for a very long time now.

Please post the remainder of your questions to a separate topic since the answers would have no meaning here.
-Al-
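The lookup that Darren's post and this reply refer to (the signature search returns the hex body of a ClamAV signature; for a client that keeps all mail in one monolithic database you turn that hex into text you can search for, then find the message that contains it) can be scripted. The block below is an added example and is not code from the original thread, from ClamAV or from ClamXav. It decodes an .ndb-style hex signature body (the common wildcards `??`, `a?`/`?a`, `*`, `{n}`, `{n-m}`, `{-m}`, `{n-}` and `(aa|bb)`; other constructs are rejected) into a byte regex and into its literal text runs, then runs it over a small mbox. The signature name `Example.Phishing.Demo-1`, its hex body and the two messages are constructed for the demonstration and are not real ClamAV entries.

```python
"""Decode a ClamAV hex body signature and locate the matching message in an mbox.

Added example: the signature, the mailbox and the supported wildcard subset are
constructed here; none of this is ClamAV's or ClamXav's code.
"""
import re
from email.parser import BytesParser
from email.policy import default

# One token of a hex body: (aa|bb) alternatives, {n}/{n-m}/{-m}/{n-} gaps,
# * (any number of bytes), or a two-character byte that may carry ? nibble wildcards.
_TOKEN = re.compile(r"\(([0-9a-fA-F?|]+)\)|\{(\d*)(-?)(\d*)\}|(\*)|([0-9a-fA-F?]{2})")


def _tokens(body):
    """Yield one match per token; refuse syntax this demo does not cover."""
    pos = 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"unsupported signature syntax at offset {pos}: {body[pos:pos + 8]!r}")
        pos = m.end()
        yield m


def _byte_pattern(tok):
    """Regex for one hex byte; '?' in either position is a nibble wildcard."""
    if tok == "??":
        return b"."
    hi, lo = tok
    if hi == "?":  # low nibble fixed: sixteen candidate bytes
        n = int(lo, 16)
        return b"[" + b"".join(re.escape(bytes([(h << 4) | n])) for h in range(16)) + b"]"
    if lo == "?":  # high nibble fixed: one contiguous range
        base = int(hi, 16) << 4
        return b"[" + re.escape(bytes([base])) + b"-" + re.escape(bytes([base | 0x0F])) + b"]"
    return re.escape(bytes.fromhex(tok))


def hex_sig_to_regex(body):
    """Translate the hex body of an .ndb signature into a bytes regex (compile with re.DOTALL)."""
    out = []
    for m in _tokens(body):
        alts, lo, dash, hi, star, byte = m.groups()
        if alts is not None:
            out.append(b"(?:" + b"|".join(hex_sig_to_regex(a) for a in alts.split("|")) + b")")
        elif star:
            out.append(b".*?")
        elif byte is not None:
            out.append(_byte_pattern(byte))
        elif not dash:  # {n}: exactly n bytes
            out.append(b".{%d}" % int(lo))
        else:           # {n-m}, {-m}, {n-}
            out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
    return b"".join(out)


def literal_runs(body):
    """The 'hex to ASCII' step: fixed byte runs of the signature, decoded as Latin-1."""
    runs, current = [], bytearray()
    for m in _tokens(body):
        byte = m.group(6)
        if byte is not None and "?" not in byte:
            current += bytes.fromhex(byte)
        elif current:
            runs.append(current.decode("latin-1"))
            current = bytearray()
    if current:
        runs.append(current.decode("latin-1"))
    return runs


def split_mbox(data):
    """Split mbox bytes into raw messages on the 'From ' separator lines."""
    return [part for part in re.split(rb"(?:^|\n)From [^\n]*\n", data) if part.strip()]


def find_infected_messages(mbox, ndb_line):
    """Return From/Subject/Date/Message-ID of every message the signature matches."""
    name, _target, _offset, body = ndb_line.split(":", 3)
    pattern = re.compile(hex_sig_to_regex(body), re.DOTALL)
    hits = []
    for raw in split_mbox(mbox):
        if pattern.search(raw):
            msg = BytesParser(policy=default).parsebytes(raw)
            hits.append({"signature": name, "from": str(msg["From"]), "subject": str(msg["Subject"]),
                         "date": str(msg["Date"]), "message_id": str(msg["Message-ID"])})
    return hits


# Constructed .ndb line (not a real ClamAV entry): "please", up to 8 bytes, "verify",
# 1-4 bytes, "your", 1-4 bytes, "account".
SAMPLE_NDB = "Example.Phishing.Demo-1:0:*:706c65617365{-8}766572696679{1-4}796f7572{1-4}6163636f756e74"

# Constructed two-message mbox: one harmless note and one message the signature hits.
SAMPLE_MBOX = (
    b"From alice@example.invalid Mon Sep 17 09:00:00 2012\n"
    b"From: Alice <alice@example.invalid>\nTo: you@example.invalid\nSubject: lunch\n"
    b"Date: Mon, 17 Sep 2012 09:00:00 +0000\nMessage-ID: <one@example.invalid>\n\n"
    b"Sandwiches at noon?\n\n"
    b"From security@bank.invalid Mon Sep 17 10:15:00 2012\n"
    b"From: \"Account Team\" <security@bank.invalid>\nTo: you@example.invalid\n"
    b"Subject: Action required\nDate: Mon, 17 Sep 2012 10:15:00 +0000\n"
    b"Message-ID: <two@bank.invalid>\n\n"
    b"Dear customer, please verify your account within 24 hours.\n\n"
)

if __name__ == "__main__":
    print("search for:", literal_runs(SAMPLE_NDB.split(":", 3)[3]))
    for hit in find_infected_messages(SAMPLE_MBOX, SAMPLE_NDB):
        print(hit)
```

The literal runs are what you would type into the mail client's search box when working by hand; the regex search over the raw mailbox is the same check done exactly, including the gaps between runs, so it does not pick up an unrelated message that happens to contain one of the words. The hex body is copied without a trailing space, for the reason Darren gives.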

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 11 Mar 2016 2:38 am

alvarnell wrote: It has not applied to Apple Mail for a very long time now.
Just to be clear about this, there is no longer a need to use the involved procedures originally outlined in this topic if you are using Apple Mail. For any e-mail client that stores messages as individual files, including Apple Mail, the following procedures apply:

This process is due to get easier soon, but in the meantime, getting rid of infected files from your email requires a bit of manual effort.

To find them, click each one in the Infection List in turn and select File menu -> Infection List -> Reveal in Finder (or you can hit command-R as a shortcut).

The file will then be selected in the Finder and you can hit the SPACE bar on your keyboard to open up a preview.

From the preview, you will be able to ascertain the date and time of the email, and you can use that to search for it in Apple's Mail program. Once you find the email in Mail - delete it directly from within Mail.
-Al-
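For Apple Mail, where each message is its own .emlx file, the preview step above (reveal in Finder, press Space, read off the date and time) can be replaced by reading the headers straight out of the file ClamXav reported. The block below is an added example and is not code from the original post or from ClamXav. It assumes the .emlx layout of a first line holding the message's byte length in decimal, then the RFC 822 message, then an XML property list of Mail's flags, and it assumes mailbox directories on the path end in `.mbox`; the sample message, the path `/Users/me/Library/Mail/V2/IMAP-me@mail.example.invalid/INBOX.mbox/Messages/12345.emlx` and the flag dictionary are constructed here.

```python
"""Read the headers of an Apple Mail .emlx file so the message can be found in Mail.

Added example: the .emlx layout is an assumption stated in parse_emlx, and the
sample message, path and flags below are constructed, not taken from a real mailbox.
"""
import plistlib
from email.parser import BytesParser
from email.policy import default
from email.utils import parsedate_to_datetime
from pathlib import PurePosixPath


def parse_emlx(data):
    """Split .emlx bytes into (message, flags).

    Layout assumed: a first line with the decimal byte length of the RFC 822
    message, the message itself, then an XML plist holding Mail's flags.
    """
    newline = data.index(b"\n")
    length = int(data[:newline].strip())
    start = newline + 1
    message = data[start:start + length]
    trailer = data[start + length:].strip()
    flags = {}
    if trailer.startswith(b"<?xml"):
        try:
            flags = plistlib.loads(trailer)
        except Exception:  # malformed trailer: the headers are still usable
            flags = {}
    return message, flags


def mailbox_from_path(path):
    """Mailbox names on the path (assumed: directories ending in .mbox), outermost first."""
    return [p[:-5] for p in PurePosixPath(path).parts if p.endswith(".mbox")]


def mail_search_terms(emlx_bytes, path=None):
    """Headers worth typing into Mail's search box for the flagged file."""
    message, flags = parse_emlx(emlx_bytes)
    msg = BytesParser(policy=default).parsebytes(message)
    date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return {
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "from": str(msg["From"]) if msg["From"] else None,
        "date": date.isoformat() if date else None,
        "mailbox": mailbox_from_path(path) if path else [],
        "mail_flags": flags,
    }


def build_emlx(message, flags):
    """Assemble an .emlx file from its parts; used here only to construct sample input."""
    return b"%d\n" % len(message) + message + plistlib.dumps(flags)


# Constructed sample: a phishing-style message as Mail would store it, plus a path
# in the assumed layout (account and mailbox names are made up).
SAMPLE_MESSAGE = (
    b"From: \"Account Team\" <security@bank.invalid>\r\n"
    b"To: you@example.invalid\r\n"
    b"Subject: Action required\r\n"
    b"Date: Fri, 11 Mar 2016 02:38:00 +0000\r\n"
    b"Message-ID: <demo-1@bank.invalid>\r\n"
    b"\r\n"
    b"Dear customer, please verify your account.\r\n"
)
SAMPLE_PATH = "/Users/me/Library/Mail/V2/IMAP-me@mail.example.invalid/INBOX.mbox/Messages/12345.emlx"
SAMPLE_EMLX = build_emlx(SAMPLE_MESSAGE, {"date-received": 1457663880})

if __name__ == "__main__":
    for key, value in mail_search_terms(SAMPLE_EMLX, SAMPLE_PATH).items():
        print(f"{key}: {value}")
```

Search Mail for the Message-ID, or for the subject together with the date, in the mailbox the path names, and delete the message from within Mail as the post says; the script only reads the file and never removes it from the Finder.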

Re: Instructions for identifying infected emails

Postby Jim babcock » Thu 24 May 2018 9:31 pm

Hi Al Varnell: I'm Jim Babcock, a user since the dawn of ClamXav, sometime in the early 2000s.
No discussion, just wanted to say hello, and to say that I now live in the San Diego area (Encinitas) to be near my daughter and family.

I still keep up to date w/ Clam.....

BTW, if I installed Malwarebytes on my ver 10.10.5 iMac, what would be any possible interferences? It deals with Ransomware to some extent.

Just askin'

well, keep well....enjoyed all the times we have corresponded

Jim b
PS. ignore the signature lines...haven't updated lately!!
V2.18.1/0.100.0 (3610) ClamAV® + Sentry
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64
Jim babcock
 
Posts: 326
Joined: Sun 04 Jun 2006 2:51 pm
Location: Encinitas, Ca

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 25 May 2018 8:10 am

San Diego...Maybe we'll be in different states if that crazy idea to divide us into thirds passes.

Malwarebytes won't cause any issues unless you allow both its Real-Time Protection and ClamXAV Sentry to be active. They end up fighting over who gets to scan new files first, which usually ties up the CPU unnecessarily. As far as Ransomware is concerned, I don't believe it offers any advantage over ClamXAV and vice versa. The two developers have been friends for many years and still collaborate on new malware findings often. There have only been three known instances of Mac Ransomware to date and they are all fully covered by both packages. If you are worried about a zero day attack, take a look at Patrick Wardle's RansomWhere?. It does tend to show up as a top ten CPU user, but at less than 5% for me. It also alerts when decryption takes place (which is all I've ever been notified of), so be aware of that. The developer is aware of the issue, but hasn't been able to solve it yet.
-Al-

Re: Instructions for identifying infected emails

Postby Jim babcock » Fri 25 May 2018 4:49 pm

Hi Al: Thanks for the info on Malwarebytes. I suspected what you told me, so I'll leave it alone. However, if a new friend asks me about Mac viruses, I point them to Clam.

For VPN, I signed up for PIA, Private Internet Access. I use it for my iOS devices primarily. It works OK on my iMac. It seems to be a good tech company from the UK.

I use my iPad Pro for 99% of what I do now, so that's why you haven't seen me online lately. But with no anti-virus available, or even needed, on iOS, I just don't use the iMac much.

Again, great to hear from you..

Jim B
