"$d_bin""virus - clamscan notes.txt"
www.BillHowell.ca 24Dec2020 initial

To download a virus sample :
FireFox menu -> Preferences -> Privacy & Security -> Security :
   x Deceptive Content and Dangerous Software Protection
   x Block dangerous and deceptive content (Learn more)
   x Block dangerous downloads
   x Warn you about unwanted and uncommon software
>> temporarily uncheck "Block dangerous downloads" & see what happens
>> OK - works!
DANGEROUS!!! Don't forget to reset FireFox "Block dangerous downloads" when done!!!!

+-----+
Quick notes :
29Mar2021 WEIRD! Even if clamscan finds viruses in a folder, when the folder is split into text files for each email, no viruses show up!!??!!???!
29Mar2021 folders with "Heuristics.Phishing.Email.SpoofedDomain FOUND" - these are probably OK

+-----+
ToDos :
24Dec2020 download more virus samples
24Dec2020 split email folders to find email with virus

+-----+
key infected : "/media/bill/Virus_samples"
/media/bill/Virus_samples/Ikarus viruses/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/media/bill/Virus_samples/Ikarus viruses/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/media/bill/Virus_samples/infected/210328/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
/media/bill/Virus_samples/infected/210328/Trash: Win.Trojan.Generickd-395 FOUND

48************************************************48
08********08 28Mar2021 script to cut Thunderbird email folders and find text portion with virus

mkdir /media/bill/Virus_samples/infected/210328
>> copied infected email folders here

Use QNial!!! I did complex things with IJCNN mass emails
"$d_Qndfs""virus - find email with virus.ndf"

29Mar2021 folders with "Heuristics.Phishing.Email.SpoofedDomain FOUND" - these are probably OK
folder_split_emails (link d_Thunderbird 'Climate.sbd/People.sbd/Dobler, Sacha') (link d_temp 'emails/')
>> this folder shows two emails in Thunderbird, but only one extracted!
folder_split_emails probably drops last email? YES!
I fixed it.
This looks like an unknown redirection, but it is probably legitimate and no threat.
folder_split_emails (link d_Thunderbird 'Charity.sbd/John O'Sullivan - PSI') (link d_temp 'emails/')

these should be addressed :
+-----+
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
folder_split_emails (link d_Thunderbird 'Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive') (link d_temp 'emails/')

$ clamscan -ri --bell '/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive'
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8516193
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.80 MB
Data read: 8.48 MB (ratio 0.09:1)
Time: 18.822 sec (0 m 18 s)

qnial> folder_split_emails (link d_Thunderbird 'Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive') (link d_temp 'emails/')
>> None found!???!!!???
+-----+
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND
folder_split_emails (link d_Thunderbird '/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash') (link d_temp 'emails/')

$ clamscan -ri --bell '/media/bill/ramdisk/emails/'

----------- SCAN SUMMARY -----------
Known viruses: 8516193
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 329
Infected files: 0
Data scanned: 21.19 MB
Data read: 7.78 MB (ratio 2.72:1)
Time: 24.989 sec (0 m 24 s)

/media/bill/ramdisk/emails $ clamscan -ri --bell '/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash'
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND

qnial> move_contaminated_emails "$d_temp"'emails/' '"/media/bill/Virus_samples/infected/"'

----------- SCAN SUMMARY -----------
Known viruses: 8516193
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.15 MB
Data read: 4.66 MB (ratio 0.03:1)
Time: 17.234 sec (0 m 17 s)

>> interesting - the virus doesn't show up when the emails are split off into separate text files.
   Only direct analysis shows it.
>> copy folder to VIRUS, then delete

08********08 28Mar2021 clamscan stuck in d_PROJECTS
+-----+
scan...
28March2021 10h36m, /media/bill/Dell2/PROJECTS/
clamscan >>"/media/bill/Dell2/Website - raw/bin/virus - clamscan log.txt" -ri --bell "/media/bill/Dell2/PROJECTS/"
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 51 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 73 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 73 failed to run: CL_ETIMEOUT: Time limit reached
>> as of 15:58 still stuck there!!! (almost 5.5 hours!)
>> HAH! just as I wrote this 15:59, it went to d_webRaw
search for reasons later... OK done

+-----+
types
  #
  2  Eicar-Test-Signature FOUND
       1  /media/bill/Virus_samples/Ikarus viruses/eicar_com.zip
       1  /media/bill/Virus_samples/Ikarus viruses/eicar.com
  4  Heuristics.Phishing.Email.SpoofedDomain FOUND
       7  /home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Climate.sbd/People.sbd/Dobler, Sacha
      64  /home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI
  1  Email.Phishing.VOF1-6314019-0 FOUND
       1  /home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd
  1  Win.Trojan.Generickd-395 FOUND
       1  /home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash

Uh Oh! doesn't have any emails showing in my Thunderbird Charity.sbd folder - only in 7_Newsgroups slow? :
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI
>> I might have moved them all?
>> Or did clamscan quarantine the whole folder?
>> check other infected folders : 2/2 still there :
             /media/bill/Virus_samples/Ikarus viruses/
   72.2 kB   Climate.sbd/People.sbd/Dobler, Sacha
   943.5 kB  Purchases.sbd/Books.sbd/Amazon.sbd
   4.9 kB    mail.billhowell.ca/Trash
So other folders are still there. Why not "Charity.sbd/John O'Sullivan - PSI"?
OOPS!
I screwed up, I was looking at "PSI International", not "John O'Sullivan - PSI"
eliminated redundancy

08********08 24Jan2021 Computer virus scans
All viruses are in /home/bill/, mostly 67 viruses in PSI International emails, but also Amazon & virus inventory
ToDo for later - recover & inventory viruses

24January2021 19h36m, /home/bill
clamscan >>"/media/bill/Dell2/PROJECTS/bin/virus - clamscan log.txt" -ri --bell "/home/bill"
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/System_maintenance.sbd/a_Phishing scams: Win.Malware.Upatre-11421 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI: Heuristics.Phishing.Email.SpoofedDomain FOUND
...
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8725473
Engine version: 0.102.4
Scanned directories: 8582
Scanned files: 105888
Infected files: 4
Data scanned: 15073.12 MB
Data read: 14518.76 MB (ratio 1.04:1)
Time: 6187.248 sec (103 m 7 s)

+-----+
24January2021 21h21m, end of virus - clamscan.sh

08********08 24Dec2020 download virus examples
>> I can't download? - clamscan virus protection maybe?
How do I turn off clamav for a short while?
man clamav - nyet
man clamscan
search "Linux clamscan and how do I turn it off?"
       "Linux clamscan and how do I disable it?"
>> Hmmm, can't find that option

FireFox menu -> Preferences -> Privacy & Security -> Security :
   x Deceptive Content and Dangerous Software Protection
   x Block dangerous and deceptive content (Learn more)
   x Block dangerous downloads
   x Warn you about unwanted and uncommon software
>> temporarily uncheck "Block dangerous downloads" & see what happens
>> OK - works!
DANGEROUS!!! Don't forget to reset FireFox "Block dangerous downloads" when done!!!!
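The "types" tally of 28Mar2021 and the OK/T/F/? reconciliation lists were built by hand from clamscan output. The following is an added Python example (not part of these notes) that parses the "<path>: <Signature> FOUND" lines clamscan prints, tallies them per signature, and separates Heuristics.* hits (which the notes treat as "probably OK") from signature hits; the sample log is constructed from detections quoted on this page.

```python
"""Tally ClamAV 'FOUND' lines by signature (added example, not from the notes)."""
from collections import defaultdict
import re

# Constructed sample log: FOUND lines quoted in the notes plus non-detection noise
# (a LibClamAV warning and a summary line) that the parser must ignore.
SAMPLE_LOG = """\
/media/bill/Virus_samples/Ikarus viruses/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/media/bill/Virus_samples/Ikarus viruses/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND
LibClamAV Warning: Bytecode 73 failed to run: CL_ETIMEOUT: Time limit reached
----------- SCAN SUMMARY -----------
Infected files: 4
"""

# Paths may themselves contain ": " (and spaces, apostrophes), so anchor the match on the
# signature name and the literal " FOUND" at the END of the line, not on the first colon.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_found(log_text):
    """Return [(path, signature), ...] for every FOUND line; all other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def tally(log_text):
    """Map signature -> sorted list of paths, the same shape as the notes' 'types' table."""
    by_sig = defaultdict(list)
    for path, sig in parse_found(log_text):
        by_sig[sig].append(path)
    return {sig: sorted(paths) for sig, paths in by_sig.items()}


def triage(log_text):
    """Split hits into 'review' (Heuristics.* phishing heuristics on mail folders, which the
    notes found to be probably OK) and 'infected' (a real signature matched)."""
    buckets = {"review": [], "infected": []}
    for path, sig in parse_found(log_text):
        key = "review" if sig.startswith("Heuristics.") else "infected"
        buckets[key].append((path, sig))
    return buckets


def render(log_text):
    """Render the tally like the notes: count, signature, then the paths indented below."""
    lines = []
    for sig, paths in sorted(tally(log_text).items(), key=lambda kv: -len(kv[1])):
        lines.append(f"{len(paths):>3}  {sig} FOUND")
        lines.extend(f"       {p}" for p in paths)
    return "\n".join(lines)
```

Feed it the real log with `render(open(path).read())`; a heuristic-only hit on an mbox folder is a prompt to open the folder and look at the spoofed-domain message, not a reason to quarantine the whole folder.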
+-----+
/media/bill/HOWELL_BASE/virus examples/Ikarus viruses/eicar_com.zip
The EICAR test virus is not a real virus. It is a DOS program created by the European Institute for Computer Antivirus Research, which only displays the message “EICAR-STANDARD-ANTIVIRUS-TEST-FILE” on the screen and then terminates itself. The aim of test viruses is to test the functions of an anti-malware program or to see how the program behaves when a virus is detected. Download the desired test file to your PC. If your network security does not already prevent the download of the file, the local antivirus program should start working when trying to save or execute the file. Since the Eicar test virus is the only standardized way to monitor antivirus programs “live” at work without endangering yourself, it is likely that all programs will recognize the file. However, it says nothing about the detection or other protection capabilities of the software. If the file is not detected by your virus scanner, it is advisable to investigate the reason for this, for example to detect possible malfunctions.
https://www.ikarussecurity.com/wp-content/downloads/eicar_com.zip

+----+
https://zeltser.com/malware-sample-sources/
Malware researchers frequently seek malware samples to analyze threat techniques and develop defenses.
In addition to downloading samples from known malicious URLs, researchers can obtain malware samples from the following free sources:
   ANY.RUN: Registration required
   Contagio Malware Dump: Curated, password required
   CAPE Sandbox
   Das Malwerk
   Hatching Triage: Registration required
   Hybrid Analysis: Registration required
   InQuest Malware Samples on GitHub
   KernelMode.info: Registration required
   MalShare: Registration required
   MalwareBazaar
   MalwareSamples Malware-Feed: Curated
   Malware DB
   Objective-See Collection: Mac malware
   PacketTotal: Malware inside downloadable PCAP files
   PhishingKitTracker: Phishing sites source code
   PolySwarm: Registration required
   SNDBOX: Registration required
   SoReL-20M: 10M defanged malware samples (see notes)
   theZoo aka Malware DB
   URLhaus: Links to live sites hosting malware
   VirusBay: Registration required
   VirusShare: Registration required
   VirusSign: Registration required
   Virus and Malware Samples: Includes APT, registration required
   vx-underground
   Yomi: Registration required

+-----+
focus for now on any.run
>> download to : /media/bill/Virus_samples/any.run/
I got kicked out after repeat warnings of large number of downloads (5 per short time frame)

08********08 23Dec2020 Timeout error :
https://security.stackexchange.com/questions/220909/clamav-bytecode-run-timed-out
Searching for these messages quickly leads to posts like this. Basically: you are scanning huge data and it runs in a timeout while scanning since there was a timeout configured. If you want to extend the timeout you can do on the command line as documented.
– Steffen Ullrich Nov 9 '19 at 6:21

https://unix.stackexchange.com/questions/193059/warnings-errors-when-running-clamav-clamscan-scanning-3tb-hard-drive
Here is the new command:
clamscan -r -i --remove --max-filesize=4000M --max-scansize=4000M --bytecode-timeout=190000 /DATA1
Note: I also upgraded the server's memory to 8GB, I'm not sure if clamscan loads the file to memory when it's being scanned but one post said that much and if so that is another consideration.
– somethingSomething, answered Apr 9 '15 at 12:03, edited Apr 15 '15 at 0:58

>> WRONG! What happened to old viruses?
OK  /home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/a_Phishing scams: Win.Malware.Upatre-11421 FOUND
?   /home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/System_maintenance.sbd/a_Phishing scams: Win.Malware.Upatre-11421 FOUND
T   /home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Agent-1428649 FOUND
OK  /media/bill/HOWELL_BASE/System_maintenance/viruses quarantined/.tar: Unix.Malware.Agent-1415284 FOUND
F   /media/bill/PROJECTS/System_maintenance/security/viruses quarantined/.tar: Unix.Malware.Agent-1415284 FOUND
    >> I had moved the directory, so the discrepancy is OK
T   /media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Agent-1428649 FOUND
T = trash, which would have been deleted
F = found
? = not really found! or I moved?
This leaves unaccounted :
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Inbox: Win.Malware.Generic-9777076-0 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/00_Newsgroups slow.sbd/Principia Scientific.sbd/z_Old: Heuristics.Phishing.Email.SpoofedDomain FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI: Heuristics.Phishing.Email.SpoofedDomain FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/Investments.sbd/MBNA: Heuristics.Phishing.Email.SpoofedDomain FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/z_Old/Inbox: Win.Trojan.Agent-1136914 FOUND

This directory was removed :
/media/bill/SWAPPER/Website - raw/Software programming & code/System_maintenance/security/viruses quarantined/.tar: Unix.Malware.Agent-1415284 FOUND

I need a script to save all emails in an infected Thunderbird folder as separate files.
Probably have optrs in my ijcnn mass email coding.

08********08
#!/bin/bash
# /home/bill/System_maintenance/clamscan_infected/clamscan_contaminated_script
# www.BillHowell.ca created 20Oct2013
# work on contaminated file - especially to split up Thunderbird folders to isolate bad email/files
#   1. start with one infected file at a time (should be in $dir_base)
#   2. copy file to $dir_safe (looks weird - but clamscan moves contaminated files, NOT safe ones!)
#   3. IF contaminated file is text (eg EMAIL!), using text editor - split file into MANY parts,
#      saving each part in $dir_safe
#   4. run from terminal as superuser (sudo -i) :
#
#      bash /home/bill/System_maintenance/clamscan_infected/clamscan_contaminated_script
#   5. once [phish, virus, trojan horse, worm, etc] found, move contaminated part (or whole file) to IOMEGA_HDD/Viruses etc - Clamscan
#   6. reconstruct original text or email folder if that was the file type (minus infected part, of course)
# Note that Thunderbird and AE extraction plugin DON'T actually delete emails or attachments! - so it's hard to get rid of junk!
# freshclam downloads database to default directory
#
# It's very tricky to delete a folder!!
# A. From within Thunderbird :
#   1. Check only ONE T-Bird email folder at a time!
#   2. Create a sub-folder /Local Folders/a_Clamscan/
#   3. Take note of the number of emails in
#   4. MOVE (not copy!) all good emails from [files_safe, files_toTest_1 or 2] to /Local Folders/a_Clamscan/
#   5. MOVE (not copy!) all bad emails from [files_toTest_1 or 2] to /Local Folders/a_Clamscan/files_infected
#   6. MOVE any subfolders from original to the newly created
#      /Local Folders/a_Clamscan/
#   7. CHECK that the number of emails in... " original = good + contaminated ..."
#   8. DELETE
#   9. Close down Thunderbird!!
# B. From within Dolphin fileManager /home/bill/.thunderbird/n4caryuo.default/Mail/Local Folders/ ... /
#   1. Check that [.msf file, mail files, subdirectories] associated with have been deleted
#      (actually, this appears to be the case normally, but for now a check is warranted until I have more experience)
# C. Back to Thunderbird -
#   1. Start Thunderbird up again
#   2. Move /Local Folders/a_Clamscan/ to its appropriate place in the TBird folders
#   3. Close Thunderbird, then start up again to allow files to be updated
# D. Dolphin fileManager
#   1. Double check .msf & mail files in Dolphin

dir_base="/home/bill/System_maintenance/clamscan_infected/"
dir_safe="$dir_base""files_safe/"
dir_test="$dir_base""files_to_test/"
file_script="$dir_base""clamscan_contaminated_script"
file_log="$dir_base""clamscan_contaminated_log.txt"

echo ""
echo ""
echo "**********************************************************"
echo "$file_script -> starting virus location routine, Date = $(date)"
echo >>"$file_log" ""
echo >>"$file_log" ""
echo >>"$file_log" "*******************************************************"
echo >>"$file_log" "$file_script -> starting virus location, Date = $(date)"
echo >>"$file_log" ""

echo ""
echo "cd $dir_safe"
echo >>"$file_log" ""
echo >>"$file_log" "cd $dir_safe"
# stop if the cd fails - otherwise clamscan --move would run in whatever directory we happen to be in
cd "$dir_safe" || exit 1

# don't need freshclam update for this - as will usually follow full clamscan
echo ""
echo "didn't start freshclam... no need for cleanup"
echo >>"$file_log" ""
echo >>"$file_log" "didn't start freshclam... no need for cleanup"
#freshclam >>"$file_log"

# don't need recursion as only $dir_safe itself is checked
# -i : report only infected files, -v : verbose
# --move : each infected piece is moved out of $dir_safe into $dir_test, clean pieces stay behind
# --phishing-ssl / --phishing-cloak : also flag SSL-mismatched and cloaked URLs in emails
#   (newer clamscan versions rename these --alert-phishing-ssl / --alert-phishing-cloak)
echo ""
echo "starting... clamscan >>$file_log -i --bell --move=$dir_test"
echo >>"$file_log" ""
echo >>"$file_log" "starting... clamscan >>$file_log -i --bell --move=$dir_test"
clamscan >>"$file_log" -iv --bell --phishing-ssl=yes --phishing-cloak=yes --move="$dir_test" "$dir_safe"

echo ""
echo "**********************************************************"
echo ""
echo ""
#enddoc
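The per-email split that the 28Mar2021 notes struggled with ("folder_split_emails probably drops last email? YES!") and that the 23Dec2020 note asks for ("I need a script to save all emails in an infected Thunderbird folder as separate files"), as an added Python example that is neither the author's QNial code nor the script above. A Thunderbird folder is an mbox file whose messages begin at lines starting "From " in column 0; the splitter keeps every byte of every message, including the final one that has no delimiter after it, so the pieces reassemble to the original folder and the piece holding the bad message still contains exactly the bytes clamscan matched on. The sample mbox is constructed.

```python
"""Split a Thunderbird mbox folder into one .eml file per message, byte-for-byte
(added example, not the notes' own code)."""
from pathlib import Path

# Constructed three-message mbox. Message two has a body line ">From ..." (how mbox
# writers escape a body line that would otherwise look like a delimiter); message
# three has no trailing newline or delimiter, the case that loses the last email.
SAMPLE_MBOX = (
    b"From - Mon Mar 29 10:00:00 2021\n"
    b"From: a@example.com\nSubject: one\n\nbody one\n\n"
    b"From - Mon Mar 29 10:01:00 2021\n"
    b"From: b@example.com\nSubject: two\n\n>From inside body, not a delimiter\nbody two\n\n"
    b"From - Mon Mar 29 10:02:00 2021\n"
    b"From: c@example.com\nSubject: three\n\nlast message, no trailing delimiter"
)


def split_mbox(data: bytes):
    """Return the raw messages of an mbox byte string, each with its 'From ' line kept."""
    messages = []
    current = bytearray()
    # keepends=True so every line ending survives and b"".join(messages) == data.
    for line in data.splitlines(keepends=True):
        # A message starts at a line beginning "From " in column 0 ("From:" headers and
        # ">From " body lines do not qualify). Nothing to flush before the first one.
        if line.startswith(b"From ") and current:
            messages.append(bytes(current))
            current = bytearray()
        current += line
    if current:  # the last message is ended by end-of-file, not by another "From " line
        messages.append(bytes(current))
    return messages


def write_split(mbox_path, out_dir):
    """Write each message of mbox_path as out_dir/NNNN.eml and return how many were written."""
    data = Path(mbox_path).read_bytes()
    msgs = split_mbox(data)
    if b"".join(msgs) != data:  # sanity check: no bytes lost or altered in the split
        raise RuntimeError("split does not reassemble to the original folder")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for i, msg in enumerate(msgs, 1):
        (out / f"{i:04d}.eml").write_bytes(msg)
    return len(msgs)
```

Compare the returned count with the message count Thunderbird shows for the folder before scanning the output directory with clamscan, so a silently dropped last message cannot masquerade as "no virus found".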