Virus found


STXRich
Posts: 28
Joined: Wed Dec 07, 2005 9:59 am

Postby STXRich » Wed Jan 04, 2006 6:03 pm

I just managed to get ClamAV up and running, and when I did a test with clamdscan on the data directory for Scalix (/var/opt/scalix/data) it found 2 viruses.
I believe that during the time we were getting ClamAV to run correctly these viruses made it in. The infected files are as follows:

/var/opt/scalix/data/0000020/0000jvi: Worm.Bagle.BB-gen FOUND
/var/opt/scalix/data/000001p/0000lvs: Worm.SomeFool.P FOUND

I assume that these are attachment files or actual e-mails for the users and are thus safe to delete, but I wanted to be sure before doing so. I looked to see if Clam would allow me to heal the files, but I did not find an option.

Please let me know if a simple removal of the file will work or if I need to get another AV tool to see if I can repair them.

Thanks!

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Re: Virus found

Postby ScalixSupport » Thu Jan 05, 2006 11:24 am


Hi,

Unfortunately there is no easy yes/no answer for this one. If those files happen to be serialized files containing other parts of messages, then more than just the virus will be zapped. You can use omxed to have a look at the file and its content. Once you are sure they contain the virus message only, you can move them to the /tmp directory; should things fall apart afterwards, move them back into the directories.

Most likely you will be ok after moving them.

Cheers,

Sascha.
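The move-to-/tmp-and-move-back approach Sascha describes is only as good as the record you keep of where each file came from. The script below is an added example for this thread, not Scalix or ClamAV code: it parses clamdscan's default report lines ("<path>: <signature> FOUND"), moves each flagged file out of the store root into a quarantine directory while preserving its relative path, and writes a manifest (original path, hash, mode, link count) so the move can be reversed exactly. Paths outside the supplied store root are refused rather than moved. The store root, quarantine directory and report format are assumptions; the sample report in the test is constructed.

```python
"""Quarantine the files a clamdscan run flagged, reversibly.

Added example for this thread; it is not Scalix or ClamAV code.  Assumed:
the report is in clamdscan's default one-line-per-file format
("<path>: <signature> FOUND"), and both the store root and the quarantine
directory are supplied by the caller.
"""

import hashlib
import json
import os
import re
import shutil
from pathlib import Path

# clamdscan prints "<path>: <signature> FOUND" for each infected file.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clam_report(report_text):
    """Return [(path, signature), ...] for every FOUND line in a report."""
    hits = []
    for line in report_text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(hits, store_root, quarantine_dir):
    """Move each flagged file out of store_root into quarantine_dir, keeping
    its relative path, and write manifest.json so the move can be undone.

    A path outside store_root is refused: a report taken from another scan
    (or a tampered one) must not make this tool move arbitrary files.
    """
    store_root = Path(store_root).resolve()
    quarantine_dir = Path(quarantine_dir).resolve()
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for path, sig in hits:
        src = Path(path).resolve()
        entry = {"orig": str(src), "signature": sig}
        try:
            rel = src.relative_to(store_root)
        except ValueError:
            entry["skipped"] = "outside store root"
            manifest.append(entry)
            continue
        if not src.is_file():
            entry["skipped"] = "missing"
            manifest.append(entry)
            continue
        st = src.stat()
        dst = quarantine_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        entry.update({
            "quarantined": str(dst),
            "sha256": sha256_of(src),
            "mode": oct(st.st_mode & 0o777),
            # >1 means other directory entries still point at this inode:
            # moving this name does not make the content unreachable.
            "nlink": st.st_nlink,
        })
        shutil.move(str(src), str(dst))
        manifest.append(entry)
    with open(quarantine_dir / "manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def restore(quarantine_dir):
    """Move quarantined files back where they came from, after checking
    that each still matches the hash recorded at quarantine time.
    Returns the list of restored paths."""
    quarantine_dir = Path(quarantine_dir)
    with open(quarantine_dir / "manifest.json") as f:
        manifest = json.load(f)
    restored = []
    for entry in manifest:
        if "skipped" in entry:
            continue
        src = Path(entry["quarantined"])
        if sha256_of(src) != entry["sha256"]:
            raise RuntimeError("quarantined copy of %s was altered" % entry["orig"])
        dst = Path(entry["orig"])
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        os.chmod(dst, int(entry["mode"], 8))
        restored.append(str(dst))
    return restored


if __name__ == "__main__":
    import sys
    # usage: quarantine.py REPORT STORE_ROOT QUARANTINE_DIR
    report, root, qdir = sys.argv[1:4]
    with open(report) as f:
        for e in quarantine(parse_clam_report(f.read()), root, qdir):
            print(e)
```

Two practical points: run it as the user that owns the store so modes survive the round trip, and check the recorded nlink before treating a move as removal; a link count above one means the same inode is still reachable under another name.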

STXRich
Posts: 28
Joined: Wed Dec 07, 2005 9:59 am

Postby STXRich » Thu Jan 05, 2006 4:24 pm

I ran omxed on it, and it appears to be mostly gobbledygook. Perhaps a MIME encoding.

Is there any other method of determining where this file might be residing?

For instance, do the data directories or data filenames map to anything helpful? For example the user directories are the Base32 version of their internal id number.


Thanks
-Rich-

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Fri Jan 06, 2006 5:37 am

It is a bit more problematic with files that are located in the data directory, as they might be linked into more than one user's mailbox, as is the case for multi-recipient messages.

The only way to reliably find out what the structure is, is to look at a full index of the files in the message store.

This can be created using the omscan -A -l command and then applying the resulting "structure log" to an "Item Structure Database" or ISDB; the command to use is omupdtis. Then omdumpis can be used to look at the ISDB.

You can find more information on the subject in a Knowledgebase article called ISDB, ISS and SUR (Item Structure Database, Item Structure Server and Single User Restore).

Maybe, as an alternative, you can get the subject out of the MIME you're seeing and then try to find and eventually delete the message using the omtidyallu command.

Thx,
F.
Florian von Kurnatowski, Die Harder!
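Florian's fallback is to pull the subject out of the MIME text and locate the message that way. The function below is an added example for this thread, not Scalix code: it finds the start of the RFC 822 header block even when store-internal bytes precede it (the way grep -a would), then lets the standard library unfold continuation lines and decode RFC 2047 encoded words so that Subject, Message-ID and the recipient list come out as plain, searchable strings. A file that holds only an attachment body yields an empty result rather than a guess. The sample message is constructed; the assumption is that the file carries the message as RFC 822/MIME text somewhere inside it.

```python
"""Recover the addressing headers from a raw message file in the store.

Added example for this thread; it is not Scalix code.  Assumed: the file
carries the message as RFC 822/MIME text, possibly preceded by bytes that
belong to the store's own serialization rather than to the message.
"""

import re
from email import policy
from email.parser import BytesParser

# A line beginning with a common top-level header marks the start of the
# header block.  Searching anywhere in the data (the way `grep -a` would)
# skips any store-internal bytes that precede the message text.
HEADER_START = re.compile(
    rb"(?im)^(?:Received|Return-Path|From|Sender|To|Subject|Message-ID|Date):")

WANTED = ("From", "To", "Cc", "Date", "Subject", "Message-ID")


def message_headers(raw):
    """Return {header: decoded value} for the headers in WANTED, or {} when
    the data holds no header block at all (a bare attachment body, say)."""
    m = HEADER_START.search(raw)
    if not m:
        return {}
    # headersonly=True stops at the first blank line, so an encoded body or
    # a truncated file does not matter here.
    msg = BytesParser(policy=policy.default).parsebytes(
        raw[m.start():], headersonly=True)
    found = {}
    for name in WANTED:
        value = msg.get(name)
        if value is not None:
            # policy.default unfolds continuation lines and decodes RFC 2047
            # encoded words, so the subject is searchable as plain text.
            found[name] = str(value)
    return found


# Constructed sample: store-internal bytes, then a message with a folded,
# RFC 2047-encoded Subject and a multi-recipient To: header.
SAMPLE = (
    b"\x00\x01\x7f store bytes \xff\xfe\r\n"
    b"Received: from mx.example.test by scalix.example.test\r\n"
    b"From: alice@example.test\r\n"
    b"To: bob@example.test,\r\n"
    b" carol@example.test\r\n"
    b"Subject: =?utf-8?b?UHJpY2UgbGlzdA==?= for\r\n"
    b" Q1\r\n"
    b"Message-ID: <20060104180300.abc@example.test>\r\n"
    b"Date: Wed, 04 Jan 2006 18:03:00 +0000\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"body text\r\n"
)

if __name__ == "__main__":
    import sys
    # usage: headers.py /var/opt/scalix/data/<dir>/<file>   (or no argument for SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for k, v in message_headers(data).items():
        print("%s: %s" % (k, v))
```

The To/Cc list is what tells you which mailboxes a multi-recipient message may be linked into, and the Message-ID is a more reliable search key than a subject line that a worm reuses across thousands of messages.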

