Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Dear friends:

Is there an Antivirus that can search *on demand* for malware in the
Outlook database?

Please note that I don't mean a real time check (any Antivirus does
it), but an on demand check of all the Outlook Email database,
including its attachments.

My OS is Windows XP SP3


Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

On Wed, 11 Feb 2009 11:21:20 -0300, Juan I. Cahis

Quoted text here. Click to load it


Most any of them will do an on-demand scan of whatever directories you
choose.

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Dear Bill & friends


Quoted text here. Click to load it

Yes, but they will not scan, on demand, inside Outlook's PST files.


Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

On 02/11/2009 11:44 AM, Juan I. Cahis sent:
Quoted text here. Click to load it

Hello Juan:

It /seems/ as if BitDefenderŪ and avast! will identify some infected PST
files.  However, it appears as if the infected file(s) is/are only
identified and might need to be dealt with manually.

Of course more antimalware scanners might identify infected PST files.
If you can find an ISP that will allow it, maybe this can be tested with
the benign EICAR test file in the message body and as an attachment.

HTH

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?


| Hello Juan:

| It /seems/ as if BitDefenderŪ and avast! will identify some infected PST
| files.  However, it appears as if the infected file(s) is/are only
| identified and might need to be dealt with manually.

| Of course more antimalware scanners might identify infected PST files.
| If you can find an ISP that will allow it, maybe this can be tested with
| the benign EICAR test file in the message body and as an attachment.

| HTH

| Pete
| --
| 1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

PST files, aka; personal folders, do NOT get infected.
They are compressed databases of email messages and any anti virus solution must
install a
a MAPI compliant anti virus solution to scan within a PST from withing the MS
Office
Outlook application.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Dear David & friends:


Quoted text here. Click to load it

I agree with you, except when that you suspect that your MAPI real
time antivirus utility was unable to detect some infected inbound
email.

And this is my situation.

Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Juan wrote:

Quoted text here. Click to load it

Considering that the e-mail is converted to records in a format that is
proprietary to Microsoft's database file (.pst), and considering that
the pest cannot do anything unless it gets extracted from that message
store to put into its own file on the hard disk (and still can't do
anything until loaded into memory), an infected e-mail inside the .pst
file is harmless.  It cannot run from there.  Eventually YOU will have
to deliberately choose to extract the attached file to saved into its
own file.  It will be then that the on-access (real-time) scanner in
your anti-virus software or other security software that you use will
detect the pest (i.e., when a file gets created for it).

That is why e-mail scanning is superfluous.  It adds *no* additional
coverage for pest detection.  When the e-mail scanner interrogates the
e-mail traffic or when you save the attachment, the same engine,
signatures, and heuristics are employed to detect the pest.  E-mail
scanning or changes to the file is when the pest is detected.  Scanning
the e-mail traffic attempts to move *earlier* when you detect the pest
as long as it hasn't been convoluted into some encrypted format for the
attached file that secretes the pest. E-mail scanning does NOT improve
*coverage* for detection of the pest.  However, e-mail scanning almost
always incurs a delay in data transmission either through it as a
transparent proxy or by the AV program behaving like the mail server
and accepting the entire e-mail, scanning it, and then passing it on as
the client connecting to the real mail server.  This delay can and
often does cause timeouts.  A problem with an AV scanner that behaves
as the mail server to accept the entire message to scan it will show in
the real e-mail client as successfully sent when there still can be a
transmission problem between from the AV program that captured the
message to its sending of it to the real mail server (so you have to
check the logs of the AV program).  Often the suggestion is to disable
e-mail scanning (or uninstalling the AV program and doing a custom
install that omits the e-mail scan component) since it provides no
additional protection.

On-demand scans are mostly useless (based upon the expections of users)
on a host where the on-access scanner is always running.  Nothing runs
unless it gets loaded into memory.  The pest has to be loaded from a
file somewhere (extracted, decrypted, unzipped, wrote on-the-fly, or
whatever to create the file) at which time the on-access scanner nabs
the pest.  If the on-access scanner cannot discover the pest, neither
can the on-demand scanner.  The on-demand scan looks for dormant pests.
 There may be times when you may disable your anti-virus software, or
you boot into Safe Mode, or otherwise leave your system open to
infection.  The pest gets saved into a file.  When your anti-virus
program is running, it is only checking what gets loaded into memory
and files that are getting created or modified (some reduce overhead by
just checking the file when it is read or used to load an image into
memory).  A dormant pest sitting in a file that doesn't get read,
written, or created won't be discovered by the on-access scanner simply
because there has been no *access* to the infected file.  The manual
scan goes looking at the files themselves to see if they have been
infected.  So a dormant pest not doing anything is an ineffective
infestation and when it goes active gets detected by the on-access
scanner.  The on-demand scan is simply if you don't like to have
dormant pests laying around on your hard disk in yet-to-be-accessed
files.

The real protection is in the on-access scanner, not in the on-demand
scanner.  On-demand scanning is just a cleanup function of a
*potential* infection for a dormant pest sitting in a non-accessed
file.  I do have a scheduled event to run an daily on-demand scan
during the early morning when I'm not at the host.  However, I rely on
the on-access scanner to protect my host. There are times that I must
disable several or all of my security programs during testing or
diagnosis and it is during those times when possibly an infected file
could get on my hard disk.  When protection is reenabled, it's the
on-access scanner that will detect the presence of an active pest.
Unless the pest's file that got onto my host during a window of
opportunity gets read or executed, it remains dormant and exhibits no
ill effects.  The on-demand scan is just to cleanup any of those
dormant pests simply to reduce the chance that they may get executed
later - but then the on-access scanner will catch them at that time.

When on-demand scanning is truly important is when you suspect a host
is already infected.  You may not be able to install or run the
on-access protection but you might be able to run the on-demand scanner
from a USB thumb drive, CD drive, or floppy.  If you are considering
how to keep your host protected, it's the on-access scanner that is of
importance to you.  If you are considering troubleshooting already
infected hosts, like helping someone else disinfect their host, then
the on-demand scanner is more important.  Since this is your host and
you have already installed an anti-virus product whose on-access
scanner is always running, the on-demand scan doesn't offer any
additional protection.

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Dear friend, thank a lot for your long and clarifying message. But I
have a question: If you do an "on demand" check from an USB drive or a
CD drive, will the antivirus be able to locate and to check the host
(drive "C:") registry and to clean it, or will it check for suspicious
files only?


Quoted text here. Click to load it
Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Juan I. Cahis wrote:

Quoted text here. Click to load it

The pest will be in a file, not in the registry.  Any entries in the
registry will be pointing at the infected file, like a Run or WinLogon
Event registry key pointing at the infected file to load the pest from
there.  With the pest detected and its file eradicated, it is possible
that registry entries will continue pointing at the file but the file
doesn't exist anymore.  I have seen users report about an error message
on startup about a missing file because it was deleted during
disinfection, but then you find the registry entry and update or delete
it (SysInternals' AutoRuns is handy for finding all startup items).
Sometimes the error simply requires de-registering the missing file
("regsrv32.exe /u <file>"), like disinfection left behind an entry that,
for example, was a shell extension for Windows/Internet Explorer.

Since MalwareBytes Anti-Malware (MBAM) goes cleaning out entries in the
registry (and sometimes they are tweaks that you want but could also be
a behavior used by malware so you will have to reset after the
disinfection), I'm sure that other anti-virus/malware products also
touch the registry during disinfection.  Almost invariably, disinfection
leaves behind some remnant(s) of a pest, like an auxilliary but non-
substantive file or registry entry.  Different anti-malware products
have different levels of cleanliness regarding their disinfection.
While I have found some sites that can help guage the efficacy of
various anti-virus products, I don't know of one that measures how well
they compare against each other regarding how "clean" is the host after
each one disinfects a known pest.

Perhaps your question was a bit more basic, like "Can the registry files
be read other than for the currently loaded OS?"  Yes.  In fact, that's
the point of the Import albeit clumsy function in regedit.exe.  It is
possible to transport the .dat files over to another host or bring the
hard disk over to another host or load another instance of the OS in
another partition on the same or other hard disk in the same host and
have its regedit.exe read the registry for the non-running OS.  The are
other utilities besides regedit.exe that can read the registry.
Regedit, these other utilities, or any program that wants to read the
registry just uses system API calls to do so.  Likewise an anti-malware
product loaded under a different instance of the OS can still read the
registry files for the non-running OS.

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Dear Pete & friends:


Quoted text here. Click to load it

Yes, BitDefender worked like a charm and it has a free version that it
can do it. It took one hour to check inside my PST files storing
235000 emails collected from 12 years, and it found two of them
infected. I suspected that my normal real time MAPI antivirus was not
able to detect these virus when they arrived in an inbound email.

But it is very important to be aware that BitDefender's free version
is "on demand" only and it doesn't give you any "real time"
protection. So, it is very good in order to have a "second opinion" of
the health of your machine, or also to check your PST files off line.

I used this URL to get it::

http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html


Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

On 02/12/2009 06:37 AM, Juan I. Cahis sent:

Snip, snip...

Quoted text here. Click to load it

Hello Juan:

After BitDefender had located the two suspected files, were you able to
identify and independently confirm the results?  If so, by what name(s)
were these infections identified?

Warm regards,

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Dear Pete & friends, see the report at the bottom of this message.


Quoted text here. Click to load it


//-----------------------------------------------------------------
//
//    Product BitDefender Free Edition v10
//    Product 10.2
//
//    Created on:    11/02/2009    20:37:16
//
//-----------------------------------------------------------------


Virus Statistics

Scan path    : C:\Documents and Settings\PCU32NP2\Local
Settings\Application Data\Microsoft\Outlook
=46olders    : 1
=46iles    :  234914
Memory processes scanned    : 0
Archives    : 1501=20
Runtime packers    : 92180
Identified viruses    : 2
Infected files    : 2
Memory processes infected    : 0
Suspect files    : 2
Warnings    : 0
Disinfected files    : 0
Deleted files    : 0
Moved files    : 0
I/O errors    : 0
Scan time    : 00:52:35
Scan speed (files/sec)    : 74

Spyware Statistics

Registry keys scanned        : 0
Registry keys infected        : 0
Cookies scanned            : 0
Cookies infected        : 0
Spyware files infected            : 0
Spyware threats detected    : 0


Virus definitions    : 2640433
Scan plugins    : 17
Archive plugins    : 45
Unpack plugins    : 7
Mail plugins    : 6
System plugins    : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

=46ile mask
[ ] Programs
[X] All files
[ ] User defined extensions:=20
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\PCU32NP2\Application
Data\BitDefender\Desktop\Profiles\Logs\user_000134395435.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\Documents and Settings\PCU32NP2\Local Settings\Application
Data\Microsoft\Outlook\ARCHIVE.PST=3D>[Subject: ??una-al-dia
(19/08/2003) Alerta: gusano Sobig.F se propaga masivamente][From:
unaaldia-admin@hispasec.com]=3D>(body)=3D>(Compressed Rtf)    Infected:
Generic.Qhost.FE37E1FF

C:\Documents and Settings\PCU32NP2\Local Settings\Application
Data\Microsoft\Outlook\ARCHIVE.PST=3D>[Subject: ??una-al-dia
(19/08/2003) Alerta: gusano Sobig.F se propaga masivamente][From:
unaaldia-admin@hispasec.com]=3D>(body)=3D>(Compressed Rtf)    Disinfection
failed

C:\Documents and Settings\PCU32NP2\Local Settings\Application
Data\Microsoft\Outlook\ARCHIVE.PST=3D>[Subject: ??una-al-dia
(19/01/2004) "Bagle", nuevo gusano de propagaci?n masiva][From:
unaaldia-admin@hispasec.com]=3D>(body)=3D>(Compressed Rtf)    Infected:
Generic.Qhost.677D8E60

C:\Documents and Settings\PCU32NP2\Local Settings\Application
Data\Microsoft\Outlook\ARCHIVE.PST=3D>[Subject: ??una-al-dia
(19/01/2004) "Bagle", nuevo gusano de propagaci?n masiva][From:
unaaldia-admin@hispasec.com]=3D>(body)=3D>(Compressed Rtf)    Disinfection
failed

C:\Documents and Settings\PCU32NP2\Local Settings\Application
Data\Microsoft\Outlook\Eudora.pst=3D>[Subject: ??Eager to see you][From:
musicnews]=3D>(body)=3D>(Compressed Rtf)    Suspect:
Exploit.Iframe.Vulnerability

C:\Documents and Settings\PCU32NP2\Local Settings\Application
Data\Microsoft\Outlook\Eudora.pst=3D>[Subject: ??Re: nieuwe
computer][From: Hans]=3D>(body)=3D>(Compressed Rtf)    Suspect:
Exploit.Iframe.Vulnerability


Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Juan I. Cahis wrote:

Quoted text here. Click to load it

So while Bitdefender could detect a claimed pest in the specified e-mail
records, it could not disinfect them.  It FAILED the disinfection.
Restructuring the .pst file without using Outlook is probably not
something they support.  They just report the suspect e-mails and then
it is up to you to determine what to do with them.  Since it gave you
the Subject and From headers for the supposedly infected e-mails, you
can open the .pst file using Outlook, search on the Subject or From, and
then delete those e-mails.  

Deleting an item does not physically remove it from the .pst file but
merely changes its status to Deleted.  Outlook will not display
delete-marked items.  You must compact the message store to physically
purged the delete-marked items.  Looks like you have 4 e-mails to find
in Outlook to delete them and then compact its message store to actually
eradicate them.

Remember that any backups that you have saved of your .pst file are have
those infected e-mails.  If you ever restore those copies of the .pst
file, those infected e-mails may return (depends on when they showed up
in the .pst file versus which copy of the .pst file from backups that
you choose to restore).

I'm not sure that I'd care about the iframe vulnerability.  It doesn't
explain what is the vulnerability.  Could be simply telling you that the
content of the iframe gets retrieved from a different source than for
the rest of the body of the HTML-formatted e-mail.  If you have the
option enabled in Outlook to not display externally linked content then
you won't see that external content.  But, again, I'm not sure what they
mean by this vague "pest" category.  Could be they are talking about
something like http://www.secureworks.com/research/threats/iframeads /.
In that case, and because it is possible that you may render the
HTML-formatted e-mails using an unpatched or older version of Internet
Explorer then you probably do want to delete those e-mails followed by a
compaction.

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?


| Juan I. Cahis wrote:

Quoted text here. Click to load it




| So while Bitdefender could detect a claimed pest in the specified e-mail
| records, it could not disinfect them.  It FAILED the disinfection.
| Restructuring the .pst file without using Outlook is probably not
| something they support.  They just report the suspect e-mails and then
| it is up to you to determine what to do with them.  Since it gave you
| the Subject and From headers for the supposedly infected e-mails, you
| can open the .pst file using Outlook, search on the Subject or From, and
| then delete those e-mails.

| Deleting an item does not physically remove it from the .pst file but
| merely changes its status to Deleted.  Outlook will not display
| delete-marked items.  You must compact the message store to physically
| purged the delete-marked items.  Looks like you have 4 e-mails to find
| in Outlook to delete them and then compact its message store to actually
| eradicate them.

| Remember that any backups that you have saved of your .pst file are have
| those infected e-mails.  If you ever restore those copies of the .pst
| file, those infected e-mails may return (depends on when they showed up
| in the .pst file versus which copy of the .pst file from backups that
| you choose to restore).

| I'm not sure that I'd care about the iframe vulnerability.  It doesn't
| explain what is the vulnerability.  Could be simply telling you that the
| content of the iframe gets retrieved from a different source than for
| the rest of the body of the HTML-formatted e-mail.  If you have the
| option enabled in Outlook to not display externally linked content then
| you won't see that external content.  But, again, I'm not sure what they
| mean by this vague "pest" category.  Could be they are talking about
| something like http://www.secureworks.com/research/threats/iframeads /.
| In that case, and because it is possible that you may render the
| HTML-formatted e-mails using an unpatched or older version of Internet
| Explorer then you probably do want to delete those e-mails followed by a
| compaction.

Once the email is identified, either the email has to be deleted using the AV
software or
manually.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?


< snip >

| Summary:

| C:\Documents and Settings\PCU32NP2\Local Settings\Application
| Data\Microsoft\Outlook\ARCHIVE.PST=>[Subject: ??una-al-dia
| (19/08/2003) Alerta: gusano Sobig.F se propaga masivamente][From:
| unaaldia-admin@hispasec.com]=>(body)=>(Compressed Rtf) Infected:
| Generic.Qhost.FE37E1FF

| C:\Documents and Settings\PCU32NP2\Local Settings\Application
| Data\Microsoft\Outlook\ARCHIVE.PST=>[Subject: ??una-al-dia
| (19/08/2003) Alerta: gusano Sobig.F se propaga masivamente][From:
| unaaldia-admin@hispasec.com]=>(body)=>(Compressed Rtf) Disinfection
| failed

| C:\Documents and Settings\PCU32NP2\Local Settings\Application
| Data\Microsoft\Outlook\ARCHIVE.PST=>[Subject: ??una-al-dia
| (19/01/2004) "Bagle", nuevo gusano de propagaci?n masiva][From:
| unaaldia-admin@hispasec.com]=>(body)=>(Compressed Rtf) Infected:
| Generic.Qhost.677D8E60

| C:\Documents and Settings\PCU32NP2\Local Settings\Application
| Data\Microsoft\Outlook\ARCHIVE.PST=>[Subject: ??una-al-dia
| (19/01/2004) "Bagle", nuevo gusano de propagaci?n masiva][From:
| unaaldia-admin@hispasec.com]=>(body)=>(Compressed Rtf) Disinfection
| failed

| C:\Documents and Settings\PCU32NP2\Local Settings\Application
| Data\Microsoft\Outlook\Eudora.pst=>[Subject: ??Eager to see you][From:
| musicnews]=>(body)=>(Compressed Rtf) Suspect:
| Exploit.Iframe.Vulnerability

| C:\Documents and Settings\PCU32NP2\Local Settings\Application
| Data\Microsoft\Outlook\Eudora.pst=>[Subject: ??Re: nieuwe
| computer][From: Hans]=>(body)=>(Compressed Rtf) Suspect:
| Exploit.Iframe.Vulnerability


| Thanks
| Juan I. Cahis
| Santiago de Chile (South America)
| Note: Please forgive me for my bad English, I am trying to improve it!

Nothing major there.

Qhost is a trojan that usually just modifies the hosts file.
Exploit.Iframe. means that an email was received in HTML format using an IFrame
exploit.

The Sobig and Bagle are bad.  The are mass mailing email worms.  They are OLD
and should
never have been stored in a PST.

This shows you are NOT managing your PST files as well as you should.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Dear David & friends:


Quoted text here. Click to load it

I agree, but standard real time antivirus, even from well known
manufacturers, are not 100% reliable.

Quoted text here. Click to load it

I AM managing my PST files as well as I should. As I mentioned earlier
in another message in this thread, I suspected that my normal real
time antivirus, from a very well known manufacturer, was not detecting
always the malware in incoming emails. That was the reason because I
wanted a "second opinion", as I mentioned it earlier.

Why should you trust that your normal real time antivirus will be
reliable in 100% of the situations? Maybe if you ask for an exhaustive
"second opinion" in your PC, including inside the PST files, you will
be surprised too!!!!!


Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

Juan I. Cahis wrote:

Quoted text here. Click to load it

You could try the online test site that incorporates numerous scan
engines and have it analyzed by all the major AV producers.

http://virusscan.jotti.org /
http://www.virustotal.com /

--
"From each according to his abilities, to each according to his needs."
~ Karl Marx

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?


| Dear Bill & friends


Quoted text here. Click to load it




| Yes, but they will not scan, on demand, inside Outlook's PST files.


| Thanks
| Juan I. Cahis
| Santiago de Chile (South America)
| Note: Please forgive me for my bad English, I am trying to improve it!

You need a MAPI compliant enterprise anti virus solution such as from Symantec
and from
McAfee ( not to be confused with their retail versions).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?

David H. Lipman, 2/11/2009,5:10:18 PM, wrote:

Quoted text here. Click to load it

Can you explain this please?

Re: Is there an Antivirus that can search *on demand* for malware in the Outlook DB?



Quoted text here. Click to load it

| Can you explain this please?

There are two major email APIs.  One from Microsoft and one from Lotus/IBM.

MAPI - Email Messaging Application Programming Interface (Microsoft)
VIM - Vendor Independent Messaging (Lotus/IBM)

For a given anti virus application to scan items within MS Office Outlook the AV
application needs to MAPI compliant.

For a given anti virus application to scan items within Lotus Notes the AV
application
needs to VIM compliant.

Since they are enterprise email applicatiosn you'll find enterprise AV solutions
are
usually compliant with these APIs.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Site Timeline