How to find the email a threat is coming from?

A friend of mine has been getting a couple of threat notifications from Sophos Anti-Virus with the text "Virus/Spyware Troj-Redir-T has been detected and listed in Quarantine Manager". Obviously somebody is sending her this virus again and again. The threat seems to be in an attachment by the name FullDetails.html but she has no idea with which emails these attachments are being sent to her. She has no emails with such an attachment - possibly because Anti-Virus removed the attachment from such emails.

Is there a possibility to find out the exact email that contains the threat?

If not - why not? Are there possibly other products (whether from Sophos or a different company) that would be more specific about the origin of such a threat?

Thanks for your help.

:1010968


This thread was automatically locked due to age.
  • I guess the fact that my original question is not getting answered means that Sophos Anti-Virus cannot identify an email that had an attachment with a virus after the attachment has been (automatically) detached from that email. That's a pity and it seriously minimizes the usability of this product.

    It still would be good to know if there is any other anti-virus product that can do this. Does anybody here know of such a product?

    :1010972
  • Hello desertman,

    SAV Mac HE's basic strategy is to scan files - it neither intercepts data transfers nor does it hook or track applications. While it inspects containers (like archives) it does not attempt to decode all of them (which would be unfeasible anyway) but relies on the application to do so. This might seem a shortcoming but it isn't. An "attachment" is just a bunch of bytes with no particular meaning and impact unless properly unpacked, decoded and instantiated as a specific object. Furthermore - considering email in particular - a mail client needn't use a "known" format for storing the messages, thus scanning them might be moot anyway.

    Once the client "detaches" an attachment it is of course subject to scanning. But then it contains no information about its origins - so you can't trace it back. There is no meta-data saying Extracted from ... by ....  If a client automatically extracts possible attachments only it knows where it has taken them from. The client has to keep a stub in order to be able to present you the attachment - thus if an AV scanner removed an offending file it's the mail client which would have to tell you message xyz had an attachment, I've stored it away but can't find it anymore. Anyway - Sophos does not modify the original mail.

    As for "identifying" the email - what might it help? Rarely can you trace it back to a single compromised account or a certain person - although I won't rule it out. But then, if you can make use of the information in the email's headers you normally don't have to ask how to identify in the first place. No insult meant though.

    Christian

    :1010976
  • Hello Christian,

    Thanks for your reply. Sophos Anti-Virus reported a threat within a file FullDetails.html, said the file is in the "Quarantine Manager" and pointed to a location very deep within the Mail folder within the user's Library folder. However, there is no email with such an attachment. There is even no email at all with any attachment on the day in question. That's why I am asking how to find the email that this threat was coming with originally, and I assumed - obviously incorrectly - that Sophos Anti-Virus had moved the file from the email to some "safe" place.

    You write: "As for "identifying" the email - what might it help?" A lot. I could write the person who has sent me this email and let the person know that his or her computer seems to be infected or hijacked by some malware and is sending out viruses to other people.

    So the question now is more: Why is there no email with an attachment FullDetails.html if Sophos Anti-Virus reports such a threat?

    Greetings - desertman

    :1011058
  • Hello desertman,

    "I could write the person who has sent me this email"

    that's what I assumed you want to do. You apparently have more than some knowledge, nevertheless it is often (almost) impossible to identify the originating computer or account. Nowadays in most cases the relevant information is either suppressed or cleverly hidden (the malware writers are no idiots in that respect) and the apparent (and pretended) sender is an innocent victim.

    "Why is there no email with an attachment"

    Is the mail client Mail? Just a guess - it might be contained in an older mail, get temporarily extracted, blocked and subsequently (automatically) deleted from the temporary location.

    Christian 

    :1011072
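Two points in this thread can be shown in code: the scanner only sees a detached file with no link back to its message, so the search for the origin has to be done in the mail store itself, and the Received chain is the only origin evidence the message carries, with only the hops added by your own servers being trustworthy. The script below is an added example, written for this thread and not taken from Sophos or from any poster. It walks a directory of stored messages (plain .eml files, or Apple Mail .emlx files, which wrap the message in a byte-count line and a plist trailer), reports every message whose MIME parts declare a given attachment filename, and lists the Received hops in delivery order. The mailbox it searches is constructed inline, and the "FullDetails.html" part it contains is a harmless placeholder, so it runs offline.

```python
"""Find which stored message carried a given attachment filename.

Added example for this thread (not Sophos code, not a poster's code). It
assumes messages are stored as .eml or Apple Mail .emlx files under one
directory. The mailbox built by build_sample_mailbox() is constructed; the
attachment inside it is a harmless placeholder, not the quarantined file.
"""
from __future__ import annotations

import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import Path


def strip_emlx_envelope(data: bytes) -> bytes:
    """Return the RFC 5322 message inside an Apple Mail .emlx file.

    An .emlx file is a decimal byte count on its first line, then the raw
    message, then an XML plist of Mail.app metadata. Plain .eml data (no
    count line) is returned unchanged.
    """
    newline = data.find(b"\n")
    if newline != -1 and data[:newline].strip().isdigit():
        length = int(data[:newline])
        return data[newline + 1 : newline + 1 + length]
    return data


def parse_message(data: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(strip_emlx_envelope(data))


def attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames declared by any MIME part, nested multiparts included."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def delivery_hops(msg: EmailMessage) -> list[str]:
    """Received headers in delivery order (earliest hop first).

    Each MTA prepends its Received header, so the topmost one is the last
    hop. Only the hops written by your own servers are reliable; everything
    below them was supplied by the sending side and can be forged.
    """
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def find_messages_with_attachment(mail_root: str | os.PathLike, filename: str) -> list[dict]:
    """Search .eml/.emlx files under mail_root for a part named `filename`."""
    hits = []
    for path in sorted(Path(mail_root).rglob("*")):
        if path.suffix.lower() not in (".eml", ".emlx"):
            continue
        msg = parse_message(path.read_bytes())
        if filename in attachment_names(msg):
            hits.append({
                "path": str(path),
                "from": str(msg.get("From", "")),
                "date": str(msg.get("Date", "")),
                "message_id": str(msg.get("Message-ID", "")),
                "hops": delivery_hops(msg),
            })
    return hits


def build_sample_mailbox(root: Path) -> None:
    """Write two constructed messages; only the first carries the attachment."""
    carrier = EmailMessage()
    carrier["From"] = "Alice Example <alice@example.org>"
    carrier["To"] = "user@example.com"
    carrier["Date"] = "Mon, 01 Jan 2024 10:00:00 +0000"
    carrier["Message-ID"] = "<constructed-1@example.org>"
    # Header order mirrors real delivery: last hop on top, first hop at the bottom.
    carrier["Received"] = ("from mx.example.net (mx.example.net [192.0.2.10]) "
                           "by mail.example.com with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000")
    carrier["Received"] = ("from [198.51.100.7] (unknown [198.51.100.7]) "
                           "by mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000")
    carrier.set_content("Details attached.")
    # Harmless placeholder standing in for the quarantined file (constructed).
    carrier.add_attachment("<html><body>placeholder</body></html>",
                           subtype="html", filename="FullDetails.html")
    raw = carrier.as_bytes()
    # Store it the way Apple Mail does: count line, message, plist trailer.
    (root / "Messages").mkdir(parents=True, exist_ok=True)
    (root / "Messages" / "1.emlx").write_bytes(
        b"%d\n" % len(raw) + raw + b'<?xml version="1.0"?><plist/>\n')

    plain = EmailMessage()
    plain["From"] = "bob@example.org"
    plain["To"] = "user@example.com"
    plain["Message-ID"] = "<constructed-2@example.org>"
    plain.set_content("No attachment here.")
    (root / "2.eml").write_bytes(plain.as_bytes())


def run_demo() -> list[dict]:
    """Build the constructed mailbox in a temp dir and search it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_mailbox(root)
        return find_messages_with_attachment(root, "FullDetails.html")


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']}\n  From: {hit['from']}\n  Message-ID: {hit['message_id']}")
        for i, hop in enumerate(hit["hops"], 1):
            print(f"  hop {i}: {hop}")
```

Pointed at a real Mail folder instead of the temp directory, the same `find_messages_with_attachment()` call answers the question the thread left open: which stored message declared a part with that filename, even when the client no longer displays it. The hop list is printed in delivery order so that the reader can stop trusting it at the first hop not written by their own provider; as Christian notes above, what lies below that point is whatever the sender chose to put there.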