How to find which mailbox is infected

Novice

F-Secure has found a virus in the outlook.pst file. It only says 'a mailbox is infected'. As I already have several mailboxes, how do I find out which one is infected? The F-Secure suggestion of splitting email messages into different mailboxes only makes sense if it tells you which one is infected.

Any idea how to get that information?

Accepted Solutions
F-Secure

Re: How to find which mailbox is infected

Hi Raaf,

Splitting the email messages is the correct way to do it. But first, I'd recommend emptying the Junk E-mail and Deleted Items inbox. Then scan again.

In case you need steps on how to actually remove the infection in the .pst file:

1) Create a couple of temporary mail folders.
2) Then, move half of the infected mailbox to a new mailbox, compact the folders and rescan them.
3) After this, the infection should be in either one of the mailboxes.
4) Move again half of the mails from this infected box to a new one, compact the folders & rescan. Repeat this as long as needed.

In this way it is relatively fast to find out where the infection is even if the original mailbox file had thousands of messages. This also applies to mailbox files that have an unknown format where F-Secure only detects an infection in the file but cannot pinpoint the exact message.

---
Best regards,
Fendy

Has somebody helped you? Say thanks by giving kudos. Has your issue been solved? Mark the post using "Accept As Solution" button to let others know.
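
The halving procedure in the steps above, written out in Python as an added example; it is not part of the original post and is not F-Secure code. It goes beyond the single-infection case by also locating several infected messages, and it counts how many rescans are needed. `make_scanner` is a hypothetical stand-in for one "move, compact and rescan" round, and the message IDs are constructed.

```python
from typing import Callable, List, Sequence, Set, Tuple

Scan = Callable[[Sequence[str]], bool]

def make_scanner(infected: Set[str]) -> Scan:
    """Constructed stand-in for one 'move, compact and rescan' round:
    it only reports whether the group contains an infection, not which message."""
    return lambda group: any(msg in infected for msg in group)

def find_infected(messages: Sequence[str], scan: Scan) -> Tuple[List[str], int]:
    """Return (infected messages in original order, number of scans used)."""
    scans = 0
    found: List[str] = []

    def probe(group: Sequence[str]) -> bool:
        nonlocal scans
        scans += 1
        return scan(group)

    def search(group: Sequence[str]) -> None:
        # Invariant: 'group' is already known to contain an infection.
        if len(group) == 1:
            found.append(group[0])
            return
        mid = len(group) // 2
        moved, kept = group[:mid], group[mid:]  # step 2: move half to a new folder
        if probe(moved):
            search(moved)
            if probe(kept):   # several infections: the other half may be hit too
                search(kept)
        else:
            search(kept)      # moved half is clean, so the infection stayed behind

    msgs = list(messages)
    if msgs and probe(msgs):
        search(msgs)
    return found, scans

if __name__ == "__main__":
    # Constructed sample: 4096 message IDs, three of them infected.
    mailbox = [f"msg-{i:04d}" for i in range(4096)]
    scanner = make_scanner({"msg-0007", "msg-2731", "msg-4000"})
    hits, used = find_infected(mailbox, scanner)
    print(hits, f"found with {used} scans for {len(mailbox)} messages")
```
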

 

Superuser

Re: How to find which mailbox is infected

I don't use Outlook, so this is just a guess, but would each mailbox be stored in separate folders somewhere on your computer?  In that case, you may be able to select each one individually and do a right click scan for viruses on it.

Former F-Secure Employee

Re: How to find which mailbox is infected

Hi raaf,

With regard to your problem, I would suggest that you open your mailbox and delete any suspected emails that you have, and then also clean the spam mailbox. Once you have done that, kindly try to scan again. If there is still a detection, do update us.

Thanks.

Best Regards,
Jagadesan

Advocate

Re: How to find which mailbox is infected

Sorry for a late response,

I've had this happening to me and here's what I did:

Copied my .pst file

  1. Opened the .pst copy
  2. Deleted the first of my folders (mailboxes)
  3. Compacted the .pst
  4. Rescanned the .pst (with manual scan setting: All file types + Archives + Advanced Heuristics)

If a virus was still found, you just repeat these 4 steps.

NOTE! If you are infected in multiple folders you have to keep track of every scan and note how many viruses were found.

For example: you have 5 infections. You delete the first folder, compact and rescan and it now shows 4 infections. Then you had of course 1 infection in that deleted folder.

Advocate

Re: How to find which mailbox is infected

Hi again,

I just realised I may have misunderstood you:

I also had several .pst files, if that is what you mean by "mailboxes"? But in the window that shows the infections after a scan, one of the columns (in dark blue text, I think) showed the name of the .pst file. Possibly it's not visible until you make each column wider, so you really know you can see all text in every column.

Or maybe I clicked a link somewhere. I'm 100% sure it told me the .pst file somehow.

If NOT, then you just scan every .pst file one at a time.

Advocate

VBA code that extracts attachments from Outlook

If anyone finds this thread, you should know that there is a VBA program (code) that can extract and save all attachments from an Outlook folder including subfolders, so you can then easily scan the folder with all attachments to find which emails are infected. Each file name includes the name of the data file (PST), folder name, email subject and attachment name, so it's easy to identify and delete those emails in Outlook.

It only extracts the attachments because it's highly unlikely that an email body is infected. And that also heavily reduces the number of files that need to be created on the hard drive. It's been tested and proved successful with over 2 GB of emails.

Instructions and the VBA code can be found here:

http://community.f-secure.com/t5/Security/virus-s-imside-Aquarius/m-p/40627/highlight/true#M7398

In case you run into any problem, also read the following 2 pages in the linked thread above. Those cover the most likely problem scenarios.

Scholar

Re: How to find which mailbox is infected

This is ridiculous. What's needed is a programme that finds and deletes the infected message/s in Outlook or whatever other e-mail client is used. In my case my computer guru came 'round after 4 days and used software he'd written himself to find and delete the infected messages. F-Secure could integrate such software in their Internet Security suite - they simply don't want to. Nor do any of the other anti-virus software companies. Why? Their justifications are just excuses. In the meantime we have to go this farcically laborious route or delete outlook.pst altogether and start again after losing all the messages in this file. I'm amazed no software company has yet come up with a programme that deals with this problem virtually automatically, like the one my guru wrote himself.

Superuser

Re: How to find which mailbox is infected

I'm a little confused as to why the infected messages aren't detected and dealt with on arrival.
Scholar

Re: How to find which mailbox is infected

Because no anti-virus software can keep up with malware developments - by the time the latest malware has been detected and prevention added to the anti-virus software, the malware has slipped through in a lot of cases.