clamav-users August 2007 archive

[Clamav-users] Phishing Scanning

From: Roberto Ullfig <rullfig_at_nospam>
Date: Mon Aug 13 2007 - 16:24:14 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Sven Strickroth wrote:
> On 10.08.2007 19:00, Roberto Ullfig wrote:
>
>> On 2007-08-10 12:42, Roberto Ullfig wrote:
>> Actually, what we see is that nearly all viruses of the form:
>>
>> Email.Phishing.RB-12...
>>
>> stopped being detected on Aug 9 15:31 on all 12 of our servers. On one server I see only one of
>> these being detected this morning. We usually get several a minute. So, what could be the cause
>> of the absence of this virus all of a sudden?
>>
>
> The bad guys changed the mail-layout and we had to create new signatures.
>
> And yes: We remove Email.Phishing.RB-* from time to time, when those
> become useless to keep a clean/small/fast database.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
>

What determines a clean/small/fast database? Are these removals logged anywhere? I now notice that all Phishing "viruses" are gone and we're now getting Email.Ecard viruses. Was there a renaming?

Thing is, the way we work is that we run clamav first - any leftovers go to our much more resource intensive spamassassin. Now if you remove a whole bunch of signatures from the database, then spamassassin all of a sudden gets a jump in processing and in some cases our servers are overwhelmed. So, allowing clamav to start ignoring e-mail it was previously blocking is not a nice thing to do.

-- 
Roberto Ullfig - rullfig@uic.edu
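
An added example, not part of the original post or of ClamAV: one way to notice when a whole signature family stops firing, as described in this thread, before the load shifts to the next filter. It assumes clamd logging with LogTime enabled; the sample lines, paths, Email.Ecard variant numbers, and thresholds are constructed or hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed format: clamd log with LogTime on, "<ctime> -> <source>: <signature> FOUND".
LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) -> .*: (\S+) FOUND$")

def family(sig):
    """Collapse numbered variants: Email.Phishing.RB-12 -> Email.Phishing.RB."""
    return re.sub(r"-\d+$", "", sig)

def hourly_counts(lines):
    """Return {hour: Counter(family -> hits)} for every FOUND line."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            counts[ts.replace(minute=0, second=0)][family(m.group(2))] += 1
    return counts

def vanished(counts, min_baseline=3, ratio=0.1):
    """Families whose hits in the latest logged hour fell to <= ratio of
    their average over the earlier hours (thresholds are hypothetical)."""
    hours = sorted(counts)
    if len(hours) < 2:
        return []
    latest, earlier = hours[-1], hours[:-1]
    seen = set().union(*(counts[h] for h in earlier))
    flagged = []
    for fam in sorted(seen):
        baseline = sum(counts[h][fam] for h in earlier) / len(earlier)
        if baseline >= min_baseline and counts[latest][fam] <= baseline * ratio:
            flagged.append(fam)
    return flagged

# Constructed sample: Email.Phishing.RB hits at 13:00-15:00, then only
# Email.Ecard hits in the 16:00 hour.
SAMPLE = [f"Thu Aug  9 {h}:{m:02d}:00 2007 -> /var/spool/scan/msg{h}{m}: "
          f"Email.Phishing.RB-{12 + m} FOUND"
          for h, hits in [(13, 4), (14, 4), (15, 2)] for m in range(hits)]
SAMPLE += [f"Thu Aug  9 16:{m:02d}:00 2007 -> /var/spool/scan/msg16{m}: "
           f"Email.Ecard-{m + 1} FOUND" for m in range(3)]

if __name__ == "__main__":
    print(vanished(hourly_counts(SAMPLE)))
```

The comparison uses the last hour that contains any detection, so a log with no hits at all in the most recent hour needs the current time supplied separately.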