Micah wrote:
>>> http://www.clamav.org/support/faq/ (the 8th item in Miscellaneous) says:
>> The entire process takes less than a minute here on a file of around 4g in 
>> size.
>>
>> dp
>>
> 
> Okay, so I used mb2md to convert the mbox to 1692 files and then ran the 
> scanner.  Check this out:
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 157544
> Engine version: 0.91.2
> Scanned directories: 0
> Scanned files: 1692
> Infected files: 0
> Data scanned: 251.66 MB
> Time: 216.879 sec (3 m 36 s)
> 
> And here is the summary for just mbox:
> 
> mbox: Email.FreeGame FOUND
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 157544
> Engine version: 0.91.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 242.46 MB
> Time: 361.295 sec (6 m 1 s)
> 
> Any ideas?
> 
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html

That pattern is:

daily.ndb:
Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*687474703a2f2f(31|32|33|34|35|36|37|38|39)

And translates to:
"ubject:" followed by as many as 30 characters, then "game" or "Game" followed by any number of characters and "http://" and any of "123456789"

So grep the subject lines in those 1600 files and see if this might be found:

pcregrep "ubject:.{0,30}[gG]ame.*http://[1-9]" *

It may not be, or the subject line may be hex encoded and contain the text but not in readable form. Or it may be a false positive that is a consequence of your mail file.

Or there may be a processing difference between mbox and maildir scans. Perhaps someone can clarify.

To be honest this is a pretty weak pattern to create a yea or nay decision with.

dp
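
As an added example (not code from the thread or from ClamAV), this Python sketch translates the quoted `.ndb` line into a byte regex so each converted message can be tested against it; the regex only approximates the matcher, the sample messages are constructed, and it handles `??`, `{n}`, `{n-}` and `{n-m}` beyond the tokens in this signature. Because `*` places no limit on distance, a subject in one message and a URL in a later one can satisfy the pattern once both sit in a single buffer; the thread does not establish that this is what happened here.

```python
import re

# Signature exactly as quoted in the message above (from daily.ndb).
SIG = ("Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*"
       "687474703a2f2f(31|32|33|34|35|36|37|38|39)")

# Supported tokens: hex byte, ??, *, {n}, {-n} {n-} {n-m}, and ( | ).
TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|(\*)|\{(\d+)\}|\{(\d*)-(\d*)\}|([(|)])")

def ndb_to_regex(hex_body):
    """Translate an .ndb hex body into a bytes regex (approximation of the matcher)."""
    out, pos = [], 0
    while pos < len(hex_body):
        m = TOKEN.match(hex_body, pos)
        if not m:
            raise ValueError(f"unsupported token at offset {pos}")
        byte, any_byte, star, exact, lo, hi, paren = m.groups()
        if byte:
            out.append(re.escape(bytes.fromhex(byte)))
        elif any_byte:
            out.append(b".")
        elif star:
            out.append(b".*?")             # any number of bytes, newlines included
        elif paren:
            out.append({"(": b"(?:", "|": b"|", ")": b")"}[paren])
        elif exact:                        # {n}: exactly n bytes
            out.append(f".{{{exact}}}".encode())
        else:                              # {-n}, {n-}, {n-m}
            out.append(f".{{{lo or 0},{hi}}}".encode())
        pos = m.end()
    return re.compile(b"".join(out), re.DOTALL)

def parse_sig(line):
    """Split Name:TargetType:Offset:HexSignature and compile the hex body."""
    name, target, offset, body = line.split(":")[:4]
    return name, int(target), offset, ndb_to_regex(body)

def scan(pattern, messages):  # indexes of the messages the pattern matches
    return [i for i, msg in enumerate(messages) if pattern.search(msg)]

# Constructed sample messages (not taken from the poster's mailbox).
MESSAGES = [
    b"From a@example.org\nSubject: Board game night\n\nSee you Friday.\n",
    b"From b@example.org\nSubject: Invoice\n\nPay at http://192.0.2.7/pay\n",
    b"From c@example.org\nSubject: Free Game!\n\nhttp://203.0.113.9/x\n",
]
NAME, TARGET, OFFSET, PATTERN = parse_sig(SIG)
PER_FILE_HITS = scan(PATTERN, MESSAGES)                   # one buffer per message
MBOX_HIT = bool(PATTERN.search(b"".join(MESSAGES[:2])))  # first two in one buffer
```

Here only the third message matches on its own, while the first two, neither of which matches alone, match when concatenated.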
