Micah wrote: >>> http://www.clamav.org/support/faq/ (the 8th item in Miscellaneous) says: >> The entire process takes less than a minute here on a file of around 4g in >> size. >> >> dp >> > > Okay, so I used mb2md to convert the mbox to 1692 files and then ran the > scanner. Check this out: > > ----------- SCAN SUMMARY ----------- > Known viruses: 157544 > Engine version: 0.91.2 > Scanned directories: 0 > Scanned files: 1692 > Infected files: 0 > Data scanned: 251.66 MB > Time: 216.879 sec (3 m 36 s) > > And here is the summery for just mbox: > > mbox: Email.FreeGame FOUND > > ----------- SCAN SUMMARY ----------- > Known viruses: 157544 > Engine version: 0.91.2 > Scanned directories: 0 > Scanned files: 1 > Infected files: 1 > Data scanned: 242.46 MB > Time: 361.295 sec (6 m 1 s) > > Any ideas? > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://lurker.clamav.net/list/clamav-users.html
That pattern is: daily.ndb: Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*687474703a2f2f(31|32|33|34|35|36|37|38|39) And translates to: "ubject:" followed by as many as 30 characters, then "game" or "Game" followed by any number of characters and "http://" and any of "123456789" So grep the subject lines in those 1600 files and see if this might be found: pcregrep "ubject:.{0,30}[gG]ame*http://[1-9]" * It may not be, or the subject line may be hex encoded and contain the text but not in readable form. Or it may be a false positive that is a consequence of your mail file. Or there may be a processing difference between mbox and maildir scans. Perhaps some can clarify. To be honest this is a pretty weak pattern to create a yea or nea decision with. dp _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html