Rick Macdougall wrote: > Noel Jones wrote: >> Rick Macdougall wrote: >>> Hi, >>> >>> I have another example where clamdscan fails to find a virus but >>> clamscan does. >>> >>> [EMAIL PROTECTED] aeiadm]# clamdscan /tmp/180334 >>> /tmp/180334: OK >>> >>> ----------- SCAN SUMMARY ----------- >>> Infected files: 0 >>> Time: 0.033 sec (0 m 0 s) >>> >>> >>> [EMAIL PROTECTED] aeiadm]# clamscan /tmp/180334 >>> /tmp/180334: Phishing.Heuristics.Email.SSL-Spoof FOUND >>> >>> ----------- SCAN SUMMARY ----------- >>> Known viruses: 224289 >>> Engine version: 0.92 >>> Scanned directories: 0 >>> Scanned files: 1 >>> Infected files: 1 >>> Data scanned: 0.04 MB >>> Time: 2.207 sec (0 m 2 s) >>> >>> Dell 850 hardware >>> Latest CentOS 4 software >>> clamav 0.92 installed from scratch with ./configure >>> --disable-zlib-vcheck --sysconfdir=/etc >>> >>> I have a copy of the message in question if one of the devs would like a >>> copy. >>> >> Two questions just to clarify... >> >> Does output of the "clamconf" command contain: >> PhishingScanURLs = yes >> >> >> If you stop/restart clamd does it still miss the sample? >> > > Interesting. PhishingScanURLs was no (hard coded), changing it to yes > makes clamdscan see it.
Many people like to set this to "no" because of a relatively high false positive rate. > > How ever the reason I saw it was because a message came in on mail > server 3 last night and was not caught, but the message was then > forwarded to a user on mail server 2 where it was rejected by clamdscan. > > Now, mail server 2 did not see the virus this morning when I checked it > again but it obviously did last night when PhishingScanURLs = no. > > Any reason for that that you can see ? clamscan doesn't use the options set in clamd.conf. -- Noel Jones _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
