Dennis Peterson wrote:
> Noel Jones wrote:
>> Darren G Pifer wrote:
>>> Chambers, Phil wrote:
>>>> Take a look at
>>>>
>>>> http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>>>>
>>> I have seen this document but it does not show how to add signatures
>>> to a database OR for clamd to detect the phishing e-mail. I was able
>>> to create the signature (a .hbd file) and clamscan detects the phishing
>>> but clamd does not. Maybe I am missing something.
>>>
>> If the sig works with clamscan, it will also work with clamdscan.
>> Clamd must be stopped and restarted to recognize new signature
>> files.
>>
>> Make sure you have the latest version of clamav.
>>
>
> I think there are times when a milter might pull an incoming message
> apart and submit it in pieces to clamd that creates a different
> situation than scanning a message that is whole, and stored as a disk
> file. In this case two entirely different objects are being scanned, and
> depending on the way the signature was defined, there can be differences
> in the results.
>
> dp

That's true. There are some milters and such that try to be helpful and unpack/demime mail into its component parts, causing signatures designed to scan the complete mail to not work.

However, there was a time not too long ago (maybe 0.93.1) that some signatures worked with clamscan but were silently ignored by clamdscan. This was seen with command-line file scanning of a static file, no milter/filter/whatever involved. There was discussion here about it at the time.

So make sure you have the latest version, which is never bad advice when dealing with (seemingly) inconsistent behavior.

-- 
Noel Jones
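
The whole-message versus unpacked-parts difference discussed in this thread, as an added example that is not part of any poster's message and does not run ClamAV itself. It assumes the custom signature is a whole-file MD5 hash signature in ClamAV's `MD5:Size:MalwareName` line format; the message, the signature name `Local.Phish.Sample` and the helper functions are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

# Constructed sample message (not taken from the thread).
RAW = (
    b"From: billing@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: Account notice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please confirm your account details.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<p>Please confirm your account details.</p>\r\n"
    b"--b1--\r\n"
)

def hdb_line(data, name):
    """Format a hash-signature entry: MD5:Size:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def hdb_match(sig, data):
    """True when data has exactly the size and MD5 recorded in sig."""
    md5, size, _name = sig.split(":")
    return len(data) == int(size) and hashlib.md5(data).hexdigest() == md5

def demime(raw):
    """Decoded leaf parts, as a filter that unpacks mail would submit them."""
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]

def scan(sig, objects):
    """One verdict per object handed to the scanner."""
    return [hdb_match(sig, obj) for obj in objects]

# Signature generated from the complete message as stored on disk.
SIG = hdb_line(RAW, "Local.Phish.Sample")

if __name__ == "__main__":
    print(SIG)
    print("whole file:   ", scan(SIG, [RAW]))          # complete message
    print("demimed parts:", scan(SIG, demime(RAW)))    # parts scanned separately
```

A signature keyed to the bytes of the complete message matches only when the scanner is handed those same bytes, so checking what object the mail filter actually submits is a useful step before suspecting the signature or the daemon.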
