> The script I use has a bit more finesse than this simple overview. I use a
> randomizer to prevent this process from running at the same minute past
> the hour

Note there's a *tiny* chance if the script runs at 10.07 and then 11.03, you'll get a temp block for an hour from some of the mirrors, depending if they have set up hourly "abuse" checks.

> If Steve puts all his changes at the end of the file then this can be very
> efficient. If changes are scattered around the files then not so much.

99% of the time they are all added at the end of the file now, which means it's much more efficient than it used to be.

As for the databases to use, well it's up to the end user but if I was only interested in malware only... I'd use:

phish.ndb
rougue.hdb
winnow_malware_links.ndb
winnow_malware.hdb

For example: Some malware in my "to look at" folder this morning...

Sanesecurity only (phish.ndb/rougue.hdb)

Scanned files: 226
Infected files: 135

Official only:

Scanned files: 226
Infected files: 119

winnow malware didn't hit.

The phish.ndb inclusion may seem a little odd... but the following two sig types can block the email(s) that:

a) contain the link(s) to malware or malware serving website
b) contain a malware attachment:

Sanesecurity.Malware
Sanesecurity.Phishing.Fake

But with any of the scripts, you can pick and choose what you want :)

Cheers,

Steve
Sanesecurity
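
The 10.07-then-11.03 case mentioned in this message comes from picking a new random minute on every run. The sketch below is an added example, not part of the thread and not the script either poster uses: it derives a fixed per-host minute and refuses to run when less than an hour has passed. The function names, the stamp file and the 3600-second window are assumptions.

```shell
#!/bin/sh
# Added example: keep consecutive mirror downloads at least an hour apart.

MIN_GAP=3600  # seconds; assumed length of a mirror's hourly "abuse" window

# Map a host name to a fixed minute (0-59). Unlike a fresh random value on
# every run, the offset is the same each hour, so runs stay 60 minutes apart
# while different hosts still spread across the hour.
stable_minute() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((sum % 60))
}

# Return 0 if a download may start now, 1 if the last run was too recent.
# $1 = epoch seconds of the last run (empty if none), $2 = current epoch.
gap_ok() {
    [ -z "$1" ] && return 0
    [ $(( $2 - $1 )) -ge "$MIN_GAP" ]
}

# Guarded run: $1 = stamp file, $2 = current epoch, remaining args = command.
# The stamp is only updated when the command is actually started.
run_if_due() {
    stamp=$1; now=$2; shift 2
    last=""
    [ -f "$stamp" ] && last=$(cat "$stamp")
    if gap_ok "$last" "$now"; then
        echo "$now" > "$stamp"
        "$@"
    else
        echo "skipped: only $((now - last))s since last run" >&2
        return 1
    fi
}
```

With a per-run random minute the guard still catches the short gap; with `stable_minute` the short gap does not occur in the first place.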