Paul wrote:
Hi
I have been looking at using the -z option on either clamdscan or
clamscan and stumbled onto some odd behavior.
This is with version 101.1. 101.0 also behaves the same.
Take 2 paultest-010E110713-000 is constructed from test/clam.mail with
the addition of a line of text to the text/plain part of clam.mail which
triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
paule@larch:~# clamscan -z /var/lib/quarantine/paultest-010E110713-000
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
Any way to prevent the duplicate signature hits being displayed?
-z, --allmatch
After a match, continue scanning within the file for
additional matches.
.... don't use -z? There's no way I know of to specify which signature
takes precedence during a single scan, so if you're continuing after
you've found a match, I would call it reasonable that you also want to
know all of the signatures that matched. If you only want to report one
signature, then continuing to scan the file seems to be a waste.
If you want to separately report hits from subsets of signatures, you'll
probably need to store them in different directories, and use the -d option:
-d FILE/DIR, --database=FILE/DIR
Load virus database from FILE or load all virus database
files from DIR.
to run multiple, independent scans with each subset of signatures. This
way you can pick which set to check in which order, and skip further
processing as desired based on the results.
-kgd
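
Added example (not part of the original thread and not ClamAV project code): one way to script the staged scans suggested in the reply above, with each signature subset stored in its own directory and passed to -d. The function name staged_scan and the database directories are hypothetical; -z is kept within each pass, and repeated hits like the ones in Paul's output are collapsed.

```shell
#!/bin/sh
# Added example: staged clamscan passes, one signature directory per pass.
# The database directories given on the command line are hypothetical; each
# is assumed to hold one subset of signatures.

# staged_scan FILE DBDIR...
# Scans FILE against each DBDIR in the order given and stops at the first
# directory that reports a hit. Prints "DBDIR<TAB>SIGNATURE" once for each
# signature that matched in that pass.
# Returns 0 = clean in every set, 1 = hit, 2 = scan error.
staged_scan() {
    file=$1
    shift
    for db in "$@"; do
        rc=0
        # clamscan exits 0 when clean, 1 when a signature matched, 2 on error.
        out=$(clamscan --no-summary -z -d "$db" "$file") || rc=$?
        case $rc in
            0) continue ;;    # clean against this subset, try the next one
            1) # Keep only the signature name from "path: NAME FOUND" lines,
               # then drop repeats while preserving first-seen order.
               printf '%s\n' "$out" |
                   sed -n 's/^.*: \(.*\) FOUND$/\1/p' |
                   awk -v db="$db" '!seen[$0]++ { print db "\t" $0 }'
               return 1 ;;
            *) echo "clamscan failed with database $db (exit $rc)" >&2
               return 2 ;;
        esac
    done
    return 0
}

# Command-line use: sh staged_scan.sh FILE DBDIR [DBDIR...]
if [ "$#" -ge 2 ]; then
    staged_scan "$@"
    exit $?
fi
```

The order of the DBDIR arguments decides which subset is reported when a file would match in more than one.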