[Clamav-users] Check up database integrity and restart daemon Help?
I am getting this error message in my root e-mail:

Could not connect to ClamAV daemon: Connection refused
Looks like ClamAV daemon is not OK. Check up database integrity and restart daemon

I cannot find any information for how to do what the above error message suggests. If the information is in the man page for ClamAV, where and what is it?

I also can't find any information on how to use this clamdmon and there is no man page for it.

I am running this on PCLinuxOS 2007, ClamAV version 0.90.3-1pclos2007

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Check up database integrity and restart daemon Help?
linuxmaillists wrote:

> I am getting this error message in my root e-mail:
>
> Could not connect to ClamAV daemon: Connection refused
> Looks like ClamAV daemon is not OK. Check up database integrity and restart daemon
>
> I cannot find any information for how to do what the above error message suggests. If the information is in the man page for ClamAV, where and what is it?

No it's not in the manpage, the procedure depends on what you have installed alongside clamd, clamdmon is obvious, some script that downloads third party databases probably, perhaps something else.

> I also can't find any information on how to use this clamdmon and there is no man page for it.

Clamdmon is a program and a script, you are receiving the email that the script sends (from cron) when it detects a problem.

The script also tries to restart clamd, so first thing is to check if clamd is running (the script was successful restarting clamd), if not then you should look into the clamd log and see, at the end, if an error is reported; perhaps that will give you enough clues to determine what is wrong.

If clamd still can't start, then you probably have to move out of the way each of the 3rd party databases, and see which one is the cause of the problem.

--
René Berber
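The last step of that procedure, finding which database keeps clamd from starting, as an added example that is not part of the original message or of clamdmon. Instead of moving files out of the way, it asks `clamscan` to load each database file on its own; the function names, the suffix list and the `/var/lib/clamav` default path are assumptions.

```python
import pathlib
import subprocess
import tempfile

# Signature database extensions to test (a subset; extend for your setup).
DB_SUFFIXES = {".cvd", ".cld", ".db", ".hdb", ".mdb", ".ndb", ".pdb", ".wdb"}
# Databases published by the ClamAV project; anything else counts as third party.
OFFICIAL_STEMS = {"main", "daily", "bytecode"}


def clamscan_loads(db_file):
    """Return (ok, message): can clamscan start with db_file as its only database?"""
    with tempfile.NamedTemporaryFile() as probe:
        probe.write(b"database load probe\n")
        probe.flush()
        proc = subprocess.run(
            ["clamscan", "--no-summary", f"--database={db_file}", probe.name],
            capture_output=True, text=True,
        )
    # Exit 0 (clean) or 1 (a signature matched) both mean the database loaded;
    # any other exit status is treated as a load or runtime error.
    ok = proc.returncode in (0, 1)
    lines = (proc.stderr or proc.stdout).strip().splitlines()
    return ok, (lines[-1] if lines else "")


def find_bad_databases(db_dir, loads=clamscan_loads):
    """Load every database file in db_dir in isolation and list the failures."""
    failures = []
    for path in sorted(pathlib.Path(db_dir).iterdir()):
        if not path.is_file() or path.suffix.lower() not in DB_SUFFIXES:
            continue
        ok, message = loads(path)
        if not ok:
            failures.append({
                "file": path.name,
                "third_party": path.stem.lower() not in OFFICIAL_STEMS,
                "error": message,
            })
    return failures


if __name__ == "__main__":
    import sys
    # Assumed default database directory; pass the real one as the first argument.
    db_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/clamav"
    for item in find_bad_databases(db_dir):
        origin = "third party" if item["third_party"] else "official"
        print(f"{item['file']} ({origin}): {item['error']}")
```

A file reported here is the one to move aside before restarting clamd; an empty result points back to the clamd log rather than the databases.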
[Clamav-users] ClamAV patch download not working in South Africa
Hi,

In our organisation we are using a customized Linux server in 40+ locations around the world. It is using ClamAV for virus checking.

Yesterday, our office in South Africa reported that they were not able to download the new daily-.cdiff file for more than a day. They are running version clamav-0.91.2, the same as the other offices. Since the setup is identical to the other locations, the problem can't be a bug in the software setup.

Could you confirm whether the local server db.za.clamav.net had a problem yesterday? Is that problem solved now?

Thanks,
Bye, Andrea

The e-mail message from Cron Daemon says:

ERROR: getpatch: Can't download daily-4580.cdiff from db.za.clamav.net
ERROR: getpatch: Can't download daily-4580.cdiff from db.za.clamav.net
ERROR: getpatch: Can't download daily-4580.cdiff from db.za.clamav.net
ERROR: Can't download daily.cvd from db.za.clamav.net

The logfile shows the following:

rsa:/var/log/clamav$tail freshclam.log
ERROR: getpatch: Can't download daily-4580.cdiff from db.local.clamav.net
Ignoring mirror 130.59.10.34 (due to previous errors)
Ignoring mirror 193.1.193.64 (due to previous errors)
ERROR: getpatch: Can't download daily-4580.cdiff from db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 130.59.10.34 (due to previous errors)
ERROR: Can't download daily.cvd from db.local.clamav.net
Giving up on db.local.clamav.net...
Update failed.
Re: [Clamav-users] Check up database integrity and restart daemon Help?
On Thursday 25 October 2007 04:42:59 René Berber wrote:

> linuxmaillists wrote:
>
> > I am getting this error message in my root e-mail:
> >
> > Could not connect to ClamAV daemon: Connection refused
> > Looks like ClamAV daemon is not OK. Check up database integrity and restart daemon
> >
> > I cannot find any information for how to do what the above error message suggests. If the information is in the man page for ClamAV, where and what is it?
>
> No it's not in the manpage, the procedure depends on what you have installed alongside clamd, clamdmon is obvious, some script that downloads third party databases probably, perhaps something else.
>
> > I also can't find any information on how to use this clamdmon and there is no man page for it.
>
> Clamdmon is a program and a script, you are receiving the email that the script sends (from cron) when it detects a problem.
>
> The script also tries to restart clamd, so first thing is to check if clamd is running (the script was successful restarting clamd), if not then you should look into the clamd log and see, at the end, if an error is reported; perhaps that will give you enough clues to determine what is wrong.
>
> If clamd still can't start, then you probably have to move out of the way each of the 3rd party databases, and see which one is the cause of the problem.

Thanks for the info
Re: [Clamav-users] ClamAV patch download not working in South Africa
I'm having similar trouble with my clamav. I'm using the rpm from rpmforge.

Andrea Wachter wrote:

> Hi,
>
> In our organisation we are using a customized Linux server in 40+ locations around the world. It is using ClamAV for virus checking.
>
> Yesterday, our office in South Africa reported that they were not able to download the new daily-.cdiff file for more than a day. They are running version clamav-0.91.2, the same as the other offices. Since the setup is identical to the other locations, the problem can't be a bug in the software setup.
>
> Could you confirm whether the local server db.za.clamav.net had a problem yesterday? Is that problem solved now?
>
> Thanks,
> Bye, Andrea
>
> The e-mail message from Cron Daemon says:
>
> ERROR: getpatch: Can't download daily-4580.cdiff from db.za.clamav.net
> ERROR: getpatch: Can't download daily-4580.cdiff from db.za.clamav.net
> ERROR: getpatch: Can't download daily-4580.cdiff from db.za.clamav.net
> ERROR: Can't download daily.cvd from db.za.clamav.net
>
> The logfile shows the following:
>
> rsa:/var/log/clamav$tail freshclam.log
> ERROR: getpatch: Can't download daily-4580.cdiff from db.local.clamav.net
> Ignoring mirror 130.59.10.34 (due to previous errors)
> Ignoring mirror 193.1.193.64 (due to previous errors)
> ERROR: getpatch: Can't download daily-4580.cdiff from db.local.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> Ignoring mirror 193.1.193.64 (due to previous errors)
> Ignoring mirror 130.59.10.34 (due to previous errors)
> ERROR: Can't download daily.cvd from db.local.clamav.net
> Giving up on db.local.clamav.net...
> Update failed.

--
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737
[Clamav-users] Recent viruses
I received some emails yesterday matching the following:

Infected messages:
Email.Ecard-28: 2 Message(s)
Email.Phishing.RB-1804: 2 Message(s)
Email.Phishing.RB-1806: 2 Message(s)

I think these are ClamAV-specific names, how can I find out more detailed info on each one? I do not see them anywhere on the web.

Any help would be greatly appreciated.
Re: [Clamav-users] Recent viruses
Gomes, Rich wrote:

> I received some emails yesterday matching the following:
>
> Infected messages:
> Email.Ecard-28: 2 Message(s)
> Email.Phishing.RB-1804: 2 Message(s)
> Email.Phishing.RB-1806: 2 Message(s)
>
> I think these are ClamAV-specific names, how can I find out more detailed info on each one? I do not see them anywhere on the web.
>
> Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to create one is going anywhere. The problem is each AV vendor has to call it something (I actually don't agree with this, but sexy names sell product). So what do you call a virus you've not seen before? I suppose you could submit it to all the other vendors' systems to see if they have a name for it and adopt that, but then that's a lot of work and there are no returns. And what if you are the first to discover it? You can't wait around for a committee to come up with a name so you call it something and release the update. As you know, within a day all the vendors will have discovered that same virus and will also go through this same drill.

If you think about it, vendor A using vendor B's names is an admission that vendor A was not the first to discover it, and that means vendor B is going to look better in reviews.

My bottom line is, I really don't care what they're called. A simple serial number would be fine with me. The names mean more to the popular press than anyone else on the planet because they make great headlines. A name that is also the date discovered would be even better as I could voluntarily remove any old virus patterns I think are obsolete. This addresses another issue - AV vendors get a big plus for showing they have a bizzillion patterns in their database. I don't care - if that represents something that was an issue in 1987 it is not a problem for me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the record for the virus name and read what the pattern is. This is especially true for the phishing and text based viruses. Less useful for viruses found in executable files.

One final point: phishing and scam mails will not necessarily have a corresponding identity with other vendors. They may not provide phishing and scam protection, for one thing, and for another the manner of detecting them is entirely arbitrary. Vendor A might look for embedded URLs in the message where vendor B might look for repeating misspelled words or unusual phrasing in the same message. In other words there is no guarantee of a match with any other vendor.

dp
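Translating a hex-encoded signature record into readable text, as suggested in the message above; this is an added example, not part of the original post. It assumes the record uses the `.ndb` layout `Name:TargetType:Offset:HexSignature` or the older `.db` layout `Name=HexSignature`; the function names are hypothetical and the sample record is constructed, not a real ClamAV signature.

```python
import re

# Target-type codes used in the second field of an .ndb record.
TARGET_TYPES = {
    "0": "any file", "1": "PE executable", "2": "OLE2 document",
    "3": "normalised HTML", "4": "mail file", "5": "graphics",
    "6": "ELF executable", "7": "normalised ASCII text",
}

# Tokens of the body-signature syntax: literal hex plus wildcards.
_TOKEN = re.compile(r"""
    (?P<hex>(?:[0-9a-fA-F]{2})+)            # run of literal bytes
  | (?P<any>\?\?)                           # exactly one unknown byte
  | (?P<nib>[0-9a-fA-F]\?|\?[0-9a-fA-F])    # one byte with an unknown nibble
  | (?P<star>\*)                            # any number of bytes
  | (?P<gap>\{(?:\d+-\d+|\d+-|-\d+|\d+)\})  # bounded skip, e.g. {1-8}
  | (?P<alt>!?\([^()]*\))                   # (aa|bb) alternatives, optional negation
""", re.VERBOSE)
_HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2})+")


def _show(raw):
    """Render bytes as text, escaping anything outside printable ASCII."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"\\x{b:02x}" for b in raw)


def decode_signature(sig):
    """Turn a hex signature with wildcards into a human-readable pattern."""
    out, pos = [], 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if m is None:
            raise ValueError(f"unrecognised syntax at offset {pos}: {sig[pos:pos + 8]!r}")
        kind, tok = m.lastgroup, m.group()
        if kind == "hex":
            out.append(_show(bytes.fromhex(tok)))
        elif kind == "any":
            out.append("<1 byte>")
        elif kind == "nib":
            out.append(f"<byte {tok}>")
        elif kind == "star":
            out.append("<any bytes>")
        elif kind == "gap":
            out.append(f"<gap {tok[1:-1]}>")
        else:  # alternatives; non-hex members such as boundary markers stay as written
            alts = tok.lstrip("!")[1:-1].split("|")
            shown = [_show(bytes.fromhex(a)) if _HEX_RUN.fullmatch(a) else a for a in alts]
            out.append(("not" if tok.startswith("!") else "") + "(" + "|".join(shown) + ")")
        pos = m.end()
    return "".join(out)


def parse_record(line):
    """Split one database record and decode its pattern."""
    line = line.strip()
    if ":" not in line:                      # old .db layout: Name=HexSignature
        name, sig = line.split("=", 1)
        target, offset = "0", "*"
    else:                                    # .ndb layout, extra trailing fields ignored
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("expected Name:TargetType:Offset:HexSignature")
        name, target, offset, sig = fields[:4]
    return {
        "name": name,
        "target": TARGET_TYPES.get(target, f"unknown ({target})"),
        "offset": offset,
        "pattern": decode_signature(sig),
    }


# Constructed sample record (not a real signature), built from plain text so
# the hex is easy to check by eye.
SAMPLE_NDB = "Example.Phishing.Constructed-1:4:*:" + "".join([
    b"verify your ".hex(), "{1-8}", b"account at http://".hex(), "*",
    "(", b".com".hex(), "|", b".net".hex(), ")", b"/".hex(), "??",
])

if __name__ == "__main__":
    for key, value in parse_record(SAMPLE_NDB).items():
        print(f"{key:8} {value}")
```

For text-oriented targets such as mail the decoded pattern reads almost like the phrase being matched; for executables it is mostly escaped bytes, which is why the approach is less useful there.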
Re: [Clamav-users] Recent viruses
Dennis,

Thanks for the reply. I understand all of what you are saying, having worked as a sysadmin for many years now. My issue is that even with most vendors using different naming conventions, they are usually cross-referenced in any technical info that is out there. I can't find any data on these messages and would like to know what other malware names they match up to so I can present it to management. At this point I can't even give a risk assessment.

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Peterson
Sent: Thursday, October 25, 2007 12:54 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Gomes, Rich wrote:

> I received some emails yesterday matching the following:
>
> Infected messages:
> Email.Ecard-28: 2 Message(s)
> Email.Phishing.RB-1804: 2 Message(s)
> Email.Phishing.RB-1806: 2 Message(s)
>
> I think these are ClamAV-specific names, how can I find out more detailed info on each one? I do not see them anywhere on the web.
>
> Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to create one is going anywhere. The problem is each AV vendor has to call it something (I actually don't agree with this, but sexy names sell product). So what do you call a virus you've not seen before? I suppose you could submit it to all the other vendors' systems to see if they have a name for it and adopt that, but then that's a lot of work and there are no returns. And what if you are the first to discover it? You can't wait around for a committee to come up with a name so you call it something and release the update. As you know, within a day all the vendors will have discovered that same virus and will also go through this same drill.

If you think about it, vendor A using vendor B's names is an admission that vendor A was not the first to discover it, and that means vendor B is going to look better in reviews.

My bottom line is, I really don't care what they're called. A simple serial number would be fine with me. The names mean more to the popular press than anyone else on the planet because they make great headlines. A name that is also the date discovered would be even better as I could voluntarily remove any old virus patterns I think are obsolete. This addresses another issue - AV vendors get a big plus for showing they have a bizzillion patterns in their database. I don't care - if that represents something that was an issue in 1987 it is not a problem for me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the record for the virus name and read what the pattern is. This is especially true for the phishing and text based viruses. Less useful for viruses found in executable files.

One final point: phishing and scam mails will not necessarily have a corresponding identity with other vendors. They may not provide phishing and scam protection, for one thing, and for another the manner of detecting them is entirely arbitrary. Vendor A might look for embedded URLs in the message where vendor B might look for repeating misspelled words or unusual phrasing in the same message. In other words there is no guarantee of a match with any other vendor.

dp
Re: [Clamav-users] Recent viruses
On 10/25/07, Gomes, Rich [EMAIL PROTECTED] wrote:

> Dennis,
>
> Thanks for the reply. I understand all of what you are saying, having worked as a sysadmin for many years now. My issue is that even with most vendors using different naming conventions, they are usually cross-referenced in any technical info that is out there. I can't find any data on these messages and would like to know what other malware names they match up to so I can present it to management. At this point I can't even give a risk assessment.

The trouble is, that takes time, time that has to be paid for (or donated free).

One option would be to submit the viruses to the likes of VirusTotal, to see what the other vendors call it. You, and others, could then create a comparison page that allowed you to search for a virus signature name and see what other products call it.

Somebody else used to manage a page like this, but I don't know if it's still being done.

Not perfect I know, but right now I suspect it's the only way.

--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] Recent viruses
Gomes, Rich wrote:

> Dennis,
>
> Thanks for the reply. I understand all of what you are saying, having worked as a sysadmin for many years now. My issue is that even with most vendors using different naming conventions, they are usually cross-referenced in any technical info that is out there. I can't find any data on these messages and would like to know what other malware names they match up to so I can present it to management. At this point I can't even give a risk assessment.
>
> Rich

Since what we're talking about is phishing and scams, the risk is subjective. If you have an above-average-intelligence user base then there is no risk. If you're surrounded by click monkeys that follow every link they ever get then the risk is high. These particular viruses are not going to launch on opening and roll through your environment like a fire storm.

I also don't think anyone is going to burn a lot of effort cross-tracking these things because there's no money in it and it's a large amount of work to submit perfect copies of each scam to a number of vendors looking for a hit and then databasing them.

dp
Re: [Clamav-users] Recent viruses
Hey Gomes, list,

I think it's not a big deal to configure your MTA/clamav to make a copy of such files, you can take a look at it when you are curious what it was ;-). Names are not really important.

Just my 0.03 cents.

Regards,
/rl

Gomes, Rich wrote:

> I received some emails yesterday matching the following:
>
> Infected messages:
> Email.Ecard-28: 2 Message(s)
> Email.Phishing.RB-1804: 2 Message(s)
> Email.Phishing.RB-1806: 2 Message(s)
Re: [Clamav-users] Recent viruses
Would anyone know the syntax for such?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thorolf
Sent: Thursday, October 25, 2007 4:55 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Hey Gomes, list,

I think it's not a big deal to configure your MTA/clamav to make a copy of such files, you can take a look at it when you are curious what it was ;-). Names are not really important.

Just my 0.03 cents.

Regards,
/rl

Gomes, Rich wrote:

> I received some emails yesterday matching the following:
>
> Infected messages:
> Email.Ecard-28: 2 Message(s)
> Email.Phishing.RB-1804: 2 Message(s)
> Email.Phishing.RB-1806: 2 Message(s)
Re: [Clamav-users] Recent viruses
On Thu, October 25, 2007 3:04 pm, Gomes, Rich said:

> Would anyone know the syntax for such?

What's your MTA, and how are you calling clamav? It all depends on your setup.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
Re: [Clamav-users] Recent viruses
Sendmail, called by a milter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel T. Staal
Sent: Thursday, October 25, 2007 3:23 PM
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Recent viruses

On Thu, October 25, 2007 3:04 pm, Gomes, Rich said:

> Would anyone know the syntax for such?

What's your MTA, and how are you calling clamav? It all depends on your setup.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
Re: [Clamav-users] Recent viruses
Do you give risk assessments of each and every virus caught, then? That would be a complete waste of time.

But, just to let you know the risks we're talking about here:

eCard stuff: emails containing either a link to a website pushing Trojans onto the PCs of those stupid enough to visit; or a .zip attachment containing a Trojan. The risk? Malware on your PC, data harvesting, turning PC into a spambot, etc.

The phishing ones usually contain links to fake bank sites in an attempt to harvest people's usernames and passwords, and thence their money. The risk is of your staff being fleeced, quickly followed by legal action by them against management for failure in their duty of care for their employees (by not blocking these phishing emails they are aiding and abetting the criminals).

And if you really have to argue the case individually for each and every virus pattern in your antivirus products' databases, you should start seeking a new job right now.

Cheers,
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gomes, Rich
Sent: 25 October 2007 18:20
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Dennis,

Thanks for the reply. I understand all of what you are saying, having worked as a sysadmin for many years now. My issue is that even with most vendors using different naming conventions, they are usually cross-referenced in any technical info that is out there. I can't find any data on these messages and would like to know what other malware names they match up to so I can present it to management. At this point I can't even give a risk assessment.
Rich
Re: [Clamav-users] Recent viruses
No I do not, that's a ridiculous question. I have reason to be concerned in this particular instance, let's leave it at that. I was only looking for some kind of technical info on these particular variants.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randal, Phil
Sent: Thursday, October 25, 2007 4:01 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Do you give risk assessments of each and every virus caught, then? That would be a complete waste of time.

But, just to let you know the risks we're talking about here:

eCard stuff: emails containing either a link to a website pushing Trojans onto the PCs of those stupid enough to visit; or a .zip attachment containing a Trojan. The risk? Malware on your PC, data harvesting, turning PC into a spambot, etc.

The phishing ones usually contain links to fake bank sites in an attempt to harvest people's usernames and passwords, and thence their money. The risk is of your staff being fleeced, quickly followed by legal action by them against management for failure in their duty of care for their employees (by not blocking these phishing emails they are aiding and abetting the criminals).

And if you really have to argue the case individually for each and every virus pattern in your antivirus products' databases, you should start seeking a new job right now.

Cheers,
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gomes, Rich
Sent: 25 October 2007 18:20
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Dennis,

Thanks for the reply. I understand all of what you are saying, having worked as a sysadmin for many years now. My issue is that even with most vendors using different naming conventions, they are usually cross-referenced in any technical info that is out there. I can't find any data on these messages and would like to know what other malware names they match up to so I can present it to management.
At this point I can't even give a risk assessment.

Rich