On 15/10/2020 2:48 p.m., Dominic Raferd wrote:
> It is unlikely that clamav is not reading its official databases, but
> it is very rare for viruses to be found through the official
> databases, so the hits you will see in the real world will come from
> the unofficial databases (which need to be updated regularly too).
> Worth checking your clamav settings (e.g. in /etc/clamav/clamd.conf).
Dominic, thanks for your feedback.
I use the scamp script (as I described) for additional definitions.
Databases seem to be updated fine.
So you think that my installed databases might simply be inefficient to
identify the viruses we are receiving?
Do you have any suggestions on additional reliable definition databases?
Which would you suggest to add and how?
Please advise!
> I think you need to revisit your settings for
> @virus_name_to_spam_score_maps.
I remember I had made this configuration because we were having false
positives and I had found an article regarding this approach, which I
decided to follow.
This doesn't seem to be the problem, because the infected attachments
are simply found CLEAN; they do not belong in this class (which is
converted to spam).
Note that the only mail message that was identified as "AV infection"
turned "into a spam report" was the test message I sent, deliberately
infected with EICAR-test-virus signature.
Cheers,
Nick
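For reference, an added amavisd.conf fragment (not from the thread, and not Nick's actual configuration) showing what @virus_name_to_spam_score_maps does: a scanner hit whose name matches an entry with a numeric value is reported as spam with that score instead of as a virus. The signature-name patterns and scores here are assumed.

```perl
# Added illustration, not taken from this thread.
# Each entry is [ regexp => value ]; the first regexp that matches the
# virus name reported by the scanner wins.  A numeric value makes amavis
# treat the hit as spam with that score added (this is the "AV infection
# turned into a spam report" behaviour); undef keeps the default virus
# handling.  A name that matches no entry is also handled as a virus.
@virus_name_to_spam_score_maps =
  (new_RE(  # order matters, first match wins
    # Phishing/scam heuristics from unofficial databases: score as spam
    [ qr'^(Heuristics\.)?Phishing\.'        => 0.1 ],   # assumed pattern
    [ qr'^Sanesecurity\.(Spam|Scam)\.'      => 2.0 ],   # assumed pattern
    # Explicitly malicious names must stay viruses
    [ qr'^Sanesecurity\.(Malware|Trojan)\.' => undef ], # assumed pattern
    # Eicar-Test-Signature and real malware names match nothing above and
    # therefore stay viruses.  Note that this map is consulted only for
    # names the scanner actually reported: an attachment the scanner
    # returns as CLEAN never reaches it, so it cannot explain a miss.
  ));
```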