On Fri, 28 Jan 2005, Jason Haar wrote:

> clamAV (like all other AVs) produces a report stating what the malware is. In the case of Phishing, clamAV tags them as "*.Phishing.*".
>
> Sooooo, change your "blocking agents" to ignore such matches.... Don't be surprised if they don't have the option, but if you use an Open Source Content Filter like Qmail-Scanner or Amavis, then you can change the code.

Easier said than done. First problem is the lack of a consistent naming scheme, making it hard to identify exactly which signatures refer to auto-propagating code, and which don't. More difficult is the problem that ClamAV only reports the *first* match it finds. So a mail that matched both a phishing signature and a virus signature might be reported to be a phishing scheme, and therefore allowed through.


The simplest solution seems to be to write a wrapper around freshclam. After downloading the databases, you need to unpack them, grep out the phishing schemes, and then move only the unpacked versions into your signatures directory. If a reliable naming scheme could be agreed upon, I expect there are several of us on this list who would be willing to write/share such a wrapper.

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
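
The filtering step of the wrapper described above, as an added example that is not part of the original message or of ClamAV: it takes signature files that have already been unpacked, drops every signature whose name matches a pattern, and renames the results into the live directory. With those signatures gone, a mail that carries both a phish and a virus can only match the virus signature. Assumptions: the name-field position per file type, the "[.]Phishing[.]" pattern, and all function names are illustrative; the sample signatures are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Operates on files already unpacked
# from the downloaded databases; the download and unpack steps are not shown.
# Assumed name-field position per file type:
#   *.db   Name=HexSig
#   *.ndb  Name:Target:Offset:HexSig
#   *.hdb  MD5:Size:Name

# ERE matched against the signature NAME only (assumed naming convention).
PATTERN='[.]Phishing[.]'

# filter_file SRC DST: write SRC to DST minus signatures whose name matches.
filter_file() {
    case "$1" in
        *.db)  awk -F'=' -v pat="$PATTERN" '$1 !~ pat' "$1" ;;
        *.ndb) awk -F':' -v pat="$PATTERN" '$1 !~ pat' "$1" ;;
        *.hdb) awk -F':' -v pat="$PATTERN" '$3 !~ pat' "$1" ;;
        *)     cat "$1" ;;   # unknown type: keep every signature
    esac > "$2"
}

# filter_dir SRC DST: filter every file in SRC into DST; print number dropped.
filter_dir() {
    dropped=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        out="$2/$(basename "$f")"
        filter_file "$f" "$out.tmp" || return 1
        before=$(wc -l < "$f"); after=$(wc -l < "$out.tmp")
        dropped=$((dropped + before - after))
        mv "$out.tmp" "$out"   # rename so a scanner never reads a partial file
    done
    echo "$dropped"
}

# make_sample DIR: constructed signatures (names, hashes and hex are made up).
make_sample() {
    printf '%s\n' 'Worm.Example.A=deadbeef' \
                  'HTML.Phishing.Bank-1=cafebabe' > "$1/main.db"
    printf '%s\n' 'HTML.Phishing.Pay-2:3:*:6c6f67696e' \
                  'Trojan.Example.B:0:*:4d5a' > "$1/main.ndb"
    printf '%s\n' '0123456789abcdef0123456789abcdef:1024:Worm.Phishing.C' \
                  > "$1/main.hdb"
}
```

Logging the dropped count after each update makes a change in the upstream naming scheme visible: a count that falls to zero means the pattern no longer matches anything.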
