On 2009-10-22 10:25, Per Jessen wrote:
> I use the official clamav databases plus third party signatures from
> sanesecurity to scan email for virus - when an email would potentially
> hit two signatures, it seems to prefer the third party over the
> official clamav sigs. Is this intentional or am I missing something?
> A recent example is Email.Trojan.GZC aka Sanesecurity.Malware.8825.
>

When one signature matches on a file, the scan stops and the virusname
for the matched signature is reported.
If the Sanesecurity signature matches first, then that one is reported.

This is the sanesecurity signature:

Sanesecurity.Malware.8825:4:*:556e666f7274756e6174656c792077652077657265206e6f742061626c6520746f2064656c6976657220706f7374616c207061636b61676520796f752073656e74206f6e*506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572

This is the Email.Trojan.GZC signature:

Email.Trojan.GZC:4:*:506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572206f6666696365

The Sanesecurity signature's second part is a prefix of the
Email.Trojan.GZC signature, so Email.Trojan.GZC will never match with
sanesecurity signatures loaded.

Best regards,
--Edwin
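
The overlap described in the reply above can be checked by decoding the two signature lines. This is an added example, not part of the original thread or of ClamAV: the matcher is a simplification that handles only the `*` wildcard and does not model ClamAV's matching order, and the sample mail body and helper names are constructed for illustration.

```python
# Signature lines copied from the message above.
# ClamAV .ndb layout: MalwareName:TargetType:Offset:HexSignature
SANE = "Sanesecurity.Malware.8825:4:*:556e666f7274756e6174656c792077652077657265206e6f742061626c6520746f2064656c6976657220706f7374616c207061636b61676520796f752073656e74206f6e*506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572"
GZC = "Email.Trojan.GZC:4:*:506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572206f6666696365"

# Constructed sample mail body (not a captured message).
SAMPLE = (b"Unfortunately we were not able to deliver postal package you sent on "
          b"Oct 1 in time.\r\nPlease print out the invoice copy attached and "
          b"collect the package at our office.\r\n")


def parse_ndb(line):
    """Split an .ndb line into (name, target_type, offset, [byte fragments])."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    # Simplification: only '*' (any number of bytes) is treated as a wildcard.
    return name, target, offset, [bytes.fromhex(p) for p in hexsig.split("*")]


def matches(fragments, data):
    """True if every fragment occurs in data, in order and without overlap."""
    pos = 0
    for frag in fragments:
        idx = data.find(frag, pos)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True


def matching_names(sig_lines, data):
    """Names of all signatures whose fragments are found in data."""
    parsed = [parse_ndb(line) for line in sig_lines]
    return [name for name, _, _, frags in parsed if matches(frags, data)]


def shadowed_fragments(sig_a, sig_b):
    """Fragments of sig_a that are a prefix of some fragment of sig_b."""
    a, b = parse_ndb(sig_a)[3], parse_ndb(sig_b)[3]
    return [fa for fa in a if any(fb.startswith(fa) for fb in b)]


if __name__ == "__main__":
    for line in (SANE, GZC):
        name, target, offset, frags = parse_ndb(line)
        print(name, "target", target, "offset", offset, frags)
    print("prefix overlap:", shadowed_fragments(SANE, GZC))
    print("both match sample:", matching_names([SANE, GZC], SAMPLE))
```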