Hi, >> winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
> That signature is not is our active database. When did you last update your > files? zeus urls and IP come and go as machines are infected and cleaned so > you must keep your rules current. # ls -l winnow_malware_links.ndb -rw-r--r-- 1 vscan vscan 489480 Sep 12 19:47 winnow_malware_links.ndb The user also reported this on an email that was received on the 9th, I believe. I'm also wondering how a domain name, which is what triggered this rule, is found within this hash: # sigtool -fwinnow.botnets.zu.zeus.4637 winnow.botnets.zu.zeus.4637:3:*:(2e|2f|40|20|3c)3230352e3137382e3138392e313239(27|22|20|2f|3d|3e|0a|0d) How exactly is that calculated? Thanks, Alex _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml