Michal Kochanowicz wanted us to know:

>A user forwarded an email with worm to me. This email passed our
>clamav on 2005.09.20 22:10:41 CEST. When I checked forwarded email with
>clamscan around 2005.09.21 10:00:00 CEST it correctly detected
>Worm.Bagle.Gen-5.
>Between an original email and my test there were two auto updates of DB.
>How can I check if the worm passed because its signature wasn't present
>in DB at that time?
>I want to know if that worm passed because of stale DB, not because of
>other flaw in our AV mechanism.
Go to http://www.clamav.net, go to the mailing lists page, and join the clamav-virusdb mailing list. In it, you would have seen:

ClamAV database updated (2005-Sep-20 22:21 +0000):
daily.cvd version: 1095

Submission: 108225
Sender: Rafał Kupka
Added: Worm.Bagle.Gen-5
Virus name alias: Email-Worm.Win32.Bagle.ds (Kaspersky AVP), Win32.HLLM.Beagle.35146 (Drweb)

So you got it at 22:10:41 CEST, and the signature was available 22:21 UTC. Sounds like you had a stale DB.

Make sure that your freshclam is notifying the daemon to reload the database, rather than clamd itself noticing that the files have changed and reading it in for that reason.

-- 
Regards... Todd
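Added example, not part of the original thread or of ClamAV: a small script that parses a clamav-virusdb announcement and compares the signature's publication time with the time a message was scanned, after normalising both to UTC. The function names and the fixed zone-offset table are assumptions made for this illustration; the announcement text and timestamps are the ones quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed offsets for the zone abbreviations used in the thread (assumption:
# the abbreviations are unambiguous in this context).
ZONES = {"UTC": timezone.utc,
         "CET": timezone(timedelta(hours=1)),
         "CEST": timezone(timedelta(hours=2))}

# Announcement fields as quoted in the reply above.
ANNOUNCEMENT = """\
ClamAV database updated (2005-Sep-20 22:21 +0000):
daily.cvd version: 1095
Submission: 108225
Added: Worm.Bagle.Gen-5
"""

def parse_announcement(text):
    """Return (publication time in UTC, daily.cvd version, added names)."""
    m = re.search(r"database updated \((\d{4}-[A-Za-z]{3}-\d{2} "
                  r"\d{2}:\d{2} [+-]\d{4})\)", text)
    v = re.search(r"daily\.cvd version:\s*(\d+)", text)
    if not m or not v:
        raise ValueError("not a clamav-virusdb announcement")
    published = datetime.strptime(m.group(1), "%Y-%b-%d %H:%M %z")
    added = set(re.findall(r"^Added:\s*(\S+)", text, re.MULTILINE))
    return published.astimezone(timezone.utc), int(v.group(1)), added

def parse_local(stamp):
    """Parse 'YYYY.MM.DD HH:MM:SS ZONE' (format used in the question) to UTC."""
    date_part, zone = stamp.rsplit(" ", 1)
    naive = datetime.strptime(date_part, "%Y.%m.%d %H:%M:%S")
    return naive.replace(tzinfo=ZONES[zone]).astimezone(timezone.utc)

def classify_miss(signature, scanned_at, announcement):
    """Return (verdict, time gap) for a scan that did or did not detect."""
    published, version, added = parse_announcement(announcement)
    if signature not in added:
        raise ValueError(f"{signature} was not added in daily.cvd {version}")
    gap = published - parse_local(scanned_at)
    if gap > timedelta(0):
        # Signature did not exist yet when the message was scanned.
        return "signature-not-yet-published", gap
    # Signature already existed: check freshclam runs and clamd reloads.
    return "signature-available-check-update-and-reload", -gap
```

A verdict of `signature-available-check-update-and-reload` on a message that was not detected points at the local update or reload path rather than at signature timing.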