Webmaster wrote:
Your signatures are based on HTML (Filetype = 3).
Shouldn't it be based on Mail (Filetype = 4) ?
Interesting... I'll do some tests later today changing the type.
The interesting thing though, is that when you go to the online database
search site http://clamav-du.securesites.net/cgi-bin/clamgrok and type
in "Phishing", Select "contains" and then
tick the "signature" box, you'll get a list of current ClamAV
signatures... the majority of which are type 3.
But you're right... it does work... but would mail format be better?
This could avoid false positive like this one :
- Go to http://www.sanesecurity.com/clamav/
- Save the html page on your hardisk
- Scan the saved web page with your phish.ndb signatures
=> Html.Phishing.Auction.Sanesecurity.06010701 FOUND
Doh ;) Okay...thanks for reporting that one... I'll take a look....
Anyway, thank you for creating signatures. This is usefull for a lot of us.
No problem... just trying to help.
In fact, yesterday the sigs certainly saved me a job yesterday, as this
attempt came in and was blocked by the sig that I
make in November. ClamAV's default sigs didn't know about the virus in
the attachment but I caught it using the content
of the text :)
Eg:
http://groups.google.co.uk/groups?q=sightings+%22picture+is+not+to+your+liking%22&start=0&scoring=d&hl=en&;
Thanks again,
Steve
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
