Sven Strickroth wrote: > Am 10.08.2007 19:00 schrieb Roberto Ullfig: > >> On 2007-08-10 12:42, Roberto Ullfig wrote: >> Actually, what we see is that nearly all viruses of the form: >> >> Email.Phishing.RB-12... >> >> stopped being detected on Aug 9 15:31 on all 12 of our servers. On one >> server I see only one of >> these being detected this morning. We usually get several a minute. So, what >> could be the cause >> of the absence of this virus all of a sudden? >> > > The bad guys changed the mail-layout and we had to create new signatures. > > And yes: We remove Email.Phishing.RB-* from time to time, when those > become useless to keep a clean/small/fast database. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://lurker.clamav.net/list/clamav-users.html > What determines a clean/small/fast database? Are these removals logged anywhere? I now notice that all Phishing "viruses" are gone and we're now getting Email.Ecard viruses. Was there a renaming?
Thing is, the way we work is that we run clamav first - any leftovers go to our much more resource intensive spamassassin. Now if you remove a whole bunch of signatures from the database, then spamassassin all of a sudden gets a jump in processing and in some cases are servers are overwhelmed. So, allowing clamav to start ignoring e-mail it was previously blocking is not a nice thing to do. -- Roberto Ullfig - [EMAIL PROTECTED] _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
