On 13.08.2007 at 18:24, Roberto Ullfig wrote:

> What determines a clean/small/fast database? Are these removals logged
> anywhere? I now notice that all Phishing "viruses" are gone and we're
> now getting Email.Ecard viruses. Was there a renaming?

The RB signatures are not generic and will usually only catch a certain phishing attempt with a certain URL. The URLs are simply invalid after some time and not used in current phishing mails anymore. So we leave them in the DB for some weeks and then take them out, since there is no mail around anymore that could be caught by the signature.

There was no renaming. As Sven explained, the bad guys changed the layout of the mail and the old signatures did not catch them anymore. We received new samples and created new signatures (Email.Ecard-1 to Email.Ecard-26). These signatures worked for about 48 hours and then the layout was changed again. I received a sample yesterday night and added it as Email.Ecard-27. You should see it in your logs frequently at the moment. The new name was used to better reflect the nature of this mail, since it's not exactly phish.

> Thing is, the way we work is that we run clamav first - any leftovers go
> to our much more resource intensive spamassassin. Now if you remove a
> whole bunch of signatures from the database, then spamassassin all of a
> sudden gets a jump in processing and in some cases our servers are
> overwhelmed. So, allowing clamav to start ignoring e-mail it was
> previously blocking is not a nice thing to do.

The signatures (RB-12xx) were not removed - the reason was the change in the layout of those mails - and we had to react to it. I try to respond as fast as possible and the new signature was out 30 minutes after receiving the sample yesterday.

If there are still mails getting through (Ecard, phishing), please submit the samples. I can't make it without your help - it's a community approach.

--
Best regards,
Christoph