[EMAIL PROTECTED] wrote:
> Thanks for the reply Dennis. The 'virus' is actually a Phishing
> attempt from the 02/04 def update that's hitting on the logwatch email.
> Here is the line from the clamd.log:
> 
> Thu Feb  7 10:27:47 2008 ->
> /var/spool/MailScanner/incoming/13948/29EC821AC463.28768.message:
> Email.Phishing.RB-2646 FOUND
> 
> Is there any way to find out what that phishing item is hitting on?
> 
> Thanks!

Please resist the urge to top-post.

Of course it's possible to find what you wish. You have the pattern name 
so go to your database directory and grep for that name in the files 
there. In my environment I found that in the daily.ndb file. When you 
grep for the name you will have returned to you a long string of hex 
characters. Copy those characters and paste them into the Hex window at 
http://nickciske.com/tools/hex.php then select decode. It will show you 
the string of characters that ClamAV is looking for. I'd paste it in 
here for you but many mailers would reject this message.

If you can't get the hex string from your system, here is a copy you can 
paste into the URL above:

687474703a2f2f63697469627573696e6573736f6e6c696e652e64612d75732e6369746962616e6b2e636f6d2e

It may line-wrap - there are no natural line breaks in it. Anyway, it 
decodes to a bogus citibank URL. Check your problem file to see if 
citibank shows up in it.

dp
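
The lookup described in the reply above can also be done locally rather than through a web decoder. This is an added example, not part of the original message and not ClamAV's own code: it parses an .ndb-style line and decodes the hex body, leaving wildcards visible. The sample line's target type and offset fields are assumed, and the function names are hypothetical.

```python
import re

# Constructed sample line in ClamAV's extended (.ndb) layout:
#   Name:TargetType:Offset:HexSignature
# The name and hex body are the ones quoted in this thread; the target
# type (4 = mail) and offset (*) are assumptions for illustration.
SAMPLE_NDB = (
    "Email.Phishing.RB-2646:4:*:"
    "687474703a2f2f63697469627573696e6573736f6e6c696e652e"
    "64612d75732e6369746962616e6b2e636f6d2e\n"
)

HEX_RUN = r"(?:[0-9a-fA-F]{2})+"
# One token of a hex body: a wildcard ({n}, {n-m}, *, ??), an alternation
# group, a nibble wildcard (a? / ?a), or a run of plain hex byte pairs.
TOKEN = re.compile(
    r"\{[^}]*\}|\*|\?\?|\([^)]*\)|[0-9a-fA-F]\?|\?[0-9a-fA-F]|" + HEX_RUN + r"|."
)


def decode_hex_body(body):
    """Render literal bytes as text; keep wildcards visible in <...>."""
    out = []
    for tok in TOKEN.findall(body):
        if re.fullmatch(HEX_RUN, tok):
            raw = bytes.fromhex(tok)
            # Non-printable bytes are shown as \xNN rather than emitted raw.
            out.append("".join(
                chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw))
        else:
            out.append("<%s>" % tok)
    return "".join(out)


def explain(name, ndb_lines):
    """Return decoded bodies for every entry whose name matches exactly."""
    hits = []
    for line in ndb_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 4 and fields[0] == name:
            hits.append(decode_hex_body(fields[3]))
    return hits


if __name__ == "__main__":
    for text in explain("Email.Phishing.RB-2646", SAMPLE_NDB.splitlines()):
        print(text)
```

To use it on a real database, pass the lines of the file where grep found the name (daily.ndb in the reply above) in place of the constructed sample.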
