On Mon, 13 Sep 2010 12:48:29 -0400 Alex <mysqlstud...@gmail.com> wrote:
> Hi,
>
> We had a user report that their email was tagged with
> winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
> I track this, and determine which database it was

The UNOFFICIAL suffix indicates it is in a 3rd-party DB.
The winnow prefix tells you that you should look for a winnow.ndb or something similar.
Since these DBs cannot be packed CVD files, you can find the signature with a simple grep:

grep -R winnow.botnets.zu.zeus.4637 /path/to/dbdir

> that contains this
> pattern, and why it considered this email to contain this virus?

If you just want the signature you can use 'sigtool -fwinnow.botnets.zu.zeus.4637'

Best regards,
--Edwin
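The lookup described in the reply above, as an added example that is not part of the original message: a shell function that takes the name exactly as logged, drops the UNOFFICIAL suffix, searches only plain-text `.ndb` files, and splits the matching line into its fields. It assumes the `.ndb` layout `Name:TargetType:Offset:HexSignature`; `find_sig` and `demo` are hypothetical names, and the sample database and its hex pattern are constructed placeholders.

```shell
#!/bin/sh
# find_sig NAME DBDIR
# Prints "file<TAB>target<TAB>offset<TAB>hex-pattern" for each exact match.
find_sig() {
    name=${1%.UNOFFICIAL}     # logs carry the suffix, the database entry does not
    dbdir=$2
    # -F: dots in the name are literal. --include: only .ndb text databases,
    # so packed .cvd/.cld containers are never searched.
    grep -RF --include='*.ndb' -- "$name:" "$dbdir" 2>/dev/null |
    while IFS=: read -r file sig target offset hex rest; do
        # Skip longer names that merely end with the one we want.
        [ "$sig" = "$name" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$file" "$target" "$offset" "$hex"
    done
}

# Constructed sample: target type 4 is "mail file", offset * is "anywhere".
# The hex pattern is a placeholder, not the real winnow signature.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'winnow.botnets.zu.zeus.4637:4:*:6578616d706c65' \
        'winnow.botnets.zu.zeus.46370:0:*:00' \
        'x.winnow.botnets.zu.zeus.4637:0:*:00' > "$d/winnow.ndb"
    find_sig winnow.botnets.zu.zeus.4637.UNOFFICIAL "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
```

The target type and offset fields answer the "why" part of the question: they show which kind of file the pattern is applied to and where in the file it is allowed to match.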