Hi,

>> and the filenames are like:
>>
>> -rwxrwxrwx  1 vscan  vscan     12180 Aug  7 13:58 virus.Ywa18d

I think your solution is to rename the files from virus.Ywa18d to just
Ywa18d. It should be the same as the name used in the X-Quarantine-ID
header in the file itself. Make sure it isn't compressed.

I'm also now noticing there are hundreds or thousands of messages
erroneously quarantined as a result of this rule. It appears to expand
to:

# sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
VIRUS NAME: MBL_303159
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
www.inexglobal.com/downloads

Does anyone know what's going on with this domain? It doesn't look
like a domain thousands of my users would be including in their email
on Aug 7th, so I don't know whether the emails were really spam...

Hope this helps.

Regards,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
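
The rename suggested in the message above, as an added example (not part of the original post and not code from ClamAV or any quarantine tool): it plans a rename from virus.<id> to <id> only when the file is not gzip-compressed and its X-Quarantine-ID header agrees with the filename. The "virus." prefix handling, the angle-bracket stripping, the function names and the sample files are assumptions constructed for illustration.

```python
import gzip
import os
import tempfile
from email.parser import BytesHeaderParser

def quarantine_id(path):
    """Return the X-Quarantine-ID of an uncompressed quarantine file, else None."""
    with open(path, "rb") as fh:
        if fh.read(2) == b"\x1f\x8b":      # gzip magic: decompress it first
            return None
        fh.seek(0)
        value = BytesHeaderParser().parse(fh).get("X-Quarantine-ID")
    # Assumption: the value may be wrapped in angle brackets, e.g. <Ywa18d>.
    return value.strip().strip("<>") if value else None

def plan_renames(directory, prefix="virus."):
    """Return (renames, skipped) for files named <prefix><id> in directory."""
    renames, skipped = {}, {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith(prefix):
            continue
        suffix = name[len(prefix):]
        qid = quarantine_id(os.path.join(directory, name))
        if qid is None:
            skipped[name] = "compressed or no X-Quarantine-ID header"
        elif qid != suffix:
            # Trust the header only when it matches the on-disk name.
            skipped[name] = "header ID differs from filename"
        elif os.path.exists(os.path.join(directory, qid)):
            skipped[name] = "target name already exists"
        else:
            renames[name] = qid
    return renames, skipped

def apply_renames(directory, renames):
    for old, new in renames.items():
        os.rename(os.path.join(directory, old), os.path.join(directory, new))

def build_sample_dir():
    """Constructed sample quarantine directory (not real mail)."""
    d = tempfile.mkdtemp()
    msg = b"X-Quarantine-ID: <%s>\r\nSubject: constructed sample\r\n\r\nbody\r\n"
    with open(os.path.join(d, "virus.Ywa18d"), "wb") as fh:
        fh.write(msg % b"Ywa18d")
    with open(os.path.join(d, "virus.Abc123.gz"), "wb") as fh:
        fh.write(gzip.compress(msg % b"Abc123"))
    with open(os.path.join(d, "virus.Zzz999"), "wb") as fh:
        fh.write(msg % b"Other1")
    return d
```

Review the skipped dictionary before calling apply_renames; anything listed there needs manual handling (for example, decompressing it first).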