Hello,

Is there any way to make ClamAV test custom virus signature files before it scans its main signature database? I know it's one of those "why would you want to do this" questions.

In this case I want to block certain macro viruses based on custom sigs. If stuff isn't found but macros are, I want the files to be labelled as containing macros via the heuristic scan engine. I'm then using a custom virus scan line in Exim to label macro-containing documents, as not all of them are going to be malicious. I know of legitimate use of macro documents at my employer, so blocking them isn't an option in this case. That doesn't stop our customers opening the really dodgy ones though :(

So the full logic I want is ...

1) Scan for specific custom viri; if found > Deny Message
2) a) If a virus is found from main ClamAV signature database > Deny Message
   b) If no custom viri and no main database match found but macro is > Accept but label message as containing macros (this works flawlessly)
   c) If no virus found and no macro found > Accept Message

I've debugged the Exim config by setting it to only scan for my custom definition. I've checked the ClamAV logs and my test file was still being labelled as heuristicscontainsmacros. The only way I can get ClamAV to detect my custom definition is if I turn off heuristic macro detection, which destroys the belt and braces approach I want to achieve. I've also turned heuristicscanpreference off and on to no avail.

I am aware it makes perfect sense to scan using the main official virus database first then custom definitions, but I do think that heuristics definitions should be third in the pecking order behind definitions found in custom sig files.

Any ideas?

Thanks
Adam Massey