
Mailing List Archive: ClamAV: users

third party signatures are given preference ?

 

 



per at computer

Oct 22, 2009, 12:25 AM

Post #1 of 2 (436 views)

I use the official clamav databases plus third party signatures from
sanesecurity to scan email for virus - when an email would potentially
hit two signatures, it seems to prefer the third party over the
official clamav sigs. Is this intentional or am I missing something?
A recent example is Email.Trojan.GZC aka Sanesecurity.Malware.8825.


/Per Jessen, Zürich

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwintorok at gmail

Oct 22, 2009, 1:13 AM

Post #2 of 2 (394 views)
Re: third party signatures are given preference ?

On 2009-10-22 10:25, Per Jessen wrote:
> I use the official clamav databases plus third party signatures from
> sanesecurity to scan email for virus - when an email would potentially
> hit two signatures, it seems to prefer the third party over the
> official clamav sigs. Is this intentional or am I missing something?
> A recent example is Email.Trojan.GZC aka Sanesecurity.Malware.8825.
>


When one signature matches on a file, the scan stops and the virusname
for the matched signature is reported.

If the Sanesecurity signature matches first, then that one is reported.

This is the sanesecurity signature:
Sanesecurity.Malware.8825:4:*:556e666f7274756e6174656c792077652077657265206e6f742061626c6520746f2064656c6976657220706f7374616c207061636b61676520796f752073656e74206f6e*506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572

This is the Email.Trojan.GZC signature:
Email.Trojan.GZC:4:*:506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572206f6666696365

The Sanesecurity signature's second part is a prefix of the
Email.Trojan.GZC signature, so Email.Trojan.GZC will never match with
sanesecurity signatures loaded.


Best regards,
--Edwin
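
An added example (not part of the thread and not ClamAV code): it parses the two .ndb lines quoted above, decodes the `*`-separated hex runs, and checks the prefix relation described in the reply. `first_match` is an assumed, simplified model of first-match-wins scanning (the match that completes earliest is reported), not ClamAV's matcher; `BODY` is a constructed sample, and only the `*` wildcard is handled.

```python
# The two signature lines, copied verbatim from the reply above.
# Layout: MalwareName:TargetType:Offset:HexSignature (target type 4 = mail).
SANE = "Sanesecurity.Malware.8825:4:*:556e666f7274756e6174656c792077652077657265206e6f742061626c6520746f2064656c6976657220706f7374616c207061636b61676520796f752073656e74206f6e*506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572"
GZC = "Email.Trojan.GZC:4:*:506c65617365207072696e74206f75742074686520696e766f69636520636f707920617474616368656420616e6420636f6c6c65637420746865207061636b616765206174206f7572206f6666696365"

def parse_ndb(line):
    """Split one .ndb line; '*' in the hex body separates ordered byte runs."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    parts = [bytes.fromhex(p) for p in hexsig.split("*")]
    return {"name": name, "target": int(target), "offset": offset, "parts": parts}

def match_end(sig, data):
    """Offset just past the last matched run, or None if the runs do not occur in order."""
    pos = 0
    for part in sig["parts"]:
        idx = data.find(part, pos)
        if idx < 0:
            return None
        pos = idx + len(part)
    return pos

def tail_is_prefix(a, b):
    """True if the last run of signature a is a prefix of the first run of b."""
    return b["parts"][0].startswith(a["parts"][-1])

def first_match(sigs, data):
    """Assumed model: the signature whose match completes earliest is the one reported."""
    ends = [(match_end(s, data), s["name"]) for s in sigs]
    hits = [(end, name) for end, name in ends if end is not None]
    return min(hits)[1] if hits else None

# Constructed sample mail body containing both sentences the signatures look for.
BODY = (b"Unfortunately we were not able to deliver postal package you sent on Oct 1.\r\n"
        b"\r\nPlease print out the invoice copy attached and collect the package at our office.\r\n")

if __name__ == "__main__":
    sane, gzc = parse_ndb(SANE), parse_ndb(GZC)
    for sig in (sane, gzc):
        print(sig["name"], [p.decode("ascii") for p in sig["parts"]])
    print("tail of Sanesecurity is a prefix of GZC:", tail_is_prefix(sane, gzc))
    print("ends:", match_end(sane, BODY), match_end(gzc, BODY))
    print("reported:", first_match([gzc, sane], BODY))
```
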