Mark Martinec wrote the following on 5/21/2007 5:06 PM -0800:
> Bill,
>
>
>> I've noticed that when multiple message parts match different clamav
>> signatures, *all* the signature names must be listed in
>> virus_name_to_spam_score_maps for it to be considered spam.
>>
>
> Yes, as documented in RELEASE_NOTES:
>
> [...] When a virus scanner returns names of viruses, and all provided
> names are matched by the virus_name_to_spam_score_maps, and no other
> virus scanner has anything more sinister to report, then a message is
> _not_ flagged as a virus, but a corresponding spam score is
> contributed to other spam results [...]
>
> This is a key issue here.
>
> Your test example after enabling /^MAIL$/ (which requests that
> a full message is passed to virus scanners, besides each decoded
> part), clamd starts to report _two_ malware names.
>

Mark, can you tell me why the Email.Malware are still not detected
without enabling /^MAIL$/? I would like to keep virus scan processing
to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
not detected.

> As the 'Phishing.Email' was not in your virus_name_to_spam_score_maps
> list, such mail did not fulfill the requirement that _all_ reported
> names must be in the list for the result to be turned into spam,
> so you ended up with a quarantined 'virus'.

Thanks for the explanation, and thanks to Noel for his assistance in
figuring this out off-list over the weekend.

Bill
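
The "all reported names must match" rule quoted from RELEASE_NOTES above, as a small model added here for illustration. It is not part of the original message and not amavisd-new code; the signature names, patterns and scores are constructed, and the names passed in are assumed to be the union of what all scanners reported.

```python
import re

# Constructed stand-in for virus_name_to_spam_score_maps: (pattern, score).
# Patterns and scores are illustrative, not from a real configuration.
SCORE_MAP = [
    (re.compile(r"^Email\.Malware\."), 5.0),
]

def lookup_score(name, score_map):
    """Return the score of the first pattern matching this name, or None."""
    for pattern, score in score_map:
        if pattern.search(name):
            return score
    return None

def classify(reported_names, score_map):
    """Model the rule: the result becomes spam only if *every* reported
    name is matched by the map; one unmatched name keeps it a virus.

    Returns ("clean", {}), ("spam", {name: score}) or
    ("virus", [unmatched names]).
    """
    names = list(dict.fromkeys(reported_names))  # de-duplicate, keep order
    if not names:
        return ("clean", {})
    scores = {n: lookup_score(n, score_map) for n in names}
    unmatched = [n for n, s in scores.items() if s is None]
    if unmatched:
        # At least one name is outside the map: treated as a virus.
        return ("virus", unmatched)
    return ("spam", scores)

# Constructed signature names standing in for the two names clamd reported.
ONE_NAME = ["Email.Malware.Example-1"]
TWO_NAMES = ["Email.Malware.Example-1", "Phishing.Email.Example-2"]

# Map extended so that both reported names are covered.
EXTENDED_MAP = SCORE_MAP + [(re.compile(r"^Phishing\.Email\."), 5.0)]

if __name__ == "__main__":
    print(classify(ONE_NAME, SCORE_MAP))      # spam
    print(classify(TWO_NAMES, SCORE_MAP))     # virus, one name unmatched
    print(classify(TWO_NAMES, EXTENDED_MAP))  # spam once both are listed
```
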