Hi > > Take INetMsg-SpamDomains-2m.ndb and jurlbla.ndb.... IF they both > > contain the same host name... then the INetMsg-SpamDomains-2m.ndb > > signature name WILL ALWAYS be given out ...because the database is > > loaded by the clamav engine first.. that's why you see the > > INetMsg-SpamDomains name more than the other databases, even if they > > had found a detection too. > > According to Tomasz Kojm (ClamAV Dev Team), this is not correct. > Signature are randomly selected and none are give any priority or another, > not even the official signatures. See, for example: Clamav may not apply any priority, yet it needs to test signatures one after another. And it will report the first one found. So even without priorities, signatures tested earlier will be reported more often. Order of testing will probably not change while the daemon is running. It might even be always the same, IF processing order equals load order and load order depends on directory enumeration, which will usually stay the same on the same file system... But I just realize that this (only reporting ONE match) opens a security hole: IF a virus matches a REAL virus signature as well as a "spam only" signature, and the host is setup to reject virus but only score spam, virus mails might get passed trough, if the spam signature matched first. Therefor I think it would be very helpful to report ALL matches or at least prefer real virus sigantures. Is it currently possible to run two clamav instances in parallel ? Regards, Steffen