> PS - Here is a follow-up question... is there a way to get ClamAv to > search SOME signature DBs before others? That way, "low risk" could be > put head of "medium risk" ones. That way, if a low risk one has a hit, > its score wouldn't be watered down by a "high risk" rule hitting it > first and then watering down the score, using the system described above. Hi Rob, Nope... external scoring isn't the whole answer but might help, eg: # @av_scanners = (); # @av_scanners_backup = (); # $first_infected_stops_scan = undef; # $viruses_that_fake_sender_re = undef; # @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1); # @virus_name_to_spam_score_maps = # (new_RE( # the order matters! # [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ], # [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ], # [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ], # [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep infected # [ qr'^Sanesecurity\.' => 0.1 ], # [ qr'^Sanesecurity_PhishBar_' => 0 ], # [ qr'^Sanesecurity.TestSig_' => 0 ], # [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ], # [ qr'^Email\.Spammail\b' => 0.1 ], # [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ], # [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ], # [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ], # [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ], # [ qr'^Safebrowsing\.' => 0.1 ], # [ qr'^winnow\.(phish|spam)\.' => 0.1 ], # [ qr'^INetMsg\.SpamDomain' => 0.1 ], # [ qr'^Doppelstern\.(Scam4|Phishing)' => 0.1 ], # [ qr'^ScamNailer\.' => 0.1 ], # [ qr'^HTML/Bankish' => 0.1 ], # F-Prot # [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected # [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives # [ qr'^MBL_' => undef ], # keep as infected # )); Cheers, Steve Sanesecurity