[clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

[info at schroeffu.ch]

Thx G.W. and J.R for your answers.

Yes i deleted the line in /etc/clamav/freshclam.conf ~2 weeks ago already, before it was:

DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfo.ign2
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/javascript.ndb
#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(personal url path here, removed)/securiteinfohtml.hdb ##deleted this line completely
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfoascii.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfoold.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfopdf.hdb

> Perhaps freshclam simply replaced the deleted database, did you check?

Yes, the file is not re-created in /var/lib/clamav/securiteinfohtml.hdb

But even with server reboot the signatures from that file are still hitting, for example:

Wed, 01 Jan 2020 21:45:17 CET
Clamd: msg-137649-12.html was infected: SecuriteInfo.com.HTML-8188.UNOFFICIAL

Update: Ohh, just while writhing this mail i searched for "HTML-8188" in any file at /var/lib/clamav/* and now I see the javascript.ndb is containing this Signature too. My fault! My guess Signatures named with HTML-* are from securiteinfohtml.hdb ... Sorry!

root at XXX01:/var/lib/clamav# grep -Ri HTML-8188 *
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f636c636b2e7275
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f7777772e6d617a696e67657267696a6f6e2e636f6d

All good :-) Going to remove javascript.ndb too. Sorry again.