--- /dev/null
+
+<group name="clamd,freshclam,">
+
+ <rule id="52500" level="0" noalert="1">
+ <decoded_as>clamd</decoded_as>
+ <description>Grouping of the clamd rules.</description>
+ </rule>
+
+ <rule id="52501" level="0" noalert="1">
+ <decoded_as>freshclam</decoded_as>
+ <description>ClamAV database update</description>
+ </rule>
+
+ <rule id="52502" level="8">
+ <if_sid>52500</if_sid>
+ <match>FOUND</match>
+ <description>Virus detected</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52503" level="10">
+ <if_sid>52500</if_sid>
+ <match>^ERROR: </match>
+ <description>Clamd error</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52504" level="7">
+ <if_sid>52500</if_sid>
+ <match>^WARNING: </match>
+ <description>Clamd warning</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52505" level="3">
+ <if_sid>52500</if_sid>
+ <match>clamd daemon</match>
+ <description>Clamd restarted</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52506" level="3">
+ <if_sid>52500</if_sid>
+ <match>Database modification detected</match>
+ <description>Clamd database updated</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52507" level="3">
+ <if_sid>52501</if_sid>
+ <match>ClamAV update process started </match>
+ <description>ClamAV database update</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52508" level="3">
+ <if_sid>52501</if_sid>
+ <match>Database updated </match>
+ <description>ClamAV database updated</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52509" level="0">
+ <if_sid>52501</if_sid>
+ <match>Incremental update failed|Error while reading database from|Update failed.</match>
+ <description>Could not download the incremental virus definition updates.</description>
+ </rule>
+
+</group> <!-- clamd, freshclam -->