diff --git a/DOC/clamav/README.get-signature-info b/DOC/clamav/README.get-signature-info
new file mode 100644
index 0000000..543150b
--- /dev/null
+++ b/DOC/clamav/README.get-signature-info
@@ -0,0 +1,22 @@
+# ----------
+# Get signature info (decode signatur)
+# ----------
+
+# - See also: https://lists.gt.net/clamav/users/73547
+
+# - If yoe see something like
+# -
+# - May 15 15:49:56 mx amavis[19815]: (19815-17) Blocked INFECTED (MBL_27966083.UNOFFICIAL)
+# -
+# - you can get some infos about the blockin signatur (MBL_27966083.UNOFFICIAL)
+# - using clamav's 'sigtool' (ommit '.UNOFFICIAL' if present:
+# -
+sigtool --find-sigs MBL_27966083 | sigtool --decode-sigs
+sigtool --find-sigs=MBL_27966083 | sigtool --decode-sigs
+
+# - Output of that command is:
+# -
+VIRUS NAME: MBL_27966083
+DECODED SIGNATURE:
+https://docs.google.com
+
diff --git a/DOC/clamav/README.signature.whitelist b/DOC/clamav/README.signature.whitelist
new file mode 100644
index 0000000..b971538
--- /dev/null
+++ b/DOC/clamav/README.signature.whitelist
@@ -0,0 +1,130 @@
+# ==========
+# Whitelist (clamav) signature
+# ==========
+
+# - See also: https://lists.gt.net/clamav/users/73547
+
+# ----------
+# Why whithelisting signatures ?
+# ----------
+
+# - Sometimes, Clamav and third party signatures generate some false positives.
+# - It means a non-harmfull file is detected as malware.
+# -
+# -To correct this problem, you have to whitelist the signature.
+
+
+# ----------
+# How to whitelist a signature ?
+# ----------
+
+# - You need to create a .ign2 file in the database directory of Clamav
+# - (usually /var/lib/clamav). In this file, you just have to write the
+# - name of the offending signature.
+# -
+# - Here is an example :
+
+
+# ---
+# - Whitelisting a signature from Clamav Official
+# ---
+
+# - The file '/tmp/file.ext' is detected as a malware
+# -
+clamscan -i /tmp/file.ext
+
+# - Output of that commnd:
+# -
+/tmp/file.ext: CVE_2012_0773-2 FOUND
+
+----------- SCAN SUMMARY -----------
+Known viruses: 7634245
+Engine version: 0.99.2
+Scanned directories: 0
+Scanned files: 1
+Infected files: 1
+Data scanned: 0.78 MB
+Data read: 0.28 MB (ratio 2.80:1)
+Time: 0.096 sec (0 m 0 s)
+
+
+# - Create/Update the whitelist file '/var/lib/clamav/my_whitelist.ign2'
+# -
+echo "CVE_2012_0773-2" >> /var/lib/clamav/my_whitelist.ign2
+
+# - If using clamav daemon, retsrat it
+# -
+# - Restart Clamav
+/etc/init.d/clamav-daemon restart
+
+
+# - Test again to verify the whitelist
+clamscan -i /tmp/file.ext
+
+----------- SCAN SUMMARY -----------
+Known viruses: 7634245
+Engine version: 0.99.2
+Scanned directories: 0
+Scanned files: 1
+Infected files: 0
+Data scanned: 0.78 MB
+Data read: 0.28 MB (ratio 2.80:1)
+Time: 0.096 sec (0 m 0 s)
+
+# - The file is no longer considered malware.
+
+
+# ---
+# Whitelisting a signature from third party signatures (clamav-unofficial-sigs)
+# ---
+
+# - The file '/var/QUARANTINE/virus/virus-2afmbqnVgQAn' is detected as a malware
+#-
+# - Test it with:
+# -
+clamscan -i /var/QUARANTINE/virus/virus-2afmbqnVgQAn
+
+# - Output of that commnd:
+# -
+/var/QUARANTINE/virus/virus-2afmbqnVgQAn: MBL_27966083.UNOFFICIAL FOUND
+
+----------- SCAN SUMMARY -----------
+Known viruses: 6906592
+Engine version: 0.100.3
+Scanned directories: 0
+Scanned files: 1
+Infected files: 1
+Data scanned: 0.00 MB
+Data read: 0.01 MB (ratio 0.33:1)
+Time: 76.506 sec (1 m 16 s)
+
+# - Create/Update of the whitelist file '/var/lib/clamav/my_whitelist.ign2'
+# - without the .UNOFFICIAL suffix
+# -
+echo "MBL_27966083" >> /var/lib/clamav/my_whitelist.ign2
+
+# - If using clamav daemon, retsrat it
+# -
+# - Restart Clamav
+/etc/init.d/clamav-daemon restart
+
+
+# - Test again to verify the whitelist
+# -
+clamscan -i /var/QUARANTINE/virus/virus-2afmbqnVgQAn
+
+# - Output is now:
+# -
+
+----------- SCAN SUMMARY -----------
+Known viruses: 6906591
+Engine version: 0.100.3
+Scanned directories: 0
+Scanned files: 1
+Infected files: 0
+Data scanned: 0.02 MB
+Data read: 0.01 MB (ratio 2.00:1)
+Time: 73.752 sec (1 m 13 s)
+
+# - The file is no longer considered malware.
+