# ==========
# Whitelist (clamav) signature
# ==========
# - See also: https://lists.gt.net/clamav/users/73547

# ----------
# Why whitelist signatures?
# ----------
# - Sometimes, ClamAV and third-party signatures generate false positives.
# - It means a harmless file is detected as malware.
# -
# - To correct this problem, you have to whitelist the signature.

# ----------
# How to whitelist a signature?
# ----------
# - You need to create a .ign2 file in the database directory of ClamAV
# - (usually /var/lib/clamav). In this file, you just have to write the
# - name of the offending signature.
# -
# - Here is an example:

# ---
# Whitelisting a signature from ClamAV Official
# ---
# - The file '/tmp/file.ext' is detected as malware
# - clamscan -i /tmp/file.ext
# - Output of that command:
# -
/tmp/file.ext: CVE_2012_0773-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

# - Create/Update the whitelist file '/var/lib/clamav/my_whitelist.ign2'
# - echo "CVE_2012_0773-2" >> /var/lib/clamav/my_whitelist.ign2
# - If using the clamav daemon, restart it
# -
# - Restart ClamAV
/etc/init.d/clamav-daemon restart

# - Test again to verify the whitelist
clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

# - The file is no longer considered malware.

# ---
# Whitelisting a signature from third party signatures (clamav-unofficial-sigs)
# ---
# - The file '/var/QUARANTINE/virus/virus-2afmbqnVgQAn' is detected as malware
# -
# - Test it with:
# - clamscan -i /var/QUARANTINE/virus/virus-2afmbqnVgQAn
# - Output of that command:
# -
/var/QUARANTINE/virus/virus-2afmbqnVgQAn: MBL_27966083.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6906592
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.01 MB (ratio 0.33:1)
Time: 76.506 sec (1 m 16 s)

# - Create/Update the whitelist file '/var/lib/clamav/my_whitelist.ign2'
# - without the .UNOFFICIAL suffix
# - echo "MBL_27966083" >> /var/lib/clamav/my_whitelist.ign2
# - If the file was created:
# - chown clamav:clamav /var/lib/clamav/my_whitelist.ign2
# - If using the clamav daemon, restart it
# -
# - Restart ClamAV
/etc/init.d/clamav-daemon restart

# - Test again to verify the whitelist
# - clamscan -i /var/QUARANTINE/virus/virus-2afmbqnVgQAn
# - Output is now:
# -
----------- SCAN SUMMARY -----------
Known viruses: 6906591
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 73.752 sec (1 m 13 s)

# - The file is no longer considered malware.
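
# ---
# - Added example, not part of the original notes: a small POSIX shell helper
# - for the two procedures above. It takes the signature name from a clamscan
# - result line, drops the .UNOFFICIAL suffix and appends the name to an .ign2
# - file only once. The function names and the allowed-character check are
# - assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original notes); function names are hypothetical.

# Print the signature name from one clamscan result line
# ("<path>: <signature> FOUND"), without the .UNOFFICIAL suffix.
sig_from_scan_line() {
    # The greedy ".*: " anchors on the last ": ", so paths containing ": " work.
    sig=$(printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p')
    [ -n "$sig" ] || return 1          # summary lines and clean files: no match
    printf '%s\n' "${sig%.UNOFFICIAL}"
}

# Append a signature name to an .ign2 file once; refuse malformed names.
ign2_add() {
    file=$1
    sig=${2%.UNOFFICIAL}
    case $sig in
        # Assumed character set; widen it if your signature names need more.
        ''|*[!A-Za-z0-9._-]*) echo "refusing name: '$2'" >&2; return 1 ;;
    esac
    if [ -f "$file" ] && grep -qxF -- "$sig" "$file"; then
        return 0                       # already listed, avoid duplicates
    fi
    printf '%s\n' "$sig" >> "$file"
}

# Constructed demo on a temporary file. On a real host the target would be
# /var/lib/clamav/my_whitelist.ign2 (chown clamav:clamav if newly created),
# followed by a clamav-daemon restart and a re-scan.
demo() {
    tmp=$(mktemp) || return 1
    line='/var/QUARANTINE/virus/virus-2afmbqnVgQAn: MBL_27966083.UNOFFICIAL FOUND'
    ign2_add "$tmp" "$(sig_from_scan_line "$line")"
    ign2_add "$tmp" "MBL_27966083.UNOFFICIAL"   # second add is a no-op
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

# - Each name the helper adds disables that signature for every file scanned,
# - not only the one tested (the 'Known viruses' count above drops from
# - 6906592 to 6906591), so confirm the detection is a false positive first.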