# ==========
# Whitelist (clamav) signature
# ==========

# - See also: https://lists.gt.net/clamav/users/73547

# ----------
# Why whitelist signatures?
# ----------

# - Sometimes, ClamAV and third-party signatures generate false positives.
# - It means a harmless file is detected as malware.
# -
# - To correct this problem, you have to whitelist the signature.


# ----------
# How to whitelist a signature?
# ----------

# - You need to create a .ign2 file in the database directory of ClamAV
# - (usually /var/lib/clamav). In this file, you just have to write the
# - name of the offending signature.
# -
# - Here is an example:


# ---
# Whitelisting a signature from ClamAV Official
# ---

# - The file '/tmp/file.ext' is detected as malware
# -
clamscan -i /tmp/file.ext

# - Output of that command:
# -
/tmp/file.ext: CVE_2012_0773-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)


# - Create/Update the whitelist file '/var/lib/clamav/my_whitelist.ign2'
# -
echo "CVE_2012_0773-2" >> /var/lib/clamav/my_whitelist.ign2

# - If using the ClamAV daemon, restart it
# -
# - Restart ClamAV
/etc/init.d/clamav-daemon restart


# - Test again to verify the whitelist
clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

# - The file is no longer considered malware.


# ---
# Whitelisting a signature from third party signatures (clamav-unofficial-sigs)
# ---

# - The file '/var/QUARANTINE/virus/virus-2afmbqnVgQAn' is detected as malware
# -
# - Test it with:
# -
clamscan -i /var/QUARANTINE/virus/virus-2afmbqnVgQAn

# - Output of that command:
# -
/var/QUARANTINE/virus/virus-2afmbqnVgQAn: MBL_27966083.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6906592
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.01 MB (ratio 0.33:1)
Time: 76.506 sec (1 m 16 s)

# - Create/Update the whitelist file '/var/lib/clamav/my_whitelist.ign2'
# - without the .UNOFFICIAL suffix
# -
echo "MBL_27966083" >> /var/lib/clamav/my_whitelist.ign2

# - If using the ClamAV daemon, restart it
# -
# - Restart ClamAV
/etc/init.d/clamav-daemon restart


# - Test again to verify the whitelist
# -
clamscan -i /var/QUARANTINE/virus/virus-2afmbqnVgQAn

# - Output is now:
# -

----------- SCAN SUMMARY -----------
Known viruses: 6906591
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 73.752 sec (1 m 13 s)

# - The file is no longer considered malware.
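
# - Added example, not part of the original notes: POSIX shell functions that
# - turn clamscan output into .ign2 entries, stripping the .UNOFFICIAL suffix
# - and skipping names already listed. The function names and the sample scan
# - output are constructed for illustration.

```shell
#!/bin/sh
# Added example: build .ign2 entries from `clamscan -i` output.
# sample_scan, sig_names and ign2_add are hypothetical helper names.

# Constructed sample: the two detections shown in these notes plus one
# summary line, which the extraction below must ignore.
sample_scan() {
    cat <<'EOF'
/tmp/file.ext: CVE_2012_0773-2 FOUND
/var/QUARANTINE/virus/virus-2afmbqnVgQAn: MBL_27966083.UNOFFICIAL FOUND
Infected files: 2
EOF
}

# Read clamscan output on stdin and print one signature name per FOUND
# line, without the .UNOFFICIAL suffix that .ign2 entries must not carry.
sig_names() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sed 's/\.UNOFFICIAL$//' | sort -u
}

# Append the names read on stdin to the whitelist file given as $1.
# Names already present as a whole line are skipped, so repeated runs
# do not create duplicates. Prints how many names were added.
ign2_add() {
    file=$1
    added=0
    touch "$file" || return 1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! grep -qxF -- "$name" "$file"; then
            printf '%s\n' "$name" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Demo on a scratch file; for real use pass
# /var/lib/clamav/my_whitelist.ign2 and restart clamav-daemon afterwards.
scratch=$(mktemp)
sample_scan | sig_names | ign2_add "$scratch"
rm -f "$scratch"
```

# - An entry in a .ign2 file turns the signature off for every scanned file,
# - so check the extracted names before appending them to the whitelist.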