Hi,

I happen to have a similar issue and thought I could append to this
thread with my questions.

>> Is there a way to delete a signature that you are not interested in?

I'd like to create a local whitelist for patterns that create false
positives in my environment from attachments in email. Here's an
example:

Dec  1 10:47:55 mail01 amavis[18312]: (18312-02) Blocked INFECTED
(PUA.Script.PDF.EmbeddedJavaScript), [204.XXX.YYY.21]
[204.XXX.YYY.21] <[email protected]>, quarantine:
virus-06232854a5c3b09c7451be840f81fc58-20111201T104753-18312-02.gz,
Message-ID: <01b601ccb040$933b3bf0$b9b1b3d0$@[email protected]>,
mail_id: 539J2GR60fLp, Hits: -, size: 1288479, 1411 ms

Dec  1 10:47:55 mail01 postfix/smtp[18345]: 081AC160468:
to=<[email protected]>, orig_to=<[email protected]>
, relay=127.0.0.1[127.0.0.1]:10024, delay=7.3, delays=5.9/0/0.01/1.4,
dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
id=18312-02 - INFECTED: PUA.Script.PDF.EmbeddedJavaScript)

I understand I can add PUA.Script.PDF.EmbeddedJavaScript to
sigwhitelist.ign2 for it to be whitelisted, correct?

However, this will be overwritten, so I'd like to create one of my
own. Do I just create a new file in that directory, and signal clamd
to re-read the database?

Is it possible to whitelist based on the name of a file?

This also seems like a very generic signature. To determine the
pattern that matched within the attachment, is this the correct way to
do that?

# sigtool -fPUA.Script.PDF.EmbeddedJavaScript
[daily.ndu] 
PUA.Script.PDF.EmbeddedJavaScript:0:0:255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
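To see what the hex signature printed by `sigtool -f` above actually requires of a file, here is an added example (my own code, not ClamAV's and not from the post) that translates the ndb/ndu signature body into an equivalent Python regex and runs it over constructed PDF fragments; the helper names and the sample files are assumptions for illustration only.

```python
import re

# Signature exactly as printed by `sigtool -f` in the post (ndb format: name:target:offset:hexsig).
SIG_LINE = ("PUA.Script.PDF.EmbeddedJavaScript:0:0:"
            "255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)")

# One token of a ClamAV hex-signature body.
TOKEN = re.compile(r"\{(?P<rng>[^}]*)\}|(?P<star>\*)|(?P<nib>\?\?)"
                   r"|(?P<open>\()|(?P<close>\))|(?P<alt>\|)|(?P<hex>[0-9a-fA-F]{2})")

def hexsig_to_regex(body: str) -> re.Pattern:
    """Translate a hex signature body into a bytes regex. Handles hex bytes,
    ?? (any byte), * (any run), {n} {-n} {n-} {n-m} gaps and (aa|bb) alternatives."""
    out, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax at {pos}: {body[pos:m.start()]!r}")
        pos = m.end()
        if m["hex"]:
            out.append(re.escape(bytes.fromhex(m["hex"])))
        elif m["star"]:
            out.append(b".*?")
        elif m["nib"]:
            out.append(b".")
        elif m["open"]:
            out.append(b"(?:")
        elif m["close"]:
            out.append(b")")
        elif m["alt"]:
            out.append(b"|")
        else:
            r = m["rng"]
            lo, _, hi = r.partition("-")
            if "-" not in r:                       # {n}: exactly n bytes
                out.append(b".{%d}" % int(r))
            else:                                  # {-n}, {n-}, {n-m}
                out.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
    if pos != len(body):
        raise ValueError(f"trailing text: {body[pos:]!r}")
    return re.compile(b"".join(out), re.DOTALL)

def scan(data: bytes, sig_line: str = SIG_LINE):
    """Return (signature name, match offset) or None. Offset field: '*' or an absolute offset."""
    name, _target, offset, body = sig_line.split(":", 3)
    rx = hexsig_to_regex(body)
    m = rx.search(data) if offset == "*" else rx.match(data, int(offset))
    return (name, m.start()) if m else None

# Constructed sample files, not real attachments from the post.
PDF_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
PDF_JS    = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
PDF_NAME  = b"%PDF-1.4\n1 0 obj\n<< /Title /JavaScriptGuide >>\nendobj\n"  # no ' ', '(' or '<' after /JavaScript

if __name__ == "__main__":
    for label, blob in ("plain", PDF_PLAIN), ("js", PDF_JS), ("lookalike", PDF_NAME):
        print(label, scan(blob))
```

The decoded pattern reads: `%PDF-` at offset 0, any bytes, `obj`, at most 2 bytes, `<<`, at most 100 bytes, `/JavaScript` followed by a space, `(` or `<`; that is why any PDF whose first dictionary after an `obj` carries a JavaScript action trips it.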