On 12/01/2011 09:55 PM, Alex wrote:
> Hi,
> 
> I happen to have a similar issue and thought I could append to this
> thread with my questions.
> 
>>> Is there a way to delete a signature that you are not interested in?
> 
> I'd like to create a local whitelist for patterns that create false
> positives in my environment from attachments in email. Here's an
> example:
> 
> Dec  1 10:47:55 mail01 amavis[18312]: (18312-02) Blocked INFECTED
> (PUA.Script.PDF.EmbeddedJavaScript), [204.XXX.YYY.21]
> [204.XXX.YYY.21] <[email protected]>, quarantine:
> virus-06232854a5c3b09c7451be840f81fc58-20111201T104753-18312-02.gz,
> Message-ID: <01b601ccb040$933b3bf0$b9b1b3d0$@[email protected]>,
> mail_id: 539J2GR60fLp, Hits: -, size: 1288479, 1411 ms
> 
> Dec  1 10:47:55 mail01 postfix/smtp[18345]: 081AC160468:
> to=<[email protected]>, orig_to=<[email protected]>
> , relay=127.0.0.1[127.0.0.1]:10024, delay=7.3, delays=5.9/0/0.01/1.4,
> dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
> id=18312-02 - INFECTED: PUA.Script.PDF.EmbeddedJavaScript)
> 
> I understand I can add PUA.Script.PDF.EmbeddedJavaScript to
> sigwhitelist.ign2 for it to be whitelisted, correct?
> 
> However, this will be overwritten, so I'd like to create one of my
> own. Do I just create a new file in that directory, and signal clamd
> to re-read the database?

Yes, you can use any filename as long as its extension is .ign2.

> 
> Is it possible to whitelist based on the name of a file?

No.

> 
> This also seems like a very generic signature. To determine the
> pattern that matched within the attachment, is this the correct way to
> do that?
> 
> # sigtool -fPUA.Script.PDF.EmbeddedJavaScript
> [daily.ndu] 
> PUA.Script.PDF.EmbeddedJavaScript:0:0:255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)

Yes.

--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml