On 02/07/12 16:07, Ralf Hildebrandt wrote:
> * Lyle Giese <l...@lcrcomputer.net>:
>
>> The format of local.ign is not very intuitive, IMHO.
>
> It's local.ign2 according to the docs.
>
> "Creating signatures for ClamAV"
> http://www.clamav.net/doc/latest/signatures.pdf
>
> 3.8 Whitelist databases
>
> To whitelist a specific signature from the database you just add its name
> into a local file called -->  local.ign2<-- stored inside the database
> directory.
> You can additionally follow the signature name with the MD5 of the entire
> database entry for this signature, eg:
>
> Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
>
> In such a case, the signature will no longer be whitelisted when its
> entry in the database gets modified (eg. the signature gets updated to
> avoid false alerts).
>
>
>> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>>
>> The first entry is the name of the file the definition is in (minus
>> the file extension).  The second is the line number that the
>> definition is on.  And the third is the name of the definition.
>> These fields are separated by ':' as you can see.
>
> Have you tried that for a bytecode signature?
> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> doesn't emit a line number. Fields are not separated with : but with ;

I have never used sigtool. grep/kate/nano or any good editor will let you search and tell you the line number that you are looking at.

I guess I never used local.ign2, only local.ign, for bypassing 'bad' definitions, and I have tested the local.ign files I created to make sure they do exactly what is needed for my mail system.

Lyle Giese
LCR Computer Services, Inc.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
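The two whitelist formats discussed in this thread, as an added example (not code from the thread, nor from ClamAV or sigtool): a small POSIX shell helper that looks a signature name up in a plain-text database file and emits either the local.ign line Lyle describes (file name minus extension, line number, signature name) or the local.ign2 line from the signatures.pdf excerpt (signature name, MD5 of the whole entry), so neither the line number nor the MD5 has to be typed by hand. Assumptions of mine, not stated on the page: the database file is uncompressed text (an .ndb/.hdb-style file, not a .cvd/.cld), the signature name appears as an exact field of its entry, fields are split on ':' or ';' (Ralf's point about bytecode entries), the MD5 is taken over the entry line with its trailing newline stripped, and the sample database file is constructed here and is not a real ClamAV or Sanesecurity database. Verify the MD5 rule against the ClamAV version you run before depending on it.

```shell
# Added example: build local.ign / local.ign2 entries from a plain-text
# ClamAV database file. Not from the thread or from ClamAV itself.
# Assumptions: uncompressed db text; name is an exact ':' or ';' separated
# field; local.ign2 MD5 = md5 of the entry line without its newline
# (check against your ClamAV version); md5sum is GNU coreutils' tool.

# find_sig NAME DBFILE -> prints "LINENO:ENTRY" for the first entry
# that has NAME as one of its fields (exact match, so Foo-1 != Foo-1.Old)
find_sig() {
    awk -F'[:;]' -v n="$1" '
        { for (i = 1; i <= NF; i++) if ($i == n) { print FNR ":" $0; exit } }
    ' "$2"
}

# ign_entry NAME DBFILE -> local.ign line as described in the thread:
#   dbfile-without-extension:lineno:name
ign_entry() {
    hit=$(find_sig "$1" "$2")
    [ -n "$hit" ] || return 1          # unknown signature: no entry
    base=$(basename "$2")
    printf '%s:%s:%s\n' "${base%.*}" "${hit%%:*}" "$1"
}

# ign2_entry NAME DBFILE -> local.ign2 line as in signatures.pdf 3.8:
#   name:md5-of-the-whole-entry (so a changed entry un-whitelists itself)
ign2_entry() {
    hit=$(find_sig "$1" "$2")
    [ -n "$hit" ] || return 1
    entry=${hit#*:}                    # drop the "LINENO:" prefix
    sum=$(printf '%s' "$entry" | md5sum | cut -d' ' -f1)
    printf '%s:%s\n' "$1" "$sum"
}

# make_sample_db DIR -> writes a constructed (not real) .ndb-style file and
# prints its path. Entry layout assumed: Name:TargetType:Offset:HexSig
make_sample_db() {
    f="$1/sample.ndb"
    printf '%s\n' \
        'Sample.Phish-1:0:*:68656c6c6f' \
        'Sample.Spam-2:3:*:7370616d' \
        'Sample.Phish-1.Old:0:*:6f6c64' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed file.
demo_dir=$(mktemp -d)
demo_db=$(make_sample_db "$demo_dir")
ign_entry  Sample.Spam-2 "$demo_db"    # sample:2:Sample.Spam-2
ign2_entry Sample.Spam-2 "$demo_db"
rm -rf "$demo_dir"
```

Append the printed lines to local.ign or local.ign2 in the database directory and reload clamd. The exact-field match matters: a plain grep for the name would also hit "Sample.Phish-1.Old" when you asked for "Sample.Phish-1", and the line number in local.ign must point at the right entry.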
