On Mon, Dec 26, 2016 at 08:24 PM, Mark Foley wrote:
>
> For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some
> genuinely infected files, it also turned up a lot of false positives for
> PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1.
>
> In searching for a way to block just these specific PUA signatures, I found
> several references on the web to putting these names in
> /var/lib/clamav/local.ign2:
>
> PUA.Win.Trojan.EmbeddedPDF-1
> PUA.Pdf.Trojan.EmbeddedJavaScript-1
>
> I found nothing in any of my clamav documentation mentioning this file (I'm
> running 0.99.2). However, that local.ign2 file did work.
>
> Question 1: is the use of this file officially documented anywhere? Likewise for
> another file mentioned, whitelist.ign2?
It’s in the signatures.pdf documentation, para 3.9. You can call it anything you want as long as the file extension is “.ign2”.

> Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
> this local.ign2 file to exclude these signatures?

Yes.

> Question 3: Given the recent dialog in this list about false positives, could
> the Win.Trojan.Toa-XXXX signatures be added to this file for at least temporary
> ignoring?

They can (and have been for ClamXav) but given that these are being dropped as we speak, it’s probably not worth the effort.

> I tried adding the several distinct ones found on my system and, upon
> starting clamscan got the errors:
>
> LibClamAV Error: cli_loadign: No signature name provided
> LibClamAV Error: cli_loadign: Problem parsing database at line 17
> LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
> LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/local.ign2
> ERROR: Malformed database
>
> Further research showed that the format for entries in local.ign2 is
>
> Repository.Name.Number
>
> Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work. Not sure what
> the correct syntax would be for these Win.Trojan.Toa culprits, if this mechanism
> would even work for these at all.

That will work, so you must have a typo of some sort at line 17.

-Al-

>
> Thanks, --Mark
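The thread turns on the .ign2 format (one signature name per line, as signatures.pdf section 3.9 describes) and on a "Problem parsing database at line 17" error that Al attributes to a typo. The checker below is an added example written for this page; it is not code from the thread or from ClamAV. It assumes, as stated in its comments, that a blank or whitespace-only line, stray whitespace around a name, or characters outside the dotted/hyphenated names seen above are what make the loader reject a line, and it reports the same 1-based line numbers that LibClamAV prints so a sysadmin can find the offending entry before restarting clamd. The sample file is constructed and reuses only the signature names quoted in the thread.

```python
"""Pre-flight check for a ClamAV .ign2 signature-ignore file (added example)."""
import re
import sys
from typing import Dict, List, Tuple

# Assumption: a signature name is a run of letters, digits, '.', '-' and '_',
# e.g. PUA.Pdf.Trojan.EmbeddedJavaScript-1 or Win.Trojan.Toa-5366523-0.
# A ':' is deliberately excluded: it was the field separator of the older
# .ign format (dbname:line:signame), which .ign2 does not use.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def check_ign2(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, problem) pairs; an empty list means the file looks loadable."""
    problems: List[Tuple[int, str]] = []
    seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):
            continue  # comment line, skipped by the loader (assumption)
        if raw.strip() == "":
            problems.append((lineno, "empty line: no signature name provided"))
            continue
        name = raw.strip()
        if name != raw:
            problems.append((lineno, "leading/trailing whitespace around signature name"))
        if not NAME_RE.match(name):
            problems.append((lineno, f"unexpected characters in signature name {name!r}"))
            continue
        if name in seen:
            problems.append((lineno, f"duplicate of line {seen[name]}"))
        else:
            seen[name] = lineno
    return problems


def normalise_ign2(text: str) -> str:
    """Return a cleaned copy: comments kept, whitespace stripped, blank and duplicate names dropped."""
    out: List[str] = []
    seen = set()
    for raw in text.splitlines():
        if raw.startswith("#"):
            out.append(raw)
            continue
        name = raw.strip()
        if name == "" or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return "\n".join(out) + "\n"


# Constructed sample: the three names quoted in the thread, plus the kinds of
# slips that produce "Malformed database" (trailing space, blank line, duplicate).
SAMPLE_IGN2 = "\n".join([
    "# local.ign2 (constructed sample)",       # line 1
    "PUA.Win.Trojan.EmbeddedPDF-1",            # line 2
    "PUA.Pdf.Trojan.EmbeddedJavaScript-1",     # line 3
    "Win.Trojan.Toa-5366523-0 ",               # line 4: trailing space
    "   ",                                      # line 5: whitespace only
    "PUA.Win.Trojan.EmbeddedPDF-1",            # line 6: duplicate of line 2
]) + "\n"


if __name__ == "__main__":
    # Usage: python check_ign2.py /var/lib/clamav/local.ign2 (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IGN2
    for lineno, msg in check_ign2(data):
        print(f"line {lineno}: {msg}")
    sys.stdout.write(normalise_ign2(data))
```

Run it against the real file before restarting clamd; the line numbers it prints line up with the "Problem parsing database at line N" message, and the normalised output on stdout can be redirected to a fresh .ign2 file once the reported lines have been reviewed.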
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
