Very curious! It seems to work as expected on my Fedora 32 system. If you run clamscan with the --debug option, you can see it load the ".fp" files (and lots and lots of other stuff too!).

    $ clamscan --version
    ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021

    $ cat /var/lib/clamav/xmr-stak-linux.fp
    2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz

    $ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
    Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
    Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
    /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 12743774
    Engine version: 0.103.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 16.49 MB
    Data read: 1.99 MB (ratio 8.28:1)
    Time: 25.887 sec (0 m 25 s)
    Start Date: 2021:04:17 20:52:21
    End Date: 2021:04:17 20:52:47

On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček <[email protected]> wrote:

> Hello folks,
>
> I am new to this mailing list. I’ve got a question related to ClamAV’s
> .fp files. Since I am a Ubuntu user, I asked my question on
> askubuntu.com:
>
> https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
>
> Got directed to a ClamAV forum so I am here. Copying my original post.
>
> My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
>
> Trying to make ClamAV ignore several files. These are almost cryptocoin
> miners which I do use. Cryptocoin miners get flagged by most antivirus
> programs for they can be distributed as malware (using other people’s
> computers for the attacker’s profit). At the same time, they can be used
> for a tiny profit by the computer’s user himself, knowing what he is
> doing. ClamAV also reports the miners as malware and I’d like to teach
> it to ignore the files I actually use, knowing what I am doing.
>
> I also want to ignore the files on a per-file basis. Ignoring a whole
> malware type can be dangerous.
>
> Well, still no success here.
>
> Read this manual page: http://pig.made-it.com/clamav.html.
>
> Then this manual page:
> https://www.clamav.net/documents/allow-list-databases.
>
> Then this: https://www.clamav.net/documents/file-hash-signatures.
>
> In all these documents, they state that all I have to do is:
>
>   * Create a file in the ClamAV database folder (on Ubuntu, it’s
>     /var/lib/clamav) with the |.fp| extension,
>   * place the file signatures therein, following the format
>     |MD5:SIZE:COMMENT|, one per line,
>       o |MD5| being the MD5 sum of the file,
>       o |SIZE| being the file size, and
>       o |COMMENT| being anything, defaulting to the file name.
>
> However, this
> <http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/> blog entry
> states that the format has to be |MD5:SIZE:ID_NAME|, where:
>
>   * |ID| is a 6-digit identifier (can be the current date in the
>     |YYMMDD| format) and
>   * |NAME| is the file name *without the extension.*
>
> Tried to follow even the second, restricted ruleset but to no avail.
> Clamscan still marks the file as a virus.
>
> I have got this file:
>
>     clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp
>     -rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp
>
> with this content:
>
>     2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
>
> Then I run |clamscan|:
>
>     clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
>     /home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND
>
>     ----------- SCAN SUMMARY -----------
>     Known viruses: 8653609
>     Engine version: 0.102.4
>     Scanned directories: 0
>     Scanned files: 1
>     Infected files: 1
>     Data scanned: 7.19 MB
>     Data read: 1.99 MB (ratio 3.61:1)
>     Time: 17.547 sec (0 m 17 s)
>
> So I still get a detection. What am I doing wrong?
>
> Cheers,
> Pavel Řezníček
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
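
An added example, not part of the thread or of ClamAV itself: a small check that an entry in a .fp file really corresponds to the file on disk, using the MD5:SIZE:COMMENT format quoted above. The file names and sample bytes are constructed, and the script only compares hash and size; it does not diagnose the detection reported in the thread.

```python
import hashlib
import os
import re
import tempfile

# Format quoted in the thread: 32 hex digits, decimal size, non-empty comment.
ENTRY_RE = re.compile(r"([0-9a-fA-F]{32}):([0-9]+):(\S.*)")

def fp_entry(path, comment=None):
    """Return the MD5:SIZE:COMMENT line for the file at path."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    name = comment or os.path.basename(path)
    return f"{digest.hexdigest()}:{os.path.getsize(path)}:{name}"

def check_fp(fp_path, target):
    """Return (matching line numbers, [(line number, reason)]) for target."""
    md5, size, _ = fp_entry(target).split(":", 2)
    matches, problems = [], []
    with open(fp_path, encoding="utf-8") as fh:
        for number, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line:
                continue
            m = ENTRY_RE.fullmatch(line)
            if m is None:
                problems.append((number, "not MD5:SIZE:COMMENT"))
            elif m.group(1).lower() == md5 and m.group(2) != size:
                problems.append((number, "MD5 matches, size differs"))
            elif m.group(1).lower() == md5:
                matches.append(number)  # entries for other files are skipped
    return matches, problems

def demo():
    """Check a constructed file against a constructed .fp database."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sample.tar.xz")
        with open(target, "wb") as fh:
            fh.write(b"constructed sample, not a real archive\n")
        good = fp_entry(target, "210412_sample")
        fp_path = os.path.join(tmp, "sigfile.fp")
        with open(fp_path, "w", encoding="utf-8") as fh:
            fh.write(f"{good}\n{good[:32]}:1:wrong_size\n{good[:32]}:39\n")
        return check_fp(fp_path, target)

if __name__ == "__main__":
    print(demo())
```

An empty list of matches with no problems means no entry in the database refers to the file at all.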
