Humm, I’ve restarted my laptop and now the .fp file gets read and the detection gets ignored.

How come I need to restart the machine? Is there any service I could restart instead?

Pavel

On 17 Apr 2021 at 20:55, Richard Graham via clamav-users wrote:
Very curious!  It seems to work as expected on my Fedora 32 system.  If you run clamscan with the --debug option, you can see it load the ".fp" files (and lots and lots of other stuff too!).

$ clamscan --version
ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021

$ cat /var/lib/clamav/xmr-stak-linux.fp
2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz

$ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK

----------- SCAN SUMMARY -----------
Known viruses: 12743774
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 16.49 MB
Data read: 1.99 MB (ratio 8.28:1)
Time: 25.887 sec (0 m 25 s)
Start Date: 2021:04:17 20:52:21
End Date:   2021:04:17 20:52:47


On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček <[email protected]> wrote:

    Hello folks,

    I am new to this mailing list. I’ve got a question related to ClamAV’s
    .fp files. Since I am an Ubuntu user, I asked my question on
    askubuntu.com:
    https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2

    Got directed to a ClamAV forum so I am here. Copying my original post.

    My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.

    Trying to make ClamAV ignore several files. These are mostly cryptocoin
    miners which I do use. Cryptocoin miners get flagged by most antivirus
    programs for they can be distributed as malware (using other people’s
    computers for the attacker’s profit). At the same time, they can be used
    for a tiny profit by the computer’s user himself, knowing what he is
    doing. ClamAV also reports the miners as malware and I’d like to teach
    it to ignore the files I actually use, knowing what I am doing.

    I also want to ignore the files on a per-file basis. Ignoring a whole
    malware type can be dangerous.

    Well, still no success here.

    Read this manual page: http://pig.made-it.com/clamav.html

    Then this manual page:
    https://www.clamav.net/documents/allow-list-databases

    Then this: https://www.clamav.net/documents/file-hash-signatures

    In all these documents, they state that all I have to do is:

      * Create a file in the ClamAV database folder (on Ubuntu, it’s
        /var/lib/clamav) with the .fp extension,
      * place the file signatures therein, following the format
        MD5:SIZE:COMMENT, one per line,
          o MD5 being the MD5 sum of the file,
          o SIZE being the file size, and
          o COMMENT being anything, defaulting to the file name.

    However, this blog entry
    <http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/>
    states that the format has to be MD5:SIZE:ID_NAME, where:

      * ID is a 6-digit identifier (can be the current date in the
        YYMMDD format) and
      * NAME is the file name without the extension.

    Tried to follow even the second, restricted ruleset but to no avail.
    Clamscan still marks the file as a virus.

    I have got this file:

    clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp
    -rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp

    with this content:

    2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar

    Then I run clamscan:

    clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a\ kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
    /home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 8653609
    Engine version: 0.102.4
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 7.19 MB
    Data read: 1.99 MB (ratio 3.61:1)
    Time: 17.547 sec (0 m 17 s)

    So I still get a detection. What am I doing wrong?

    Cheers,
    Pavel Řezníček


    _______________________________________________

    clamav-users mailing list
    [email protected]
    https://lists.clamav.net/mailman/listinfo/clamav-users


    Help us build a comprehensive ClamAV guide:
    https://github.com/vrtadmin/clamav-faq

    http://www.clamav.net/contact.html#ml


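The thread turns on whether an .fp entry in the MD5:SIZE:COMMENT form described above actually matches the file on disk. The shell functions below are an added example, not code from the thread or from the ClamAV project: fp_line builds an entry for a file the way the documents quoted above describe (comment defaulting to the file name), fp_check tests whether an existing .fp file contains an entry whose hash and size both match a given file (an entry whose size field is wrong can never match, which is a quiet way to end up with a detection that "should" be allow-listed), and fp_lint flags lines that do not have the three colon-separated fields with a 32-hex-digit hash and a numeric size. It assumes only POSIX md5sum, wc and awk; the file names and the sample file the usage note mentions are constructed for illustration.

```shell
#!/bin/sh
# Added example: build, verify and lint ClamAV .fp allow-list entries
# (MD5:SIZE:COMMENT). Not part of the mailing-list thread or of ClamAV.
# Assumes POSIX md5sum, wc and awk.

# fp_line FILE [COMMENT] -> prints "MD5:SIZE:COMMENT" for FILE.
# COMMENT defaults to the file's base name, as the quoted docs describe.
fp_line() {
    f=$1
    comment=${2:-$(basename -- "$f")}
    md5=$(md5sum -- "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')      # portable size in bytes
    printf '%s:%s:%s\n' "$md5" "$size" "$comment"
}

# fp_check FPFILE FILE -> exit 0 if some entry in FPFILE has both the
# hash AND the size of FILE, 1 otherwise. Comparing both fields matters:
# a correct hash with a wrong size is an entry that never matches.
fp_check() {
    fp=$1
    f=$2
    md5=$(md5sum -- "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    grep -q "^${md5}:${size}:" "$fp"
}

# fp_lint FPFILE -> prints each malformed line with its line number and
# exits 1 if any was found; blank lines are skipped. Checks: at least
# three colon-separated fields, a 32-hex-digit hash, a numeric size and
# no stray carriage return (a Windows line ending breaks the last field).
fp_lint() {
    awk -F: '
        NF == 0 { next }
        NF < 3 || length($1) != 32 || $1 !~ /^[0-9a-fA-F]+$/ \
               || $2 !~ /^[0-9]+$/ || $0 ~ /\r$/ {
            printf "line %d malformed: %s\n", FNR, $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Usage (constructed paths):
#   fp_line /path/to/tool.tar.xz >> /var/lib/clamav/local.fp
#   fp_lint /var/lib/clamav/local.fp
#   fp_check /var/lib/clamav/local.fp /path/to/tool.tar.xz && echo "entry matches"
```

A practical sequence when an entry seems to be ignored is fp_lint first (format), then fp_check (does any entry match this exact file, hash and size), and only then look at loading, e.g. with the --debug run Richard suggests, to see whether the database directory being read is the one the .fp file was placed in.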
