Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-03 Thread Al Varnell via clamav-users
Sent from my iPad

On Jan 3, 2020, at 00:32, i...@schroeffu.ch wrote:
> 
>>> And report the false positive to the ClamAV team?
>> 
>> All false positives from SecuriteInfo.com signatures should be sent to
>> webmas...@securiteinfo.com.
>> Thank you.
> 
> As this false positive was from unofficial signatures I am going to report it
> to webmas...@securiteinfo.com.

It’s unofficial because it’s not from ClamAV, but it is from SecuriteInfo, so
it’s very much appropriate to report it to them as an FP.

-Al-

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-03 Thread info
>> And report the false positive to the ClamAV team?
> 
> All false positives from SecuriteInfo.com signatures should be sent to
> webmas...@securiteinfo.com.
> Thank you.

As this false positive was from unofficial signatures I am going to report it to
webmas...@securiteinfo.com.

>> All good :-) Going to remove javascript.ndb too. Sorry again.
> 
> Rather than deleting entire signature databases because of one false
> positive, why don't you either:
> 
> 1. Whitelist the file (if it's static)
> or
> 2. Whitelist the signature(s)
> 
> Both are a quick google search and very easy to do...

Thank you, but for the moment my setup is using ClamAV only for viruses/malware
(and to quarantine them and report them to admins); the mentioned false-positive
signature was against spam. For the moment I am strictly using SpamAssassin for
antispam and ClamAV for antivirus. This will change later this year when I
change to rspamd for antispam.

But yes, for sure you are right about whitelisting; again, thanks for the hints.


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread Arnaud Jacques

Hello,

On 03/01/2020 at 00:06, G.W. Haywood via clamav-users wrote:

> Hi there,
> 
> On Thu, 2 Jan 2020, J.R. via clamav-users wrote:
> 
>>> All good :-) Going to remove javascript.ndb too. Sorry again.
>> 
>> Rather than deleting entire signature databases because of one false
>> positive, why don't you either:
>> 
>> 1. Whitelist the file (if it's static)
>>  or
>> 2. Whitelist the signature(s)
>> ...
> 
> And report the false positive to the ClamAV team?


All false positives from SecuriteInfo.com signatures should be sent to 
webmas...@securiteinfo.com.

Thank you.

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 2 Jan 2020, J.R. via clamav-users wrote:

>> All good :-) Going to remove javascript.ndb too. Sorry again.
> 
> Rather than deleting entire signature databases because of one false
> positive, why don't you either:
> 
> 1. Whitelist the file (if it's static)
>  or
> 2. Whitelist the signature(s)
> ...

And report the false positive to the ClamAV team?

--

73,
Ged.


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread J.R. via clamav-users
> All good :-) Going to remove javascript.ndb too. Sorry again.

Rather than deleting entire signature databases because of one false
positive, why don't you either:

1. Whitelist the file (if it's static)
  or
2. Whitelist the signature(s)

Both are a quick google search and very easy to do...


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread info
Thx G.W. and J.R for your answers.

Yes, I deleted the line in /etc/clamav/freshclam.conf ~2 weeks ago already;
before, it was:

DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfo.ign2
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/javascript.ndb
#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(personal url path here, removed)/securiteinfohtml.hdb ##deleted this line completely
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfoascii.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfoold.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfopdf.hdb

> Perhaps freshclam simply replaced the deleted database, did you check?

Yes, the file is not re-created in /var/lib/clamav/securiteinfohtml.hdb

But even after a server reboot the signatures from that file are still hitting,
for example:

Wed, 01 Jan 2020 21:45:17 CET
Clamd: msg-137649-12.html was infected: SecuriteInfo.com.HTML-8188.UNOFFICIAL

Update: Ohh, just while writing this mail I searched for "HTML-8188" in every
file at /var/lib/clamav/* and now I see that javascript.ndb contains this
signature too. My fault! My guess was that signatures named HTML-* are from
securiteinfohtml.hdb ... Sorry!

root@XXX01:/var/lib/clamav# grep -Ri HTML-8188 *
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f636c636b2e7275
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f772e6d617a696e67657267696a6f6e2e636f6d

All good :-) Going to remove javascript.ndb too. Sorry again.
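As an added example (not code from the thread, from ClamAV or from SecuriteInfo) covering J.R.'s whitelisting suggestion and the grep hunt above: a small POSIX shell helper set that finds every database file carrying a signature name, checks whether an active DatabaseCustomURL line in freshclam.conf would simply re-fetch a deleted database, and whitelists a single signature through local.ign2 instead of deleting whole databases. Assumptions: the .ign2 entry uses the signature name as stored in the database (without the ".UNOFFICIAL" suffix clamd appends when reporting), and all file contents below are constructed samples.

```shell
# Added example, not code from the thread or from ClamAV/SecuriteInfo.
# All sample database and config contents are constructed for the demo.

# find_sig_dbs DBDIR SIGNAME: print database files whose signature-name field
# equals SIGNAME (.ndb: name is field 1; .hdb/.hsb: name is field 3).
find_sig_dbs() {
    for f in "$1"/*.ndb "$1"/*.hdb "$1"/*.hsb; do
        [ -f "$f" ] || continue
        case "$f" in *.ndb) n=1 ;; *) n=3 ;; esac
        awk -F: -v n="$n" -v s="$2" '$n == s { ok = 1; exit } END { exit !ok }' "$f" \
            && basename "$f"
    done
    return 0
}
# would_redownload CONF DBFILE: succeed if an active (uncommented)
# DatabaseCustomURL line still points at DBFILE, i.e. freshclam will fetch it again.
would_redownload() {
    grep -E '^[[:space:]]*DatabaseCustomURL[[:space:]]' "$1" |
        awk -v want="$2" '{ n = split($2, p, "/"); if (p[n] == want) ok = 1 } END { exit !ok }'
}
# whitelist_sig DBDIR SIGNAME: append SIGNAME to local.ign2 (one name per
# line) unless already present. Assumption: the name goes in as stored in the
# database, without the ".UNOFFICIAL" suffix clamd appends when reporting.
whitelist_sig() {
    ign="$1/local.ign2"; name=${2%.UNOFFICIAL}
    touch "$ign"
    grep -qxF "$name" "$ign" || echo "$name" >> "$ign"
}
# setup_demo: constructed database directory mirroring the thread, with the
# HTML-8188 signature in both javascript.ndb and securiteinfohtml.hdb and a
# freshclam.conf whose securiteinfohtml.hdb line is commented out.
setup_demo() {
    d=$(mktemp -d)
    printf 'SecuriteInfo.com.HTML-8188:3:*:2f2f636c636b2e7275\n' > "$d/javascript.ndb"
    printf '0123456789abcdef0123456789abcdef:68:SecuriteInfo.com.HTML-8188\n' > "$d/securiteinfohtml.hdb"
    printf '%s\n' 'DatabaseMirror database.clamav.net' \
        'DatabaseCustomURL http://www.securiteinfo.com/get/signatures/KEY-PLACEHOLDER/javascript.ndb' \
        '#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/KEY-PLACEHOLDER/securiteinfohtml.hdb' \
        > "$d/freshclam.conf"
    echo "$d"
}

demo=$(setup_demo)
echo "databases carrying SecuriteInfo.com.HTML-8188:"; find_sig_dbs "$demo" SecuriteInfo.com.HTML-8188
would_redownload "$demo/freshclam.conf" javascript.ndb && echo "javascript.ndb: freshclam still fetches it"
would_redownload "$demo/freshclam.conf" securiteinfohtml.hdb || echo "securiteinfohtml.hdb: not fetched"
whitelist_sig "$demo" SecuriteInfo.com.HTML-8188.UNOFFICIAL
cat "$demo/local.ign2"
```

clamd only picks up a new or changed local.ign2 on its next database reload, so after editing it trigger a reload (for example with clamdscan --reload) or restart clamd.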


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 2 Jan 2020, i...@schroeffu.ch wrote:

> ... custom signatures file securiteinfohtml.hdb in ClamAV with false
> positives, so I deleted the file /var/lib/clamav/securiteinfohtml.hdb
> and restarted clamav (freshclam, clamd).  But ClamAV seems still
> using this signature DB, it is still detecting viruses from this
> deleted database.  So, somewhere this database is still not purged
> or saved in a place I don't know.

Perhaps freshclam simply replaced the deleted database, did you check?

> How do I purge a CustomDatabaseURL correctly?

If my guess is correct, in addition to removing the database itself
you need to tell freshclam not to download the securiteinfohtml.hdb
database.  Either remove or comment the DatabaseCustomURL line (not
CustomDatabaseURL) in your freshclam.conf file.

> ClamAV 0.101.4 from default Server Repo

A lot has changed since that version of ClamAV, I recommend upgrading.

--

73,
Ged.


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread J.R. via clamav-users
> How do I purge a CustomDatabaseURL correctly?

Did you remove that DB from your FreshClam config and / or
clamav-unofficial-signatures script so it won't re-download it?


[clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread info
Hi ClamAV Geeks,

I have had the custom signatures file securiteinfohtml.hdb in ClamAV with false
positives, so I deleted the file /var/lib/clamav/securiteinfohtml.hdb and
restarted clamav (freshclam, clamd). But ClamAV still seems to be using this
signature DB; it is still detecting viruses from this deleted database. So,
somewhere this database is still not purged, or it is saved in a place I don't know.

How do I purge a CustomDatabaseURL correctly?

ClamAV 0.101.4 from default Server Repo
OS: Ubuntu 18.04 Server

Thanks for any help in advance
Schroeffu
