Re: [Clamav-users] False Positive W97M.Static
> Hmm... I can't get it to work either :\

Well, doesn't work on Sanesecurity sigs now either: created a fake sample email and did a quick test

local.ign:

phish.ndb:9492:Sanesecurity.Phishing.Bank.9492

c:\tmp\test2.eml: Sanesecurity.Phishing.Bank.9492.UNOFFICIAL FOUND

grep Sanesecurity.Phishing.Bank.9492 data\phish.ndb -n
9492:Sanesecurity.Phishing.Bank.9492:4:*:

So, line number is ok, etc.

This *was* working ( 2008-10-06) as I renamed all my sigs, testing the .ign file and made the announcement... so, perhaps a remote disable or a recent update?

Cheers,

Steve
Sanesecurity
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] False Positive W97M.Static
On Thu, 30 Oct 2008 14:40:47 - (GMT)
Steve Basford [EMAIL PROTECTED] wrote:

> This *was* working ( 2008-10-06) as I renamed all my sigs, testing the .ign
> file and made the announcement... so, perhaps a remote disable or a recent
> update?

The local whitelisting feature is currently not functional, the problem will be fixed in 0.94.1 which is scheduled for November 3rd.

--
   oo.    Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
  \..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\ /\  Thu Oct 30 16:32:36 CET 2008
Re: [Clamav-users] False Positive W97M.Static
> On Thu, 30 Oct 2008 14:40:47 - (GMT)
> The local whitelisting feature is currently not functional, the problem
> will be fixed in 0.94.1 which is scheduled for November 3rd.

Thanks for the confirmation Tomasz.
Re: [Clamav-users] False Positive W97M.Static
David Shrimpton wrote:
> I'm getting a run of what appear to be false positives on W97M.Static
> in word docs, since this signature was updated on 18/10/2008.

<AOL>Me too.</AOL>

> Is there a way of disabling it ?

I would like to know as well.

jon

--
Jon Milliren
Systems Administrator
University of Pittsburgh
Office of Institutional Advancement
Re: [Clamav-users] False Positive W97M.Static
Jon Milliren wrote:
> David Shrimpton wrote:
>> I'm getting a run of what appear to be false positives on W97M.Static
>> in word docs, since this signature was updated on 18/10/2008.
>
> <AOL>Me too.</AOL>
>
>> Is there a way of disabling it ?
>
> I would like to know as well.
>
> jon

Submit false positives to the clamav team for analysis.
http://www.clamav.net/sendvirus/

It appears this has already been fixed - I can't find a signature named W97M.Static in the current clam database.

For future reference, whitelisting a specific file or disabling a specific signature is described in signatures.pdf section 2.5:
http://www.clamav.net/doc/latest/signatures.pdf

--
Noel Jones
Re: [Clamav-users] False Positive W97M.Static
Hi there,

On Wed, 29 Oct 2008 David Shrimpton wrote:

> Surely this signature is incorrect .
> Is there a way of disabling it ?

See section 2.5 of

http://www.clamav.net/doc/latest/signatures.pdf

--

73,
Ged.
Re: [Clamav-users] False Positive W97M.Static
On Wed, 29 Oct 2008, Noel Jones wrote:

> Submit false positives to the clamav team for analysis.
> http://www.clamav.net/sendvirus/

Thanks, Was done earlier.

> It appears this has already been fixed - I can't find a signature named
> W97M.Static in the current clam database.

W97M.Static was removed from database at 200810292051 according to my logs.

> For future reference, whitelisting a specific file or disabling a specific
> signature is described in signatures.pdf section 2.5:
> http://www.clamav.net/doc/latest/signatures.pdf

This suggests creating a local.ign file eg

daily.ndb:319:W97M.Static

where 319 is line number in daily.ndb of W97M.Static signature.

I tried this earlier but it did not work although clamscan appears to indicate it was loading the file.

There is a daily.ign in the daily.cld and I was wondering if I need to pack local.ign into daily.cld somehow.

David
Re: [Clamav-users] False Positive W97M.Static
David Shrimpton wrote:
> This suggests creating a local.ign file eg
> daily.ndb:319:W97M.Static
> where 319 is line number in daily.ndb of W97M.Static signature.

Yes, assuming the unwanted signature is in daily.ndb

> I tried this earlier but it did not work although clamscan appears to
> indicate it was loading the file.

Sounds as if you did it correctly, I have no insight into why it didn't work for you. Only thing I would add is the local.ign file should have the same owner, group and permissions as the other clam signature files.

> There is a daily.ign in the daily.cld and I was wondering if I need to
> pack local.ign into daily.cld somehow.

No, the .cld format is signed and unmodifiable by end-users.

--
Noel Jones
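
The local.ign entry format discussed above (database file, line number as reported by grep -n, signature name) can be generated and re-checked mechanically, which helps separate a wrong or outdated entry from a scanner that ignores a correct one. The following is an added example, not part of the original thread and not ClamAV code; it assumes the .ndb lines have already been read from an unpacked database, and the signature lines in SAMPLE_NDB are constructed sample data.

```python
# Added example: build and sanity-check local.ign entries ("db:line:signame").
# The signature lines below are constructed sample data, not real ClamAV signatures.
SAMPLE_NDB = [
    "Constructed.Sig.A:0:*:deadbeef",
    "Constructed.Sig.B:4:*:cafebabe",
    "Constructed.Sig.C:0:*:0badf00d",
]


def find_signature(ndb_lines, sig_name):
    """Return the 1-based line number (as grep -n reports it) or None."""
    for lineno, line in enumerate(ndb_lines, start=1):
        # In an .ndb line the signature name is the first colon-separated field.
        if line.split(":", 1)[0] == sig_name:
            return lineno
    return None


def make_ign_entry(db_name, ndb_lines, sig_name):
    """Build the local.ign line for sig_name in the db:line:signame form."""
    lineno = find_signature(ndb_lines, sig_name)
    if lineno is None:
        raise LookupError(f"{sig_name} not found in {db_name}")
    return f"{db_name}:{lineno}:{sig_name}"


def check_ign_entry(entry, databases):
    """Classify one local.ign line against {db_name: [ndb lines]}."""
    parts = entry.strip().split(":")
    if len(parts) != 3 or not parts[1].isdecimal():
        return "malformed"
    db_name, lineno, sig_name = parts[0], int(parts[1]), parts[2]
    lines = databases.get(db_name)
    if lines is None:
        return "missing-db"
    if 1 <= lineno <= len(lines) and lines[lineno - 1].split(":", 1)[0] == sig_name:
        return "ok"
    # Name exists on another line: the database changed since the entry was written.
    if find_signature(lines, sig_name) is not None:
        return "stale-line"
    return "missing-signature"  # e.g. the signature was removed from the database


if __name__ == "__main__":
    dbs = {"daily.ndb": SAMPLE_NDB}
    print(make_ign_entry("daily.ndb", SAMPLE_NDB, "Constructed.Sig.B"))
    for e in ("daily.ndb:2:Constructed.Sig.B", "daily.ndb:3:Constructed.Sig.B",
              "daily.ndb:2:Gone.Sig"):
        print(e, "->", check_ign_entry(e, dbs))
```

An entry that checks as "ok" here but still produces a detection points at the scanner rather than at the entry.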
Re: [Clamav-users] False Positive W97M.Static
On Wed, 29 Oct 2008, Noel Jones wrote:

> David Shrimpton wrote:
>> This suggests creating a local.ign file eg
>> daily.ndb:319:W97M.Static
>> clamscan appears to indicate it was loading the file.
>
> Sounds as if you did it correctly, I have no insight into why it didn't
> work for you. Only thing I would add is the local.ign file should have
> the same owner, group and permissions as the other clam signature files.

I tried testing with another signature now that W97M.Static is gone . eg

main.ndb:2541:W97M.Marker

Doesn't work even if local.ign has same permissions and ownership.

clamscan appears to load the file still:

LibClamAV debug: Loading databases from /opt/mailhub9/clamav/share/clamav
LibClamAV debug: /opt/mailhub9/clamav/share/clamav/local.ign loaded
LibClamAV debug: in cli_cvdload()

David
Re: [Clamav-users] False Positive W97M.Static
David Shrimpton wrote:
> On Wed, 29 Oct 2008, Noel Jones wrote:
>
>> David Shrimpton wrote:
>>> This suggests creating a local.ign file eg
>>> daily.ndb:319:W97M.Static
>>> clamscan appears to indicate it was loading the file.
>>
>> Sounds as if you did it correctly, I have no insight into why it didn't
>> work for you. Only thing I would add is the local.ign file should have
>> the same owner, group and permissions as the other clam signature files.
>
> I tried testing with another signature now that W97M.Static is gone . eg
>
> main.ndb:2541:W97M.Marker
>
> Doesn't work even if local.ign has same permissions and ownership.
>
> clamscan appears to load the file still:
>
> LibClamAV debug: Loading databases from /opt/mailhub9/clamav/share/clamav
> LibClamAV debug: /opt/mailhub9/clamav/share/clamav/local.ign loaded
> LibClamAV debug: in cli_cvdload()
>
> David

Hmm... I can't get it to work either :\

--
Noel Jones