On 2009-03-19 23:38, Bill Landry wrote:
> Török Edwin wrote:
>
>> On 2009-03-19 22:54, Bill Landry wrote:
>>
>>> Along the same vein as my last question, again, clamd.log reports:
>>>
>>> Database correctly reloaded (1159852 signatures)
>>>
>>> However, "sigtool --list-sigs" only lists 696491 signatures. It looks
>>> to me like it is listing a combination of Official and Unofficial
>>> signatures, but obviously not listing ALL signatures. Which signatures
>>> does sigtool not list in its output?
>>>
>>>
>> The signatures from safebrowsing.c[vl]d don't have individual names,
>> they are called either
>> Safebrowsing.Suspected-malware_safebrowsing.clamav.net or
>> Safebrowsing.Suspected-phishing_safebrowsing.clamav.net.
>>
>> $ sigtool -i /usr/local/share/clamav/safebrowsing.cld | grep Signatures
>> Signatures: 463108
>>
>
> So then there is no way to bypass a false positive (local.ign) from the
> SafeBrowsing signatures?

They can be whitelisted by using .wdb entries [1], which allows you to use
POSIX regular expressions to whitelist any URL (the original URL, not
the hash).
Since the entries in safebrowsing.cld change often, whitelisting based on
position in the .cld wouldn't work.

If you need some local.ign-like whitelisting of specific entries, I
think that could be implemented too.
The clamscan --debug output reports both the URL and the hash that
caused the detection, and adding the hash to a local.wdb file could
whitelist that particular hash.
Perhaps we could distribute a script in contrib/ that would generate a
whitelist entry given a sample.

Would that work for you?

P.S.: If you report a false positive on the clamav.net/sendvirus page,
it can be solved by simply dropping the corresponding entry with the
next .cld update.

[1] http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Fdocs%2Fphishsigs_howto.pdf&rev=0&sc=0

Best regards,
--Edwin