Török Edwin wrote:
> On 2009-03-19 23:38, Bill Landry wrote:
>> Török Edwin wrote:
>>
>>> On 2009-03-19 22:54, Bill Landry wrote:
>>>
>>>> Along the same vein as my last question, again, clamd.log reports:
>>>>
>>>> Database correctly reloaded (1159852 signatures)
>>>>
>>>> However, "sigtool --list-sigs" only lists 696491 signatures. It looks
>>>> to me like it is listing a combination of Official and Unofficial
>>>> signatures, but obviously not listing ALL signatures. Which signatures
>>>> does sigtool not list in its output?
>>>>
>>> The signatures from safebrowsing.c[vl]d don't have individual names,
>>> they are called either
>>> Safebrowsing.Suspected-malware_safebrowsing.clamav.net or
>>> Safebrowsing.Suspected-phishing_safebrowsing.clamav.net.
>>>
>>> $ sigtool -i /usr/local/share/clamav/safebrowsing.cld | grep Signatures
>>> Signatures: 463108
>>>
>> So then there is no way to bypass a false positive (local.ign) from the
>> SafeBrowsing signatures?
>
> They can be whitelisted by using .wdb entries [1], which allows you to
> use POSIX regular expressions to whitelist any URL.
> (the original URL, not the hash).
>
> Since the entries in safebrowsing.cld change often, whitelisting based on
> position in the .cld wouldn't work.
> If you need some local.ign-like whitelisting of specific entries, I
> think that could be implemented too.

That would be great, please do that!

> The clamscan --debug output reports both the URL and the hash that
> caused the detection, and adding the hash to a local.wdb file could
> whitelist that particular hash.
> Perhaps we could distribute a script in contrib/ that would generate a
> whitelist entry given a sample. Would that work for you?

A script would be nice, as whitelisting a hash would be much preferred to
trying to write a regex that would be specific enough to only whitelist a
single URL, especially when you have no way of determining what other URLs
are included within the SafeBrowsing signatures.

> P.S.:
> If you report a false positive on the clamav.net/sendvirus page, it
> can be solved by simply dropping the corresponding entry with the next
> .cld update.

As experience has shown, that can take a while sometimes. But a script or
some other mechanism of whitelisting SafeBrowsing signatures would be a very
good thing.

Thanks,

Bill