Jason Bertoch wrote:
>> -----Original Message-----
>> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Bill Landry
>> Sent: Wednesday, May 20, 2009 8:27 AM
>> To: sanesecur...@freelists.org; clamav-users@lists.clamav.net
>> Subject: Re: [Clamav-users] Deletion of local.ign
>>
>>
>> The local.ign file contains signatures that the user would like ClamAV
>> to bypass when scanning a file due to issues like false-positives.
>> This is a very short-lived option as the signatures as contained in
>> local.ign require several fields:
>>
>> file_name : line_number : signature_name
>>
>> For example, a local.ign entry might look like the following:
>>
>> winnow_spam_complete.ndb:24:winnow.spam.ts.xmailer.hc.8
>>
>> The reason these are short-lived entries is that the actual line
>> placement of an individual signature within a third-party signature
>> database can change with each update of the database, thereby
>> nullifying the local.ign whitelist entry, as the original signature
>> line placement within the signature database may have changed.
>>
>> The local.ign entries are really meant to be a very short-term option
>> to bypass a signature until the signature writer can either modify the
>> signature or remove it from the particular signature database.
>>
>> Currently, if the clamav-unofficial-sigs script finds that a local.ign
>> file exists, and its last timestamp (last change/modification time) is
>> older than 24 hours, it deletes the file as the entries are very likely
>> no longer valid.
>>
>> With that said, if clamav-unofficial-sigs script users would like this
>> feature in the script to be timeframe configurable, or even to have the
>> ability to disable it (or both), let me know and I will make this
>> available with the next update release of the script.
>>
>
> The logic makes sense, but it seems that management of that file should be
> left to the admin. It may take an unknown amount of time for the bad
> signature to be removed. A nice feature to the script might be to add
> checks for each entry in the file to see if any are still valid before
> deleting.

I actually put this logic in my script but then removed it once I watched the ClamAV webinar on signature making. In order for a *.ign entry to be valid, it MUST match the filename, signature name, AND the signature line placement in the database file. So, the problem with checking to see if the .ign entry still resides in the database file or not has a flaw. As a signature writer, if I have a signature that, for example, is called:

    Spam.Email.123:25:26f757073

and someone reports this as a false positive and I either modify the signature (meaning it's still there and the script finds it and thus leaves the whitelist entry in the .ign file - now unnecessarily whitelisted), or I replace it with a new entry of the same name (and again the script finds it and thus leaves the whitelist entry in the .ign file), we run into all kinds of potential hassles.

I wish ClamAV had instead opted to whitelist based on the actual hexadecimal signature instead of the signature file:line:name, as that would make keeping the .ign files up-to-date for a script a much easier process. ClamAV, please consider this a feature request... :-)

Bill
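
The validity rule described in this thread (file name, signature name and line placement must all match), as an added shell example that is not part of the original messages or of the clamav-unofficial-sigs script. The function names, the sample database and its signature names are constructed for illustration, and the code assumes the signature name is the first colon-separated field of each database line, as in .ndb files.

```shell
#!/bin/sh
# Added example: classify a local.ign entry (file_name:line_number:signature_name).
# Assumption: the signature name is the first colon-separated field of each
# database line, as in .ndb files.
check_ign_entry() {
    db_dir=$1; entry=$2
    file=${entry%%:*}; rest=${entry#*:}
    line=${rest%%:*}; name=${rest#*:}
    case $line in ''|*[!0-9]*) echo malformed; return 0 ;; esac
    [ -f "$db_dir/$file" ] || { echo nodb; return 0; }
    # "valid" means only that the name sits on that line; a signature modified
    # in place under the same name still reports valid.
    awk -F: -v want="$name" -v ln="$line" '
        $1 == want { if (NR == ln) at = 1; else if (!other) other = NR }
        END {
            if (at) print "valid"
            else if (other) print "moved:" other
            else print "missing"
        }' "$db_dir/$file"
}

# Constructed sample database (hypothetical names and hex bodies), written to
# a temporary directory whose path is printed.
make_sample_db() {
    d=$(mktemp -d) || return 1
    cat > "$d/example.ndb" <<'EOF'
Example.Spam.A:4:*:6162636465
Example.Spam.New:4:*:7172737475
Example.Spam.B:4:*:6667686970
EOF
    echo "$d"
}

# Demo: one entry still in place, one shifted by an inserted line, one whose
# signature was removed, and one pointing at a database that is not present.
dir=$(make_sample_db)
for e in example.ndb:1:Example.Spam.A example.ndb:2:Example.Spam.B \
         example.ndb:3:Example.Spam.Gone other.ndb:1:Example.Spam.A; do
    printf '%s -> %s\n' "$e" "$(check_ign_entry "$dir" "$e")"
done
rm -rf "$dir"
```

An entry reported as moved is the case from the thread where a database update has shifted the signature's line and nullified the whitelist entry.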