> On Wed, 20 May 2009 06:45:43 -0700
> Bill Landry <b...@inetmsg.com> wrote:
>
>> I wish ClamAV had instead opted to whitelist based on the actual
>> hexadecimal signature instead of the signature file:line:name, as that
>> would make keeping the .ign files up-to-date for a script a much easier
>> process.
>>
>> ClamAV, please consider this a feature request...  :-)
>
> Hi Bill,
>
> the .ign database was designed with the ClamAV db maintainers
> and not users in mind. It allows us to disable specific signatures
> in main.cvd until a new version is published. It requires this precise
> information about target signatures for two reasons: safety
> and speed. By requiring the line numbers and signature names
> the whitelisting mechanism is more resistant to errors (which
> could have really bad consequences) but also doesn't slow down
> loading of the databases (because we use the line numbers
> as the main filter).
>
> I don't know what your script has to do with the .ign databases
> but believe it would be much more effective and easier to implement
> any workarounds in the script instead of the clamav engine.

My script allows users to easily add bypass entries into local.ign based on
the third-party signature name they want to whitelist/bypass (this does
not apply to any "official" clamav signatures).

However, in its current implementation, there is no easy way to manage
these local.ign entries and determine with any certainty whether a
whitelisted signature has been modified, removed, or replaced.  The
complete hex signature would allow for this to be done.


I even tried adding local.ign entries like:

   junk.ndb:92:Sanesecurity.Junk.92  #2e706870223e4

With the full hex signature listed after the # sign.  And even though
clamav does not complain about this, it will not use a local.ign file
containing a bypass entry in this format.

It would also be nice if ClamAV would recognize any *.ign file and use it,
but it seems it currently will only support local.ign and daily.ign.  Any
change that would allow admins to easily manage bypass entries for
third-party database signatures would be greatly appreciated.

Bill
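
The workaround suggested in the quoted reply, done in the script rather than the engine, shown as an added example (not code from this thread or from ClamAV): the script records each whitelisted signature's hex string in its own sidecar mapping and audits the `file:line:name` entries against the current database. The sidecar, the function names and the sample data are assumptions; the `.ndb` layout assumed is `Name:Target:Offset:HexSignature`.

```python
# Added example: audit local.ign entries against hex recorded at whitelist time.
# "recorded" is a hypothetical sidecar kept by the script, not a ClamAV feature.

def parse_ign(entry):
    """Split 'db_file:line_number:signature_name', the entry form in the post."""
    db_file, lineno, name = entry.strip().split(":", 2)
    return db_file, int(lineno), name

def ndb_fields(db_line):
    """Return (name, hex_signature) from Name:Target:Offset:HexSignature[...]."""
    parts = db_line.strip().split(":")
    return (parts[0], parts[3]) if len(parts) >= 4 else None

def audit(ign_entries, recorded, databases):
    """Classify each entry as ok, moved, modified, removed or unrecorded."""
    report = {}
    for entry in ign_entries:
        if not entry.strip():
            continue
        db_file, lineno, name = parse_ign(entry)
        # Every line in the current database that still carries this name.
        found = {}
        for n, line in enumerate(databases.get(db_file, []), start=1):
            fields = ndb_fields(line)
            if fields and fields[0] == name:
                found[n] = fields[1]
        if name not in recorded:
            status = "unrecorded"      # nothing to compare against
        elif not found:
            status = "removed"         # name no longer in the database
        elif recorded[name] not in found.values():
            status = "modified"        # same name, different hex signature
        elif found.get(lineno) == recorded[name]:
            status = "ok"              # entry still points at the same signature
        else:
            status = "moved"           # same signature, line number is stale
        report[name] = status
    return report

# Constructed sample data (names and hex values are made up for illustration).
SAMPLE_DB = {"junk.ndb": [
    "Example.Junk.1:0:*:6578616d706c6531",
    "Example.Junk.3:0:*:6578616d706c6533",   # shifted up after a removal
    "Example.Junk.4:0:*:ffffffffffffffff",   # hex changed upstream
]}
SAMPLE_IGN = ["junk.ndb:1:Example.Junk.1", "junk.ndb:2:Example.Junk.2",
              "junk.ndb:3:Example.Junk.3", "junk.ndb:4:Example.Junk.4"]
SAMPLE_RECORDED = {f"Example.Junk.{i}": f"6578616d706c653{i}" for i in range(1, 5)}
```

Entries reported as `moved` can have their line number rewritten by the script; `modified` and `removed` entries need a human decision before the bypass is kept.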
