On 02/07/12 15:05, Bill Maidment wrote:
-----Original message-----
From:   Ralf Hildebrandt<ralf.hildebra...@charite.de>
Sent:   Wed 08-02-2012 00:16
Subject:        [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To:     clamav-users@lists.clamav.net;
Hi!

I'm trying to disable this signature, since it's giving me FPs for
some XLS files (yes, I already submitted it as FP today):

mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
[0001114551.cbc BYTECODE]
BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(0&1);0:d0cf11e0a1b11ae1;*:1c000404

mail2:/var/lib/clamav# cat local.ign2
BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
BC.Exploit.CVE_2011_3412
CVE_2011_3412

(I tried 3 different ways of disabling the signature)

I restarted clamd, but still the mails are stopped as infected:

Tue Feb  7 13:33:09 2012 ->
/var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004:
BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
Tue Feb  7 13:33:09 2012 ->
/var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002:
BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND

What am I doing wrong here? Running clamav 0.97.3

It's the same story here. We've had to switch off all bytecode rules in the
conf file. Not ideal.

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
The format of local.ign is not very intuitive, IMHO.

INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com

The first entry is the name of the file the definition is in (minus the file extension). The second is the line number that the definition is on. And the third is the name of the definition. These fields are separated by ':' as you can see.

The format apparently was chosen so that if you forgot to delete the file, no harm will be done when the definition disappears. But one of the side effects is that a simple update that changes the line number for that definition will also render the local.ign useless.

It does work and I have used it, but every time I need it, it takes me more than one try to get it right. Especially since I only use it once every 3 or 4 months at best and it's case sensitive.

Lyle Giese
LCR Computer Services, Inc.

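The two failure modes Lyle describes for local.ign, a line number that no longer matches after a database update and a name that differs only in case, are exactly what a small checker can catch before clamd is restarted. The script below is an added example and is not ClamAV's own code; it treats the local.ign format purely as described in the thread (database file name without extension, 1-based line number, signature name, colon-separated, name matched case-sensitively) and reads the signature name as the first colon-separated field of each database line, as in .ndb files. The database contents and the local.ign it audits are constructed for the example, and the names `parse_ign_line`, `check_entry` and `audit_ign` are this example's own.

```python
"""Check ClamAV local.ign entries against the database files they refer to.

Added example, not ClamAV's own code. It treats the local.ign format exactly
as described in the thread: one entry per line, "dbfile:lineno:signame",
where dbfile is the database file name without extension, lineno is the
1-based line of the signature in that file, and signame is matched
case-sensitively. The database contents below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for a .ndb database ("SigName:Target:Offset:Hex" per
# line); only the first colon-separated field, the signature name, matters here.
SAMPLE_DBS: dict[str, list[str]] = {
    "INetMsg-SpamDomains-2m": [
        "INetMsg.SpamDomain-2w.example-a.com:3:*:6578616d706c652d61",
        "INetMsg.SpamDomain-2w.example-b.com:3:*:6578616d706c652d62",
        "INetMsg.SpamDomain-2w.onlinehome-server.com:3:*:6f6e6c696e65686f6d65",
    ],
}


@dataclass(frozen=True)
class IgnEntry:
    db: str
    line: int  # 1-based, as written in local.ign
    name: str

    def render(self) -> str:
        return f"{self.db}:{self.line}:{self.name}"


def parse_ign_line(raw: str) -> IgnEntry | None:
    """Parse one local.ign line; returns None for blank lines and comments."""
    text = raw.strip()
    if not text or text.startswith("#"):
        return None
    parts = text.split(":")
    if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) < 1:
        raise ValueError(f"malformed local.ign entry: {raw!r}")
    return IgnEntry(db=parts[0], line=int(parts[1]), name=parts[2])


def sig_name(db_line: str) -> str:
    """The signature name is the first field of a database line."""
    return db_line.split(":", 1)[0]


def check_entry(entry: IgnEntry, dbs: dict[str, list[str]]) -> tuple[str, IgnEntry | None]:
    """Classify one entry against the loaded databases.

    Returns (status, fixed) where status is one of:
      "ok"      the named signature sits on the given line of the given db
      "moved"   the name exists in that db but on another line (an update
                shifted it); fixed carries the corrected line number
      "case"    the name matches only case-insensitively; fixed carries the
                exact spelling from the db, since the entry is case-sensitive
      "missing" the db is unknown or the name is not in it; fixed is None
    """
    lines = dbs.get(entry.db)
    if lines is None:
        return "missing", None
    if 1 <= entry.line <= len(lines) and sig_name(lines[entry.line - 1]) == entry.name:
        return "ok", entry
    for idx, line in enumerate(lines, start=1):
        if sig_name(line) == entry.name:
            return "moved", IgnEntry(entry.db, idx, entry.name)
    for idx, line in enumerate(lines, start=1):
        if sig_name(line).lower() == entry.name.lower():
            return "case", IgnEntry(entry.db, idx, sig_name(line))
    return "missing", None


def audit_ign(ign_text: str, dbs: dict[str, list[str]]) -> list[tuple[str, str, str | None]]:
    """Run check_entry over a whole local.ign; returns (status, original, fixed) per entry."""
    report = []
    for raw in ign_text.splitlines():
        entry = parse_ign_line(raw)
        if entry is None:
            continue
        status, fixed = check_entry(entry, dbs)
        report.append((status, entry.render(), fixed.render() if fixed else None))
    return report


# Constructed local.ign: a stale line number, a case mismatch, a correct entry
# and a name that no longer exists in the database.
SAMPLE_IGN = """\
# local.ign written before the last database update
INetMsg-SpamDomains-2m:2:INetMsg.SpamDomain-2w.onlinehome-server.com
INetMsg-SpamDomains-2m:1:inetmsg.spamdomain-2w.example-a.com
INetMsg-SpamDomains-2m:2:INetMsg.SpamDomain-2w.example-b.com
INetMsg-SpamDomains-2m:9:INetMsg.SpamDomain-2w.gone.example
"""

if __name__ == "__main__":
    for status, original, fixed in audit_ign(SAMPLE_IGN, SAMPLE_DBS):
        arrow = f"  ->  {fixed}" if fixed and fixed != original else ""
        print(f"{status:8} {original}{arrow}")
```

Running it prints one line per entry: the first is reported as `moved` with the line number corrected to 3, the second as `case` with the exact spelling from the database, the third as `ok`, and the last as `missing`. Run it against the real database directory after every freshclam update and before restarting clamd, and the stale-line-number problem Lyle describes is caught instead of silently disabling the exception.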