* Lyle Giese <l...@lcrcomputer.net>:

> The format of local.ign is not very intuitive, IMHO.

It's local.ign2 according to the docs.

"Creating signatures for ClamAV"
http://www.clamav.net/doc/latest/signatures.pdf

3.8 Whitelist databases

To whitelist a specific signature from the database you just add its
name into a local file called --> local.ign2 <-- stored inside the
database directory. You can additionally follow the signature name
with the MD5 of the entire database entry for this signature, eg:

Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

In such a case, the signature will no longer be whitelisted when its
entry in the database gets modified (eg. the signature gets updated to
avoid false alerts).

> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>
> The first entry is the name of the file the definition is in (minus
> the file extension). The second is the line number that the
> definition is on. And the third is the name of the definition.
> These fields are separated by ':' as you can see.

Have you tried that for a bytecode signature?
sigtool --find-sigs=BC.Exploit.CVE_2011_3412
doesn't emit a line number. Fields are not separated with : but with ;

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
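Added example (not part of the original message and not ClamAV code): a small linter that tells the two local.ign2 forms quoted from the docs apart from the three-field file:line:name form described in the quoted text, and shows when an MD5-pinned entry lapses. The sample entries are constructed, and hashing the entry's line without its trailing newline is an assumption.

```python
import hashlib
import re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

def classify(line):
    """Return (kind, signature_name, md5) for one ignore-file line."""
    fields = line.strip().split(":")
    if len(fields) == 1 and fields[0]:
        return ("name", fields[0], None)            # local.ign2: bare name
    if len(fields) == 2 and fields[0] and MD5_HEX.fullmatch(fields[1]):
        return ("pinned", fields[0], fields[1].lower())  # local.ign2: name:MD5
    if len(fields) == 3 and fields[1].isdigit() and fields[2]:
        return ("old-ign", fields[2], None)         # file:line:name form
    return ("invalid", None, None)

def entry_md5(db_entry):
    # Assumption: the MD5 covers the entry's line without its newline.
    return hashlib.md5(db_entry.rstrip("\r\n").encode()).hexdigest()

def still_ignored(ign_line, db_entry):
    """True if this local.ign2 line would still whitelist db_entry.

    db_entry is assumed to be the database line for the named signature.
    """
    kind, _name, md5 = classify(ign_line)
    if kind == "name":
        return True                  # unpinned: survives signature updates
    if kind == "pinned":
        return md5 == entry_md5(db_entry)  # lapses once the entry changes
    return False                     # not a valid local.ign2 line

# Constructed sample data (not real ClamAV signatures).
ENTRY_V1 = "Example.Constructed.Sig:0:*:6578616d706c65\n"
ENTRY_V2 = "Example.Constructed.Sig:0:*:6578616d706c6532\n"
PINNED = "Example.Constructed.Sig:" + entry_md5(ENTRY_V1)

if __name__ == "__main__":
    for line in ("Example.Constructed.Sig", PINNED,
                 "somedb:62019:Example.Constructed.Sig", "bad:entry"):
        print(classify(line)[0], still_ignored(line, ENTRY_V2), line)
```

An unpinned name keeps suppressing the signature after every update, so the pinned form is the safer choice when the whitelist entry only exists to work around one specific false positive.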