On Feb 8, 2012, at 7:25 AM, Yoshihara Takao wrote:

> Hi all,
>
> Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux
> 6.1 (i686).
> Since around a month ago, whenever the daily clamscan is finished, the same
> following False Positive has been detected and the files have been
> mandatorily deleted:
>
> /etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
> /etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
> /etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
>
> I thought this issue was an FP and reported it to the site below, but it is
> still detected even after I update the .cvd file, and no fix seems to have
> been provided.
Snort includes rules which look for malware in network traffic. These rules contain patterns which another scanner like ClamAV will correctly associate with malware. This isn't a false positive, it's a legitimate match.

> I temporarily exclude the "/etc/snort/rules" directory from the target of
> clamscan. What should I do later?

You should continue to exclude snort's rules from clamscan / clamdscan.

What you're doing is effectively the same thing as installing two different virus scanners on the same box. If you don't make an effort to exclude one scanner's virus database location from being scanned by the other scanner, and vice-versa, then you will end up with them trying to quarantine or delete each other's malware database files.

Regards,
-- 
-Chuck
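The exclusion Chuck recommends, written out as a small added example (not code from the thread or from the ClamAV project): `clamscan --exclude-dir` for the daily scan and the matching `ExcludePath` directive for clamd, both of which take a regular expression. The scan root `/`, the `--remove` flag, the `/etc/clamd.conf` path and the `demo` helper are assumptions; only `/etc/snort/rules` comes from the thread.

```shell
#!/bin/sh
# Assumption: /etc/snort/rules is the Snort rule directory named in the thread.
SNORT_RULES='/etc/snort/rules'

# Command line for the daily clamscan run. --exclude-dir takes a regular
# expression matched against the directory path; anchoring it with ^ keeps
# it from also matching something like /home/user/etc/snort/rules.
# --remove is assumed to be what deleted the rule files in the thread, so keep
# it only if automatic deletion is really wanted for the rest of the tree.
build_clamscan_cmd() {
    echo "clamscan -r --infected --remove --exclude-dir='^${SNORT_RULES}' /"
}

# Idempotently add the equivalent clamd.conf directive so clamdscan (and
# on-access scanning, if enabled) skips the same directory. ExcludePath is
# also a regular expression. Prints how many copies of the line exist
# afterwards; a correct run always leaves exactly one.
ensure_exclude_path() {
    conf="$1"
    directive="ExcludePath ^${SNORT_RULES}/"
    if ! grep -qxF "$directive" "$conf"; then
        printf '%s\n' "$directive" >> "$conf"
    fi
    grep -cxF "$directive" "$conf"
}

# Self-check against a constructed config file rather than the live
# /etc/clamd.conf (assumed location), showing the second call is a no-op.
demo() {
    tmp=$(mktemp)
    printf 'LogFile /var/log/clamd.log\n' > "$tmp"   # constructed sample config
    ensure_exclude_path "$tmp"   # prints 1
    ensure_exclude_path "$tmp"   # still prints 1: no duplicate line added
    rm -f "$tmp"
}
```

Apply the directive to the real clamd.conf and restart clamd afterwards; clamscan reads no config file, so the cron entry has to carry the `--exclude-dir` flag itself.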