On 11.11.2013 21:15, Benny Pedersen wrote:
> report them to sanesecurity maillist, not clamav maillist since it's
> unofficial sigs :)

Benny, that's not the point here. In fact a feature does not work as expected.
This must be discussed here.

Funny, I just have the same issue here!

We get messages with attachments created by our own software.
The attachments have the same name but have different hashes and fingerprints.
But all are zip files and all are found as "Worm.Bagle.H-zippwd-1" by clamav.
Reporting them as false positive is not an option because I can't send >10000 samples...

So we tried to whitelist the virusname for a fast solution.

$ freshclam --version
ClamAV 0.98/18100/Tue Nov 12 06:40:40 2013

$ clamscan /tmp/falsepositive
/tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2424441
Engine version: 0.98
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 2.72 MB
Data read: 1.56 MB (ratio 1.75:1)
Time: 7.733 sec (0 m 7 s)

We added a file "local.ign2" containing one line: "Worm.Bagle.H-zippwd-1"
clamscan called again and - nothing changed. Still marked as virus...

I added a second line: "Eicar-Test-Signature"

$ cat ~clamav/local.ign2
Eicar-Test-Signature
Worm.Bagle.H-zippwd-1

Now the EICAR file is no longer marked as virus:

$ clamscan /tmp/EICAR.COM
/tmp/EICAR.COM: OK
...

But it looks like clamav does not load/use/recognize all entries:

$ clamscan --debug /tmp/falsepositive 2>&1 | grep -e 'local.ign2' -e 'Ignoring signature'
LibClamAV debug: /var/lib/clamav/local.ign2 loaded
LibClamAV debug: Ignoring signature Eicar-Test-Signature

Any hints/ideas?

Thanks

--
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Court of registration: Nürnberg, GenReg Nr.70

Executive Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer

Chairman of the Supervisory Board: Reinhard Verholen
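
A check for the symptom described in this message, as an added example that is not part of the original post: it compares the entries of an ignore file with the "Ignoring signature" lines from `clamscan --debug` and prints the entries that were never reported. The function name `unapplied_ign2`, the file names and the one-name-per-line layout are assumptions; the sample files are constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a ClamAV ignore list
# against the "Ignoring signature" lines printed by `clamscan --debug`.

# unapplied_ign2 IGN2_FILE DEBUG_LOG
# Prints every IGN2_FILE entry that has no matching
# "LibClamAV debug: Ignoring signature <name>" line in DEBUG_LOG.
# Returns 0 if every entry was matched, 1 otherwise.
# Assumption: one plain signature name per line, as in the post.
unapplied_ign2() {
    ign2_file=$1
    debug_log=$2
    missing=0
    # `|| [ -n "$entry" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr -d '\r')   # tolerate CRLF files
        [ -n "$entry" ] || continue                  # skip blank lines
        # -F: fixed string (names contain dots). -x: whole-line match, so an
        # entry "Foo-1" is not satisfied by a log line for "Foo-10".
        if ! tr -d '\r' < "$debug_log" |
             grep -qxF -- "LibClamAV debug: Ignoring signature $entry"; then
            printf '%s\n' "$entry"
            missing=1
        fi
    done < "$ign2_file"
    return "$missing"
}

# Demo on constructed files that mirror the post's local.ign2 and debug output.
demo_dir=$(mktemp -d)
printf '%s\n' 'Eicar-Test-Signature' 'Worm.Bagle.H-zippwd-1' \
    > "$demo_dir/local.ign2"
printf '%s\n' \
    'LibClamAV debug: /var/lib/clamav/local.ign2 loaded' \
    'LibClamAV debug: Ignoring signature Eicar-Test-Signature' \
    > "$demo_dir/debug.log"
unapplied_ign2 "$demo_dir/local.ign2" "$demo_dir/debug.log" ||
    echo "entries listed above were never reported as ignored" >&2
rm -rf "$demo_dir"
```

For a real run, capture the debug stream first, for example with `clamscan --debug /tmp/falsepositive 2> debug.log`, and pass that file as the second argument.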