Tuesday, November 22, 2016

Whitelisting signatures for ClamAV

ClamAV friend and community signature contributor Arnaud Jacques from SecuriteInfo.com wrote a quick article about how to whitelist a signature in ClamAV that may be giving you problems.

Please take a look at this article on his website for quick instructions on how to prevent a potential disaster in your environment.

2 comments:

  1. Hi,

    I have a false positive with: BC.Win.Exploit.CVE_2017_11241-6335400-2

    [root@mauka quarantine]# clamscan -i virus-paB3ruU128Q6
    virus-paB3ruU128Q6: BC.Win.Exploit.CVE_2017_11241-6335400-2 FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 6303524
    Engine version: 0.99.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 8.39 MB
    Data read: 11.78 MB (ratio 0.71:1)
    Time: 9.320 sec (0 m 9 s)

    But when I scan it with virustotal.com, all the other antiviruses did not find any malware.

    Whitelisting did not work for me:
    # echo "BC.Win.Exploit.CVE_2017_11241-6335400-2" >> /var/lib/clamav/local.ign2
    # systemctl restart clamd@amavisd.service

    Best regards

  2. Please provide false positives through Clamav.net
