Mailing List Archive

how to avoid false positive in clamAV
Hi ClamAV user, developer,

I am new to ClamAV. I like its design.

While scanning I saw a few false positive viruses. I searched on the internet
and found out that I can avoid these false positives by writing the md5 sum
to a local.ign file, putting this file in the /var/lib/clamav/* directory,
and then restarting the clamd daemon.

It is partially working: it works when I scan the false positive file
with clamscan -d, but it does not work with clamdscan.


Steps for creating the local.ign file:

$ sigtool --md5 my_file_name.exe >> local.ign

After that I put this file in the /var/lib/clamav/* directory and restarted
the clamd daemon.

When I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe,
it does not report the false positive; it works perfectly.


But when I scan this file using clamdscan, it still reports the false
positive.

Could anyone help me with avoiding this false positive?

I cannot submit my false positive file because of some business ethics
and compliance.


Thank you in advance,


Regards,

Gaurav


_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: [clamav-users] how to avoid false positive in clamAV
To whitelist specific files this way, you need to add the md5sum to a file with the .fp extension. So, in your example, it should be:

$ sigtool --md5 my_file_name.exe >> local.fp

If you want to ignore the signature altogether, you add the signature name to a file with the extension ign2.

For what it's worth, this is on page 23 of the "signatures.pdf" document that ships with the ClamAV source code.

Best regards
Mark

> On 5 Apr 2017, at 9:49 am, Gaurav Kumar Garg <gaurav.garg@uniscon.de> wrote:
