Mailing List Archive

[clamav-users] How do you add specific files to white list ?
I am using ClamAV version 0.101.3 with the parameters below and get Heuristics.Limits.Exceeded FOUND because I have enabled it in scanning. How do I add specific files to the whitelist?

Please see below to get an idea of what I am talking about.
I want to whitelist opera_browser.dll and Skype.exe.


X:\ClamAV>clamscan --memory --bell -i --detect-pua=yes --include-pua=Packed,PwTool,NetTool,P2P,IRC,RAT,Tool,Spy,Server,Script --database=.\Data --tempdir=%TEMP% --recursive=yes --allmatch=yes --bytecode=yes --bytecode-unsigned=yes --detect-pua=yes --detect-structured=yes --scan-mail=yes --phishing-sigs=yes --phishing-scan-urls=yes --heuristic-alerts=yes --heuristic-scan-precedence=no --normalize=yes --scan-pe=yes --scan-elf=yes --scan-ole2=yes --scan-pdf=yes --scan-swf=yes --scan-html=yes --scan-xmldocs=yes --scan-hwp3=yes --scan-archive=yes --alert-broken=yes --alert-encrypted=yes --alert-encrypted-archive=yes --alert-encrypted-doc=yes --alert-macros=yes --alert-exceeds-max=yes --alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes
Loading virus signature database, please wait... done
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***

X:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe: Heuristics.Limits.Exceeded FOUND
X:\Users\XXXXXXXXXX\AppData\Local\Programs\Opera\55.0.2994.59\opera_browser.dll: Heuristics.Limits.Exceeded FOUND
X:\Program Files\Mozilla Firefox\xul.dll: Heuristics.Limits.Exceeded FOUND
X:\Windows\system32\Macromed\Flash\NPSWF64_32_0_0_223.dll: Heuristics.Limits.Exceeded FOUND

*** Scanned 117 processes - 1070 modules ***
*** Computer Memory Scan Completed ***


----------- SCAN SUMMARY -----------
Known viruses: 10440489
Engine version: 0.101.3
Scanned directories: 0
Scanned files: 1187
Infected files: 4
Data scanned: 1105.43 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 1491.685 sec (24 m 51 s)
Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
On 8/20/2019 11:51 AM, Asok Kumar via clamav-users wrote:
> i am using ClamAV version 0.101.3 and using the parameters below and
> Heuristics.Limits.Exceeded FOUND because i have enabled it in
> scanning. how do i add specific files to the whitelist ?

This should probably be documented better on the website.

To whitelist a specific file, add its SHA1 fingerprint to local.sfp
in the clam database directory (any file that ends with .sfp will work)

To get the fingerprint, use the "sigtool" program included with clam.

sigtool --sha1 filename

this will return a string containing
SHA1:FileSize:filename

paste the whole string into local.sfp. You'll probably need to
create the local.sfp file the first time you do this as it's not
present by default.

clamscan will pick up the change immediately. If you use clamdscan,
you'll need to reload clamd.






-- Noel Jones

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
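
Added example, not part of any message in this thread and not ClamAV project code: Python that builds the hash:size:filename entry in the format the replies show, appends it to a local database only once, and reports entries that no longer match the file on disk (a fingerprint covers exact bytes, so an updated Skype.exe or opera_browser.dll needs a new entry). The function names, the extension-to-digest mapping taken from the replies (SHA1 for .sfp, MD5 for .fp) and the sample file contents are assumptions; sigtool remains the tool that produces real entries.

```python
import hashlib
import os
import tempfile

# Digest per database extension, as used in the replies in this thread.
ALGO_BY_EXT = {".sfp": "sha1", ".fp": "md5"}

def fingerprint(path, algo="sha1"):
    """Return 'hexdigest:size:basename', the entry format shown in the thread."""
    h, size = hashlib.new(algo), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return f"{h.hexdigest()}:{size}:{os.path.basename(path)}"

def read_entries(db_path):
    if not os.path.exists(db_path):  # the local database may not exist yet
        return []
    with open(db_path, encoding="utf-8") as f:
        return [line.strip() for line in f if line.strip()]

def add_entry(db_path, path):
    """Append the file's entry unless it is already listed; True if added."""
    entry = fingerprint(path, ALGO_BY_EXT[os.path.splitext(db_path)[1]])
    if entry in read_entries(db_path):
        return False
    with open(db_path, "a", encoding="utf-8") as f:
        f.write(entry + "\n")
    return True

def stale_entries(db_path, path):
    """Entries carrying this file's name whose digest or size no longer match."""
    current = fingerprint(path, ALGO_BY_EXT[os.path.splitext(db_path)[1]])
    name = os.path.basename(path)
    return [e for e in read_entries(db_path)
            if e.split(":", 2)[-1] == name and e != current]

def demo():
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "opera_browser.dll")  # constructed stand-in
        db = os.path.join(d, "local.sfp")
        with open(target, "wb") as f:
            f.write(b"constructed sample v1")
        added, again = add_entry(db, target), add_entry(db, target)
        with open(target, "wb") as f:  # simulate a software update
            f.write(b"constructed sample v2")
        return added, again, stale_entries(db, target)

if __name__ == "__main__":
    print(demo())
```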
Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
Hi Asok,

I’m extremely curious about the `--memory` you’re using with clamscan. I’m under the impression that is a feature added in some versions of ClamWin – but as far as I know, ClamWin hasn’t had a release 0.99.4. If I may ask, where did you get this version of ClamAV?

Regards,
Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Asok Kumar via clamav-users <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Tuesday, August 20, 2019 at 12:53 PM
To: "clamav-users@lists.clamav.net" <clamav-users@lists.clamav.net>
Cc: Asok Kumar <mbaiter2@gmail.com>
Subject: [clamav-users] How do you add specific files to white list ?

Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
On 20 August 2019 21:41:30 "Micah Snyder (micasnyd) via clamav-users" <clamav-users@lists.clamav.net> wrote:
> Hi Asok,
>
>
>
> I’m extremely curious about the `--memory` you’re using with clamscan. I’m
> under the impression that is a feature added in some versions of ClamWin –
> but as far as I know, ClamWin hasn’t had a release 0.99.4. If I may ask,
> where did you get this version of ClamAV?
The core engine from clamwin...

http://oss.netfarm.it/clamav/

0.99.4...

http://www.clamwin.com/content/view/18/46/

Cheers,


Steve
Twitter: @sanesecurity
Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
> On Aug 20, 2019, at 1:22 PM, Noel Jones <njones@megan.vbhcs.org> wrote:
>
> On 8/20/2019 11:51 AM, Asok Kumar via clamav-users wrote:
>> i am using ClamAV version 0.101.3 and using the parameters below and Heuristics.Limits.Exceeded FOUND because i have enabled it in scanning. how do i add specific files to the whitelist ?
>
> This should probably be documented better on the website.

We always welcome contributions to the ClamAV FAQ: https://github.com/Cisco-Talos/clamav-faq

Just a pull request with the content you want to add will be good enough, I can pretty it up.
Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
On Tue, 20 Aug 2019 at 22:51, Eric Tykwinski <eric-list@truenet.com> wrote:
> sigtool --md5 /path_to_file/libeay32.dll >> /var/lib/clamav/whitelist.fp
>
> File Contents:
> 59bde01a3d6a4e3eca97eb01e50fb346:2160112:libeay32.dll

Thank you for a to-the-point and accurate answer, and my problem is solved.
Not cribbing about small issues, but shouldn't we be using a more secure hash
algorithm nowadays?
Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
> not cribbing about small issues but shouldn't we be using a more secure
> hash algorithm now a days ?

Found the correct sigtool parameters :)

    --md5 [FILES]       Generate MD5 checksum from stdin or MD5 sigs for FILES
    --sha1 [FILES]      Generate SHA1 checksum from stdin or SHA1 sigs for FILES
    --sha256 [FILES]    Generate SHA256 checksum from stdin or SHA256 sigs for FILES
Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
I’m not aware of a way to make md5 collisions that also have the exact same file size. It would be nice to upgrade to SHA256 (and we have already prototyped the code to do so) but that would increase the size in-memory of the hash-based signatures rather significantly. Still, it is on our roadmap.

-Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Asok Kumar via clamav-users <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Wednesday, August 21, 2019 at 12:47 AM
To: "clamav-users@lists.clamav.net" <clamav-users@lists.clamav.net>
Cc: Asok Kumar <mbaiter2@gmail.com>
Subject: Re: [clamav-users] How do you add specific files to white list ?

Re: [clamav-users] How do you add specific files to white list ? [ In reply to ]
Thanks Steve, I wasn’t aware of http://oss.netfarm.it/clamav/. That makes sense now.

-Micah


From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Steve Basford <steveb_clamav@sanesecurity.com>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Tuesday, August 20, 2019 at 4:58 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] How do you add specific files to white list ?

