Mailing List Archive

[clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Hi ClamAV Geeks,

I have had the custom signatures file securiteinfohtml.hdb in ClamAV with false positives, so I deleted the file /var/lib/clamav/securiteinfohtml.hdb and restarted ClamAV (freshclam, clamd). But ClamAV still seems to be using this signature DB; it is still detecting viruses from this deleted database. So, somewhere this database is still not purged, or it is saved in a place I don't know.

How do I purge a CustomDatabaseURL correctly?

ClamAV 0.101.4 from default Server Repo
OS: Ubuntu 18.04 Server

Thanks for any help in advance
Schroeffu
Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
> How do I purge a CustomDatabaseURL correctly?

Did you remove that DB from your FreshClam config and / or
clamav-unofficial-signatures script so it won't re-download it?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Hi there,

On Thu, 2 Jan 2020, info@schroeffu.ch wrote:

> ... custom signatures file securiteinfohtml.hdb in ClamAV with false
> positives, so I deleted the file /var/lib/clamav/securiteinfohtml.hdb
> and restarted clamav (freshclam, clamd). But ClamAV seems still
> using this signature DB, it is still detecting viruses from this
> deleted database. So, somewhere this database is still not purged
> or saved in a place i don't know.

Perhaps freshclam simply replaced the deleted database, did you check?

> How do I purge a CustomDatabaseURL correctly?

If my guess is correct, in addition to removing the database itself
you need to tell freshclam not to download the securiteinfohtml.hdb
database. Either remove or comment the DatabaseCustomURL line (not
CustomDatabaseURL) in your freshclam.conf file.

> ClamAV 0.101.4 fromdefault Server Repo

A lot has changed since that version of ClamAV, I recommend upgrading.

--

73,
Ged.

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Thanks G.W. and J.R. for your answers.

Yes, I deleted the line in /etc/clamav/freshclam.conf ~2 weeks ago already; before, it was:

DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfo.ign2
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/javascript.ndb
#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(personal url path here, removed)/securiteinfohtml.hdb ##deleted this line completely
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfoascii.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfoold.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for mailing list)/securiteinfopdf.hdb

> Perhaps freshclam simply replaced the deleted database, did you check?

Yes, the file is not re-created in /var/lib/clamav/securiteinfohtml.hdb

But even with server reboot the signatures from that file are still hitting, for example:

Wed, 01 Jan 2020 21:45:17 CET
Clamd: msg-137649-12.html was infected: SecuriteInfo.com.HTML-8188.UNOFFICIAL

Update: Ohh, just while writing this mail I searched for "HTML-8188" in every file under /var/lib/clamav/* and now I see that javascript.ndb contains this signature too. My fault! My guess was that signatures named HTML-* are from securiteinfohtml.hdb ... Sorry!

root@XXX01:/var/lib/clamav# grep -Ri HTML-8188 *
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f636c636b2e7275
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f7777772e6d617a696e67657267696a6f6e2e636f6d

All good :-) Going to remove javascript.ndb too. Sorry again.

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
> All good :-) Going to remove javascript.ndb too. Sorry again.

Rather than deleting entire signature databases because of one false
positive, why don't you either:

1. Whitelist the file (if it's static)
or
2. Whitelist the signature(s)

Both are a quick Google search away and very easy to do...
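The grep that located HTML-8188 in javascript.ndb in the earlier reply, and the two whitelisting options suggested here, as an added example that is not code from the thread, from ClamAV or from SecuriteInfo. It uses only POSIX tools (grep, awk, sed, md5sum, wc) so it runs without ClamAV installed; a scratch directory stands in for /var/lib/clamav, and the database contents, the freshclam.conf, the PLACEHOLDER-KEY segment of the URLs and the sample file are all constructed for the example. The .ign2 and .fp formats are ClamAV's own: one signature name per line, and MD5:size:name (the line `sigtool --md5 <file>` prints).

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV. Only POSIX tools
# are used so it runs without ClamAV. Assumption: a scratch directory stands
# in for /var/lib/clamav; all databases, the config and the file below are
# constructed for this example.
set -eu

DBDIR="$(mktemp -d)"

# Constructed databases. The HTML-8188 name and its first body are the ones
# quoted in the thread; every other entry is made up.
printf '%s\n' \
  'SecuriteInfo.com.HTML-8188:3:*:2f2f636c636b2e7275' \
  'SecuriteInfo.com.JS-0001:3:*:6576616c28' > "$DBDIR/javascript.ndb"
printf '%s\n' \
  'd41d8cd98f00b204e9800998ecf8427e:0:SecuriteInfo.com.ASCII-0001' > "$DBDIR/securiteinfoascii.hdb"

# Constructed freshclam.conf in the shape shown in the thread; the account
# key segment of each URL is a placeholder.
CONF="$DBDIR/freshclam.conf"
printf '%s\n' \
  'DatabaseMirror database.clamav.net' \
  'DatabaseCustomURL http://www.securiteinfo.com/get/signatures/PLACEHOLDER-KEY/javascript.ndb' \
  '#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/PLACEHOLDER-KEY/securiteinfohtml.hdb' \
  'DatabaseCustomURL http://www.securiteinfo.com/get/signatures/PLACEHOLDER-KEY/securiteinfoascii.hdb' > "$CONF"

# Which custom databases does freshclam still fetch? A deleted .hdb whose
# line is still active here simply comes back on the next update.
custom_db_names() {  # custom_db_names <freshclam.conf>
  grep -E '^[[:space:]]*DatabaseCustomURL[[:space:]]' "$1" | awk '{print $2}' | sed 's#.*/##'
}

# Which database files actually carry a signature name? -F matches the name
# literally (its dots are not regex wildcards); -l prints file names only.
# This is the check that showed HTML-8188 lives in javascript.ndb.
find_signature() {  # find_signature <dbdir> <signature-name>
  grep -lF "$2" "$1"/*.ndb "$1"/*.hdb "$1"/*.ldb 2>/dev/null | sed 's#.*/##' | sort
}

# Ignore one signature by name: clamd skips any signature listed in a .ign2
# file in the database directory, one name per line. Every other signature
# in javascript.ndb stays active, unlike deleting the whole file.
ignore_signature() {  # ignore_signature <dbdir> <signature-name>
  grep -qxF "$2" "$1/local.ign2" 2>/dev/null || printf '%s\n' "$2" >> "$1/local.ign2"
}

# Whitelist one known-clean file: a .fp entry is MD5:size:name, the same
# line `sigtool --md5 <file>` prints. It only matches while the file stays
# byte-identical, so it suits a static file, not a stream of mails.
whitelist_file() {  # whitelist_file <dbdir> <file>
  sum=$(md5sum "$2" | cut -d' ' -f1)
  size=$(wc -c < "$2" | tr -d ' ')
  printf '%s:%s:%s\n' "$sum" "$size" "$(basename "$2")" >> "$1/local.fp"
}

# Walk-through on the constructed data.
echo "custom databases still configured:"; custom_db_names "$CONF"
echo "files containing SecuriteInfo.com.HTML-8188:"; find_signature "$DBDIR" SecuriteInfo.com.HTML-8188
ignore_signature "$DBDIR" SecuriteInfo.com.HTML-8188
printf '%s' '<p>constructed sample message</p>' > "$DBDIR/msg-137649-12.html"
whitelist_file "$DBDIR" "$DBDIR/msg-137649-12.html"
echo "local.ign2:"; cat "$DBDIR/local.ign2"
echo "local.fp:"; cat "$DBDIR/local.fp"
```

On a real host the .ign2 and .fp files go into the database directory clamd loads (/var/lib/clamav in the thread), and clamd picks them up on its next database reload (for example via `clamdscan --reload`). Ignoring by name removes the one noisy signature while the rest of javascript.ndb keeps scanning, and the file-hash whitelist is only worth using for content that does not change.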

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Hi there,

On Thu, 2 Jan 2020, J.R. via clamav-users wrote:

>> All good :-) Going to remove javascript.ndb too. Sorry again.
>
> Rather than deleting entire signature databases because of one false
> positive, why don't you either:
>
> 1. Whitelist the file (if it's static)
> or
> 2. Whitelist the signature(s)
> ...

And report the false positive to the ClamAV team?

--

73,
Ged.

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Hello,

On 03/01/2020 at 00:06, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 2 Jan 2020, J.R. via clamav-users wrote:
>
>>> All good :-) Going to remove javascript.ndb too. Sorry again.
>>
>> Rather than deleting entire signature databases because of one false
>> positive, why don't you either:
>>
>> 1. Whitelist the file (if it's static)
>>  or
>> 2. Whitelist the signature(s)
>> ...
>
> And report the false positive to the ClamAV team?

All false positives from SecuriteInfo.com signatures should be sent to
webmaster@securiteinfo.com.
Thank you.

--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail : aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
>> And report the false positive to the ClamAV team?
>
> All false positives from SecuriteInfo.com signatures should be sent to
> webmaster@securiteinfo.com.
> Thank you.

As this false positive was from unofficial signatures I am going to report it to
webmaster@securiteinfo.com.

>> All good :-) Going to remove javascript.ndb too. Sorry again.
>
> Rather than deleting entire signature databases because of one false
> positive, why don't you either:
>
> 1. Whitelist the file (if it's static)
> or
> 2. Whitelist the signature(s)
>
> Both are a quick google search and very easy to do...

Thank you, but for the moment my setup is using ClamAV only for virus/malware (and to quarantine them and report them to admins); the mentioned false-positive signature was against spam. For the moment I am strictly using SpamAssassin for antispam and ClamAV for antivirus. This will change later this year when changing to rspamd for antispam.

But yes, for sure you are right about whitelisting; again, thanks for the hints.

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Sent from my iPad

On Jan 3, 2020, at 00:32, info@schroeffu.ch wrote:
>
>>> And report the false positive to the ClamAV team?
>>
>> All false positives from SecuriteInfo.com signatures should be sent to
>> webmaster@securiteinfo.com.
>> Thank you.
>
> As this false positive was from unofficial signatures i am going to report it to
> webmaster@securiteinfo.com.

It's unofficial because it's not from ClamAV, but it is from SecuriteInfo, so it's very much appropriate to report it to them as an FP.

-Al-
