[clamav-users] Whitelist databases/File whitelist - format?
Hi,

whitelisting a file themedesigner.war

Creating an md5 signature and writing it to a file with extension .fp
# sigtool --md5 themedesigner.war
a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner
(omitting the last extension, in this case .war)

Restarting the clamd scan service

Check if the whitelisting is honoured using clamd and clamscan
In both cases the virus is still FOUND, not whitelisted

Any idea what's wrong in my thinking or something I'm missing?

Thx,


Pascal De Meerleer
Systems Engineer Mainframe Platform
Tel. +32 2 448 21 03
IMS Support: imsbox@kbc.be or http://klein/ims_chatbox
KBC Groep NV, KBC H IOB - COMPUTE & STORAGE INFRASTRUCTURE
Egide Walschaertsstraat 3, 2800 Mechelen

Re: [clamav-users] Whitelist databases/File whitelist - format? [ In reply to ]
Hi there,

On Thu, 7 May 2020, Pascal De Meerleer via clamav-users wrote:

> ...
> whitelisting a file themedesigner.war
>
> Creating an md5 signature and writing it to a file with extension .fp
> # sigtool --md5 themedesigner.war
> a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner
> (omitting the last extension, in this case .war)

It is not clear to me from your post exactly what you have done, and I
specifically do not understand your comment

"(omitting the last extension, in this case .war)"

Why would you omit it? Are you expecting to whitelist every file with
a name which begins with "themedesigner"?

Have you tried _not_ omitting the file extension?

> Restarting the clamd scan service

Not necessary, you can signal clamd to reload the databases or just
wait until something else does it (such as freshclam, or any scan).

> Check if whitelisting found using clamd and clamscan
> In both cases virus is still FOUND, not whitelisted
>
> Any idea what's wrong in my thinking or something I'm missing?

Please make your post much clearer. What exactly is the name of the
database file which you created, where in the filesystem did you put
it, and what is the exact content of the database file?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Whitelist databases/File whitelist - format? [ In reply to ]
Hi,

Hopefully this is clearer; it depicts the steps I took:

The file I try to whitelist is the following:
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war

The method I use is:
# sigtool --md5 /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war > /var/lib/clamav/whitelist.fp

The result is:
# cat /var/lib/clamav/whitelist.fp
a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner.war

Scanning the file using clamscan is:
# clamscan -i /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war: Win.Exploit.CVE_2012_1889-16 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6921006
Engine version: 0.102.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 125.63 MB
Data read: 14.14 MB (ratio 8.89:1)
Time: 60.377 sec (1 m 0 s)

OR using clamdscan
# clamdscan /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
WARNING: Ignoring deprecated option ScanOnAccess at /etc/clamd.d/scan.conf:633
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war: Win.Exploit.CVE_2012_1889-16 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 48.522 sec (0 m 48 s)

Grtz,

Pascal De Meerleer
Systems Engineer Mainframe Platform
Tel. +32 2 448 21 03
IMS Support: imsbox@kbc.be or http://klein/ims_chatbox
KBC Groep NV, KBC H IOB - COMPUTE & STORAGE INFRASTRUCTURE
Egide Walschaertsstraat 3, 2800 Mechelen






-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
Sent: Thursday, May 7, 2020 1:27 PM
To: Pascal De Meerleer via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Whitelist databases/File whitelist - format?
Re: [clamav-users] Whitelist databases/File whitelist - format? [ In reply to ]
Hi,

It looks like this issue might be related to https://bugzilla.clamav.net/show_bug.cgi?id=12217. The problem is a bug in the ClamAV reporting code where the archive itself is whitelisted, but the contents are not. This causes the archive to be reported, even though it has been whitelisted.

The ClamAV team is working on a fix for this, but you could temporarily try unpacking the archive and whitelisting the individual file that is being flagged. However, if the file being flagged is HTML or JavaScript, it is possible that it will still not work until 0.103, when the bug is fixed.

Thanks,
Andy
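One way to generate and sanity-check these entries, as an added example that is neither ClamAV's code nor code from anyone in this thread: it reproduces the md5:size:name line that `sigtool --md5` prints (the format shown in the thread), matches a file against a whitelist on hash and size, and, following Andy's workaround, emits entries for each member of a zip-based .war so the flagged inner file can be whitelisted on its own. The sample archive, its member contents and the name sample.war are constructed for the example.

```python
"""Build and check ClamAV .fp (hash whitelist) entries for a file and for the
members of a zip-based archive such as a .war.

Added example for this thread, not ClamAV's own code: it reproduces the
md5:size:name line that `sigtool --md5` prints and shows how a whitelist entry
is matched on hash plus size. The sample archive and its member names are
constructed here for the demonstration."""
import hashlib
import io
import zipfile


def fp_line(data: bytes, name: str) -> str:
    """Return an .fp entry for `data` in the md5:size:name form sigtool --md5 prints."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp_line(line: str):
    """Parse 'md5:size:name' into (md5, size, name), rejecting malformed lines."""
    parts = line.strip().split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"expected md5:size:name, got {line!r}")
    md5, size, name = parts
    md5 = md5.lower()
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        raise ValueError(f"bad md5 field in {line!r}")
    if not size.isdigit():
        raise ValueError(f"bad size field in {line!r}")
    return md5, int(size), name


def load_fp(text: str):
    """Parse every non-blank line of an .fp database into (md5, size, name) tuples."""
    return [parse_fp_line(l) for l in text.splitlines() if l.strip()]


def is_whitelisted(data: bytes, entries) -> bool:
    """True when data matches an entry on both the MD5 and the exact size.

    The name field is only a label: a renamed copy of the same bytes still
    matches, while a changed byte (different hash) or an appended byte
    (different size) does not.
    """
    digest = hashlib.md5(data).hexdigest()
    return any(digest == m and len(data) == s for m, s, _ in entries)


def archive_fp_lines(archive: bytes, archive_name: str):
    """Return .fp lines for the archive itself and for each file inside it.

    This is the workaround discussed in the thread: when the archive-level
    entry is not honoured, whitelist the individual member that is flagged.
    """
    lines = [fp_line(archive, archive_name)]
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # sigtool --md5 prints the basename, so mirror that for members.
            lines.append(fp_line(zf.read(info), info.filename.rsplit("/", 1)[-1]))
    return lines


# Constructed sample: a two-file .war-style zip with harmless placeholder content.
SAMPLE_MEMBERS = {
    "index.html": b"<html><body>theme designer placeholder</body></html>\n",
    "WEB-INF/web.xml": b"<web-app/>\n",
}


def build_sample_war() -> bytes:
    """Pack SAMPLE_MEMBERS into an in-memory zip (a .war is a zip file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in SAMPLE_MEMBERS.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war()
    db = "\n".join(archive_fp_lines(war, "sample.war")) + "\n"
    print(db, end="")
    entries = load_fp(db)
    print("archive whitelisted:", is_whitelisted(war, entries))
    print("member whitelisted:", is_whitelisted(SAMPLE_MEMBERS["index.html"], entries))
    print("tampered member whitelisted:",
          is_whitelisted(SAMPLE_MEMBERS["index.html"] + b"x", entries))
```

Put the resulting .fp file in clamd's database directory (the thread uses /var/lib/clamav) and, as Ged notes, ask clamd to reload rather than restart it; `clamdscan --reload` does that. Whether the archive-level entry takes effect on a given engine version is the bug Andy refers to, which this script does not reproduce; it only shows which member entries to add.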



________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Pascal De Meerleer via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, May 7, 2020 7:44 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Pascal De Meerleer <pascal.demeerleer@kbc.be>; G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Whitelist databases/File whitelist - format?