Hello folks,
I am new to this mailing list. I’ve got a question related to ClamAV’s
.fp files. Since I am a Ubuntu user, I asked my question on
askubuntu.com:
https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
Got directed to a ClamAV forum so I am here. Copying my original post.
My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
Trying to make ClamAV ignore several files. These are almost cryptocoin
miners which I do use. Cryptocoin miners get flagged by most antivirus
programs for they can be distributed as malware (using other people’s
computers for the attacker’s profit). At the same time, they can be used
for a tiny profit by the computer’s user himself, knowing what he is
doing. ClamAV also reports the miners as malware and I’d like to teach
it to ignore the files I actually use, knowing what I am doing.
I also want to ignore the files on a per-file basis. Ignoring a whole
malware type can be dangerous.
Well, still no success here.
Read this manual page: http://pig.made-it.com/clamav.html
<http://pig.made-it.com/clamav.html>.
Then this manual page:
https://www.clamav.net/documents/allow-list-databases
<https://www.clamav.net/documents/allow-list-databases>.
Then this: https://www.clamav.net/documents/file-hash-signatures
<https://www.clamav.net/documents/file-hash-signatures>.
In all these documents, they state that all I have to do is:
* Create a file in the ClamAV database folder (on Ubuntu, it’s
/var/lib/clamav) with the |.fp| extension,
* place the file signatures therein, following the format
|MD5:SIZE:COMMENT|, one per line,
o |MD5| being the MD5 sum of the file,
o |SIZE| being the file size, and
o |COMMENT| being anything, defaulting to the file name.
However, this
<http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/> blog entry
states that the format has to be |MD5:SIZE:ID_NAME|, where:
* |ID| is a 6-digit identifier (can be the current date in the
|YYMMDD| format) and
* |NAME| is the file name *without the extension.*
Tried to follow even the second, restricted ruleset but to no avail.
Clamscan still marks the file as a virus.
I have got this file:
|clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp -rw-rw-r-- 1 clamav
clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp |
with this content:
|2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
|
Then I run |clamscan|:
|clamav@precision-7510:~$ clamscan /home/pavel/Installace/T?žba\ a
kryptom?ny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
/home/pavel/Installace/T?žba a
kryptom?ny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz:
Multios.Coinminer.Miner-6781728-2 FOUND ----------- SCAN SUMMARY
----------- Known viruses: 8653609 Engine version: 0.102.4 Scanned
directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 7.19 MB
Data read: 1.99 MB (ratio 3.61:1) Time: 17.547 sec (0 m 17 s) |
So I still get a detection. What am I doing wrong?
Cheers,
Pavel ?ezní?ek
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
I am new to this mailing list. I’ve got a question related to ClamAV’s
.fp files. Since I am a Ubuntu user, I asked my question on
askubuntu.com:
https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
Got directed to a ClamAV forum so I am here. Copying my original post.
My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
Trying to make ClamAV ignore several files. These are almost cryptocoin
miners which I do use. Cryptocoin miners get flagged by most antivirus
programs for they can be distributed as malware (using other people’s
computers for the attacker’s profit). At the same time, they can be used
for a tiny profit by the computer’s user himself, knowing what he is
doing. ClamAV also reports the miners as malware and I’d like to teach
it to ignore the files I actually use, knowing what I am doing.
I also want to ignore the files on a per-file basis. Ignoring a whole
malware type can be dangerous.
Well, still no success here.
Read this manual page: http://pig.made-it.com/clamav.html
<http://pig.made-it.com/clamav.html>.
Then this manual page:
https://www.clamav.net/documents/allow-list-databases
<https://www.clamav.net/documents/allow-list-databases>.
Then this: https://www.clamav.net/documents/file-hash-signatures
<https://www.clamav.net/documents/file-hash-signatures>.
In all these documents, they state that all I have to do is:
* Create a file in the ClamAV database folder (on Ubuntu, it’s
/var/lib/clamav) with the |.fp| extension,
* place the file signatures therein, following the format
|MD5:SIZE:COMMENT|, one per line,
o |MD5| being the MD5 sum of the file,
o |SIZE| being the file size, and
o |COMMENT| being anything, defaulting to the file name.
However, this
<http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/> blog entry
states that the format has to be |MD5:SIZE:ID_NAME|, where:
* |ID| is a 6-digit identifier (can be the current date in the
|YYMMDD| format) and
* |NAME| is the file name *without the extension.*
Tried to follow even the second, restricted ruleset but to no avail.
Clamscan still marks the file as a virus.
I have got this file:
|clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp -rw-rw-r-- 1 clamav
clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp |
with this content:
|2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
|
Then I run |clamscan|:
|clamav@precision-7510:~$ clamscan /home/pavel/Installace/T?žba\ a
kryptom?ny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
/home/pavel/Installace/T?žba a
kryptom?ny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz:
Multios.Coinminer.Miner-6781728-2 FOUND ----------- SCAN SUMMARY
----------- Known viruses: 8653609 Engine version: 0.102.4 Scanned
directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 7.19 MB
Data read: 1.99 MB (ratio 3.61:1) Time: 17.547 sec (0 m 17 s) |
So I still get a detection. What am I doing wrong?
Cheers,
Pavel ?ezní?ek
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml