Mailing List Archive

[clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
Hello folks,

I am new to this mailing list. I’ve got a question related to ClamAV’s
.fp files. Since I am an Ubuntu user, I asked my question on
askubuntu.com:
https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
Got directed to a ClamAV forum so I am here. Copying my original post.

My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.

Trying to make ClamAV ignore several files. These are almost cryptocoin
miners which I do use. Cryptocoin miners get flagged by most antivirus
programs for they can be distributed as malware (using other people’s
computers for the attacker’s profit). At the same time, they can be used
for a tiny profit by the computer’s user himself, knowing what he is
doing. ClamAV also reports the miners as malware and I’d like to teach
it to ignore the files I actually use, knowing what I am doing.

I also want to ignore the files on a per-file basis. Ignoring a whole
malware type can be dangerous.

Well, still no success here.

Read this manual page: http://pig.made-it.com/clamav.html

Then this manual page: https://www.clamav.net/documents/allow-list-databases

Then this: https://www.clamav.net/documents/file-hash-signatures

In all these documents, they state that all I have to do is:

* Create a file in the ClamAV database folder (on Ubuntu, it’s
/var/lib/clamav) with the .fp extension,
* place the file signatures therein, following the format
MD5:SIZE:COMMENT, one per line,
  o MD5 being the MD5 sum of the file,
  o SIZE being the file size, and
  o COMMENT being anything, defaulting to the file name.

However, this blog entry
<http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/> states that
the format has to be MD5:SIZE:ID_NAME, where:

* ID is a 6-digit identifier (can be the current date in the
YYMMDD format) and
* NAME is the file name without the extension.

Tried to follow even the second, restricted ruleset but to no avail.
Clamscan still marks the file as a virus.

I have got this file:

clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp
-rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp

with this content:

2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar

Then I run clamscan:

clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
/home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8653609
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 7.19 MB
Data read: 1.99 MB (ratio 3.61:1)
Time: 17.547 sec (0 m 17 s)

So I still get a detection. What am I doing wrong?

Cheers,
Pavel Řezníček


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
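A small checker for the .fp format described in the three documents above, added here as an example; it is not from the original post or from the ClamAV project. It builds a MD5:SIZE:NAME line for a file, lints an existing .fp file, and tests whether a file on disk is covered by an entry on the two fields the engine compares, the MD5 and the exact byte size. The third field is only a label, which is why the ClamAV docs' free-form "comment" and the blog's ID_NAME convention can both work. The function names (fp_line, fp_lint, fp_matches) and the sample file in the comments are constructed for this example; it assumes GNU md5sum(1) and POSIX wc(1).

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): helpers for the
# MD5:SIZE:NAME allow-list format used by ClamAV .fp files.
# Assumes GNU md5sum(1) and POSIX wc(1); fp_line, fp_lint and fp_matches
# are names chosen for this example.

# Print the .fp line for FILE. The optional NAME overrides the third field,
# which ClamAV treats as a label only; the default is the file's basename.
fp_line() {
    f=$1
    name=${2:-${f##*/}}
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Syntax-check every non-empty line of an .fp file: 32 hex digits, a decimal
# byte count and a non-empty name with no further colons (this lint is
# stricter than the engine may be). Malformed lines go to stderr; returns 0
# only when every line passes.
fp_lint() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if ! printf '%s\n' "$line" | grep -Eq '^[0-9a-fA-F]{32}:[0-9]+:[^:]+$'; then
            printf 'malformed .fp line: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Report whether FILE would be covered by FPFILE: an entry must match on both
# the MD5 and the exact byte size, the two fields the engine compares. The
# name field is deliberately ignored, as ClamAV ignores it. Exit 0 = covered.
fp_matches() {
    fp=$1
    f=$2
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    grep -Eiq "^$md5:$size:" "$fp"
}

# Typical use (paths are placeholders for this example):
#   fp_line /path/to/xmr-stak-linux-2.10.5-cpu.tar.xz >> /var/lib/clamav/miners.fp
#   fp_lint /var/lib/clamav/miners.fp
#   fp_matches /var/lib/clamav/miners.fp /path/to/xmr-stak-linux-2.10.5-cpu.tar.xz && echo covered
```

ClamAV's own sigtool --md5 FILE prints the same MD5:SIZE:NAME line, so the value of these helpers is the check rather than the generation: the size field has to be the exact byte count of the file as scanned (2089980 in the post above, which is the 1.99 MB "Data read" in the scan summary), and fp_matches tells you whether the entry you wrote actually pairs with the file on disk before you go looking for other causes.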
Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
Very curious! It seems to work as expected on my Fedora 32 system. If you
run clamscan with the --debug option, you can see it load the ".fp" files
(and lots and lots of other stuff too!).

$ clamscan --version
ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021

$ cat /var/lib/clamav/xmr-stak-linux.fp
2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz

$ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK

----------- SCAN SUMMARY -----------
Known viruses: 12743774
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 16.49 MB
Data read: 1.99 MB (ratio 8.28:1)
Time: 25.887 sec (0 m 25 s)
Start Date: 2021:04:17 20:52:21
End Date: 2021:04:17 20:52:47


On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček <pavel.reznicek@evangnet.cz>
wrote:
Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
Oops, my first email text formatting may have destroyed the contents.
Here's another try.

On Sat, Apr 17, 2021 at 8:55 PM Richard Graham <rickhg12hs@gmail.com> wrote:
> >
> > Very curious! It seems to work as expected on my Fedora 32 system. If
> you run clamscan with the --debug option, you can see it load the ".fp"
> files (all lots and lots of other stuff too!).
> >
> > $ clamscan --version
> > ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
> >
> > $ cat /var/lib/clamav/xmr-stak-linux.fp
> > 2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz
> >
> > $ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> > Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> > Scanning
> /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
> > /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 12743774
> > Engine version: 0.103.2
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 16.49 MB
> > Data read: 1.99 MB (ratio 8.28:1)
> > Time: 25.887 sec (0 m 25 s)
> > Start Date: 2021:04:17 20:52:21
> > End Date: 2021:04:17 20:52:47
Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
Humm, I’ve restarted my laptop and now the .fp file gets read and the
detection gets ignored.

How come I need to restart the machine? Is there any service I could
restart instead?

Pavel

On 17. 04. 21 at 20:55, Richard Graham via clamav-users wrote:
Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
On Tue, Apr 20, 2021 at 11:54 AM Pavel Řezníček <pavel.reznicek@evangnet.cz>
wrote:

> Humm, I’ve restarted my laptop and now the .fp file gets read and the
> detection gets ignored.
>
> How come I need to restart the machine? Is there any service I could
> restart instead?
>
A restart shouldn't be necessary. Is that behavior repeatable? Are you
sure you're using `clamscan` and not `clamdscan`?

I don't think clamscan uses any service, although clamdscan does. When
observing `clamscan --debug ...` or `strace clamscan ...` output, I can see
the ".fp" files being loaded each time clamscan is executed.

Maybe have a look at the details of what is actually being executed and the
details of that execution?

Good luck!
Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
I can't reproduce the issue any more. Tried to create a new .fp file
with another signature and both the files, the old and the new, get
parsed properly now. This is a bit spooky. Nevertheless, thank you for
your assistance, Richard!

Should I discover the same behavior again, I'll report as soon as possible.

BTW, yes, I don't even have clamd & clamdscan installed, so I am pretty
sure I had been running clamscan.

On 20. 04. 21 at 16:55, Richard Graham via clamav-users wrote: