Hi, I think there's a bug with ClamAV not honouring the contents of a .fp file within the database directory.
I've tested 0.101.2 as well as previous versions of ClamAV going back to 0.99.4 and the issue seems to have appeared as of 0.100.0 onwards. To re-create the issue: Find a zip file which you know reports an infection when scanned. Use sigtool --md5 to generate an FP sig of the zip file and save it in a <filename>.fp file in the databse directory. Use clamscan to scan the file and see that it still reports the file as being infected. The output from clamscan --debug shows the .fp file is being loaded, but it just doesn't seem to be being honoured for some reason. I see the same thing when I build ClamAV on macOS as well as when using the apt-get distribution on Ubuntu 18.04 Lastly, it only appears to be an issue with archive filetypes eg .zip, .dmg etc. Simple files are excluded as expected - similarly, if you generate an FP sig of a simple file and put that file within an archive, it correctly gets excluded. I'll clone the source from Git on Monday and have a dig through it myself to see if I can fix the bug, but thought I'd mention it here in case someone's already on it, or at least knows where I can start looking! Cheers Mark _______________________________________________ clamav-devel mailing list clamav-devel@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-devel Please submit your patches to our Bugzilla: http://bugzilla.clamav.net Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
