We're looking into a solution for this.

On Wed, Feb 8, 2012 at 10:51 AM, Chuck Swiger <cswi...@mac.com> wrote:

> On Feb 8, 2012, at 7:25 AM, Yoshihara Takao wrote:
> > Hi all,
> >
> > Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific
> > Linux 6.1 (i686).
> > Since around a month ago, whenever daily clamscan is finished, the same
> > following False Positive has been detected and the files have been
> > mandatorily deleted:
> >
> > /etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
> > /etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
> > /etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
> >
> > I thought this issue was FP and reported it to the site below, but it has
> > still been detected even if I update the .cvd file and no fix seems to
> > have been provided.
>
> Snort includes rules which look for malware in network traffic.  These
> rules contain patterns which another scanner like ClamAV will correctly
> associate with malware.  This isn't a false positive, it's a legitimate
> match.
>
> > I temporarily exclude the "/etc/snort/rules" directory from the targets of
> > clamscan.  What should I do later?
>
> You should continue to exclude snort's rules from clamscan / clamdscan.
>
> What you're doing is effectively the same thing as installing two
> different virus scanners on the same box.  If you don't make an effort to
> exclude one scanner's virus database location from being scanned by the
> other scanner, and vice-versa, then you will end up with them trying to
> quarantine or delete each other's malware database files.
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
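
An added example, not part of the thread and not ClamAV or Snort project code: a small triage helper that splits clamscan "FOUND" lines into hits inside another scanner's signature directory (expected, per the advice above) and hits that still need review, and builds anchored `--exclude-dir` regexes for those directories. The `SIGNATURE_DIRS` list, the function names and the last three sample lines are assumptions constructed for illustration, and the regexes assume the scan is started with absolute paths.

```python
import re
from pathlib import PurePosixPath

# Directories holding another scanner's detection content. /etc/snort/rules is
# the path from the thread; extend the list for your own hosts (assumption).
SIGNATURE_DIRS = ["/etc/snort/rules"]

# clamscan prints one line per detection: "<path>: <signature> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# First three lines are quoted in the thread; the last three are constructed.
SAMPLE_REPORT = """\
/etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
/etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
/etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
/etc/snort/rules-old/shellcode.rules: Exploit.Alpha_Upper FOUND
/home/user/Downloads/sample.bin: Constructed.Sample.Sig FOUND
/etc/hosts: OK
"""

def parse_hits(report):
    """Return (path, signature) for every FOUND line; OK lines are skipped."""
    matches = (HIT_RE.match(line.strip()) for line in report.splitlines())
    return [(m.group("path"), m.group("sig")) for m in matches if m]

def is_under(path, directory):
    """Component-wise containment: /etc/snort/rules-old is not /etc/snort/rules."""
    return PurePosixPath(directory) in PurePosixPath(path).parents

def triage(report, signature_dirs=SIGNATURE_DIRS):
    """Split hits into (expected: inside a signature dir, review: the rest)."""
    expected, review = [], []
    for path, sig in parse_hits(report):
        inside = any(is_under(path, d) for d in signature_dirs)
        (expected if inside else review).append((path, sig))
    return expected, review

def exclude_args(signature_dirs=SIGNATURE_DIRS):
    """Anchored --exclude-dir regexes so only the listed directories are skipped."""
    return ["--exclude-dir=^" + re.escape(d) + "(/|$)" for d in signature_dirs]

if __name__ == "__main__":
    expected, review = triage(SAMPLE_REPORT)
    print("expected (signature content):", len(expected))
    for path, sig in review:
        print("needs review:", path, sig)
    print("clamscan", *exclude_args())
```

The anchoring matters: an unanchored pattern such as `snort` would also skip look-alike directories, which is why the constructed `/etc/snort/rules-old` hit stays in the review list.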
