If you run clamscan with "--debug" it will tell you which files it is loading, even the files inside a cvd or cld file. It will also remark about which signatures it skips when loading.

You should see these lines within your debug output:

...
LibClamAV debug: daily.ign2 loaded
...
LibClamAV debug: /var/lib/clamav/daily.cld loaded
...
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
...
LibClamAV debug: main.ndb loaded
...

Which of these rows you see is going to be affected by the contents of your database, but this is what I see with an up-to-date daily and main.cvd.

The signature is in the latest main. The ignore is set in the latest daily (21562) and has been for weeks. Once you get to a fresh enough daily it will have the ignore set. If there is something else going on that is preventing clamscan from loading that daily.cld (e.g. file permissions, path difference) that would be the culprit.

Hope this helps,

Dave R.

On Tue, May 17, 2016 at 4:33 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:

> Yessir:
>
> # sigtool -u /var/lib/clamav/daily.cld
>
> # grep -i 'Win.Trojan.Trojan-605' daily.ign
> main:42:Win.Trojan.Trojan-605
>
> On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
>
> > $ sigtool -u /usr/local/share/clamav/daily.cld
> >
> > $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> > main:42:Win.Trojan.Trojan-605
> >
> > Same on your end?
> >
> > - Alain
> >
> > On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> >
> > > We do.
> > >
> > > -J
> > >
> > > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> > >
> > > > Jason:
> > > >
> > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > > dropped several weeks ago, but would only be reflected in your installation
> > > > if you have both main.cvd and daily.cvd. Please confirm.
> > > >
> > > > Thanks,
> > > >
> > > > - Alain
> > > >
> > > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> > > >
> > > > > No, ClamAV 0.98.7.
> > > > >
> > > > > -J
> > > > >
> > > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > > >
> > > > > > I’m unable to replicate your findings:
> > > > > >
> > > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > > >
> > > > > > Taking a look at the current daily.cld I see entries in both ignore sections:
> > > > > >
> > > > > > daily.ign
> > > > > > 1374
> > > > > > 002516
> > > > > >
> > > > > > fake:1:Dont_remove_this_line
> > > > > > ...
> > > > > > main:42:Win.Trojan.Trojan-605
> > > > > >
> > > > > > daily.ign2
> > > > > >
> > > > > > 1072 002573
> > > > > >
> > > > > > fake_dont_remove_this_line
> > > > > > ...
> > > > > > Win.Trojan.Trojan-605
> > > > > >
> > > > > > I wonder if it’s engine specific? Are you using 0.99.x?
> > > > > >
> > > > > > -Al-
> > > > > >
> > > > > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > > > > >
> > > > > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
> > > > > > > (daily 21557).
> > > > > > >
> > > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > > >
> > > > > > > -J
> > > > > > >
> > > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > > > > >
> > > > > > >> The new database was just made available, so I recommend you hold off
> > > > > > >> until you have the new main.cvd v57 and daily.cvd v21466 before getting too
> > > > > > >> excited about this.
> > > > > > >>
> > > > > > >> -Al-
> > > > > > >>
> > > > > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > > >>>
> > > > > > >>> As of the latest daily update, running ClamAV against the EICAR test string
> > > > > > >>> reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> > > > > > >>>
> > > > > > >>> -J
> > > > > >
> > > > > > _______________________________________________
> > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > >
> > > > > > http://www.clamav.net/contact.html#ml

--
---
Dave Raynor
Talos Security Intelligence and Research Group
dray...@sourcefire.com
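
Added example, not part of the original thread or of the ClamAV project: a shell function that reads `clamscan --debug` output and reports whether a signature such as Win.Trojan.Trojan-605 was ignored, or which of the causes named in the reply above (daily database not loaded, ignore entry absent) applies. The sample logs are constructed from the debug lines quoted in the message, and the verdict strings are hypothetical names.

```shell
#!/bin/sh
# Added example: classify `clamscan --debug` output for one signature name.
# Live use (libclamav debug messages go to stderr, hence 2>&1):
#   clamscan --debug FILE 2>&1 | check_ignore Win.Trojan.Trojan-605
# The verdict strings are hypothetical names chosen for this example.

check_ignore() {
    sig=$1
    log=$(cat)    # whole debug log from stdin

    # 1. The engine reported skipping this exact signature name.
    if printf '%s\n' "$log" |
        awk -v s="$sig" '/LibClamAV debug: Ignoring signature/ && $NF == s { f = 1 } END { exit !f }'
    then
        echo ignored
    # 2. daily.cvd/daily.cld never loaded: check file permissions and database path.
    elif ! printf '%s\n' "$log" | grep -Eq 'LibClamAV debug: .*daily\.c[lv]d loaded$'; then
        echo daily-not-loaded
    # 3. Daily loaded, but no daily.ign/daily.ign2 load was logged.
    elif ! printf '%s\n' "$log" | grep -Eq 'LibClamAV debug: daily\.ign2? loaded$'; then
        echo ignore-list-not-loaded
    # 4. Ignore lists loaded but lack this name: the daily predates the ignore entry.
    else
        echo no-ignore-entry
    fi
}

# Constructed sample logs, modelled on the debug lines quoted in the thread.
sample_ok() {
    cat <<'EOF'
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
LibClamAV debug: main.ndb loaded
EOF
}

sample_no_daily() {
    cat <<'EOF'
LibClamAV debug: main.ndb loaded
EOF
}

sample_ok | check_ignore Win.Trojan.Trojan-605        # ignored
sample_no_daily | check_ignore Win.Trojan.Trojan-605  # daily-not-loaded
```

The name is compared as a whole field, so a longer signature name that merely starts with the same text does not count as a match.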