Hi,

It looks like this issue might be related to https://bugzilla.clamav.net/show_bug.cgi?id=12217. The problem is a bug in the clamav reporting code where the archive itself is whitelisted, but the contents are not. This causes the archive to be reported, even though it has been whitelisted.

The clamav team is working on a fix for this, but you could temporarily try unpacking the archive and whitelisting the individual file that is being flagged. However, if the file being flagged is html or javascript it is possible that it will still not work until 0.103, when the bug is fixed.

Thanks,
Andy

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Pascal De Meerleer via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, May 7, 2020 7:44 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Pascal De Meerleer <pascal.demeerl...@kbc.be>; G.W. Haywood <cla...@jubileegroup.co.uk>
Subject: Re: [clamav-users] Whitelist databases/File whitelist - format?

Public

Hi,

Hopefully this is clearer; it depicts the steps I took.

The file I try to whitelist is the following:
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war

The method I use is:
# sigtool --md5 /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war > /var/lib/clamav/whitelist.fp

The result is:
# cat /var/lib/clamav/whitelist.fp
a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner.war

Scanning the file using clamscan is:
# clamscan -i /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war: Win.Exploit.CVE_2012_1889-16 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6921006
Engine version: 0.102.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 125.63 MB
Data read: 14.14 MB (ratio 8.89:1)
Time: 60.377 sec (1 m 0 s)

OR using clamdscan:
# clamdscan /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
WARNING: Ignoring deprecated option ScanOnAccess at /etc/clamd.d/scan.conf:633
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war: Win.Exploit.CVE_2012_1889-16 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 48.522 sec (0 m 48 s)

Grtz,
Pascal De Meerleer
Systems Engineer Mainframe Platform
Tel. +32 2 448 21 03
IMS Support: ims...@kbc.be or http://klein/ims_chatbox
KBC Groep NV, KBC H IOB - COMPUTE & STORAGE INFRASTRUCTURE
Egide Walschaertsstraat 3, 2800 Mechelen

-----Original Message-----
From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
Sent: Thursday, May 7, 2020 1:27 PM
To: Pascal De Meerleer via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <cla...@jubileegroup.co.uk>
Subject: Re: [clamav-users] Whitelist databases/File whitelist - format?

Hi there,

On Thu, 7 May 2020, Pascal De Meerleer via clamav-users wrote:

> ...
> whitelisting a file themedesigner.war
>
> Creating an md5 signature and writing it to a file with extension .fp
> # sigtool --md5 themedesigner.war
> a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner
> (omitting the last extension, in this case .war)

It is not clear to me from your post exactly what you have done, and I specifically do not understand your comment "(omitting the last extension, in this case .war)". Why would you omit it? Are you expecting to whitelist every file with a name which begins with "themedesigner"? Have you tried _not_ omitting the file extension?

> Restarting the clamd scan service

Not necessary, you can signal clamd to reload the databases or just wait until something else does it (such as freshclam, or any scan).

> Check if whitelisting found using clamd and clamscan
> In both cases virus is still FOUND, not whitelisted
>
> Any idea what's wrong in my thinking or something I'm missing?

Please make your post much clearer. What exactly is the name of the database file which you created, where in the filesystem did you put it, and what is the exact content of the database file?

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
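The workaround Andy describes (whitelisting the individual files inside the archive, not only the archive itself), as an added example that is not ClamAV's own code: it builds .fp entries in the md5:size:name format that `sigtool --md5` prints, for a constructed sample archive standing in for themedesigner.war and for each file inside it.

```python
"""Generate ClamAV .fp (false-positive / whitelist) entries for an archive and
for every file it contains. Added example, not ClamAV code; the sample .war is
constructed in memory so the script runs offline."""
import hashlib
import io
import os
import zipfile


def fp_entry(data, name):
    """One .fp line: md5 hex digest, size in bytes, signature name.
    This is the shape `sigtool --md5 <file>` prints, using the file's basename."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data),
                         os.path.basename(name))


def fp_entries_for_archive(archive_bytes, archive_name):
    """Entries for the archive itself plus each regular member inside it.
    Whitelisting the members covers the case in the thread where the archive
    hash is whitelisted but a file embedded in it still triggers a detection."""
    entries = [fp_entry(archive_bytes, archive_name)]
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():          # directory entries have no content to hash
                continue
            entries.append(fp_entry(zf.read(info), info.filename))
    return entries


def build_sample_war():
    """Constructed sample archive (a .war is a zip file); contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>\n")
        zf.writestr("themedesigner/editor.js", "var x = 1;\n")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war()
    # Each line can be appended to a .fp file in the database directory,
    # e.g. /var/lib/clamav/whitelist.fp as used in the thread.
    print("\n".join(fp_entries_for_archive(war, "/tmp/themedesigner.war")))
```

The hash of a member must be taken over the member's uncompressed bytes, which is what `zf.read(info)` returns; hashing the compressed data from the zip would never match what the scanner sees.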