Hi.

I am setting up daily scanning and was figuring out how to whitelist based on file signatures, and decided to use the EICAR test files to tune the settings. I used 'sigtool --md5 eicarcom2.zip > falsepossigs.fp' to create the sig to whitelist and proceeded to run test scans, and the results were a little surprising:

eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicarcom2.zip: OK * whitelisted
eicar.com.txt: OK * by association? but why not 'eicar.com' too then?
eicar_com.zip: OK * by association?

This got me scratching my head: whitelisting the double-zipped 'eicar.com' caused the single-zipped one and 'eicar.com.txt' to be whitelisted by association somehow, but not the raw 'eicar.com' file (which is identical to 'eicar.com.txt' except for the name)?

I decided to test further and whitelisted the 'eicar.com' file itself and scanned again. Now the results were predictable: 'eicar.com.txt' also got whitelisted (as it has the same MD5):

eicar.com: OK * whitelisted
eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicar.com.txt: OK * makes sense, same MD5 sum
eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

To round this experiment off I then whitelisted the single-zipped file, and the results were:

eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicar.com.txt: OK * by association? but why not 'eicar.com' too then?
eicar_com.zip: OK * whitelisted

Is this supposed to behave like this? I find it a little strange to whitelist files based on checksums if a whitelisted archive contains that file. Is there maybe some config setting or flag that controls this behavior that I missed?

Thanks in advance

Haukur


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
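The following is an added example and not part of the original post or of ClamAV's code. It reproduces in memory the four files the post scans and emits for each the line that 'sigtool --md5 <file>' prints, which is the .fp/.hdb format "MD5:size:name". The point it makes concrete is that only the hash and size take part in matching and the third field is just a label, so 'eicar.com' and 'eicar.com.txt' share one entry while each zip layer has its own; the plain hash comparison in matches() models a single object only and deliberately does not model how clamscan applies a whitelist to archive members, which is exactly the question raised above. The EICAR string is the public test string; the zip timestamps are fixed so the example is reproducible.

```python
"""Mirror what `sigtool --md5 <file>` prints for a ClamAV .fp entry (MD5:size:name).

Added example, not code from the original post or from ClamAV. The four sample
files from the post are constructed in memory below; nothing is written to disk.
"""
import hashlib
import io
import zipfile

# The 68-byte EICAR anti-virus test string (constructed sample input).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fp_entry(name: str, data: bytes) -> str:
    """Return the line `sigtool --md5 name` would print: MD5:size:name.

    In a .fp (false-positive whitelist) file only the hash and size are compared
    against the scanned object; the third field is the label reported by clamscan.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def zip_bytes(inner_name: str, data: bytes) -> bytes:
    """Wrap data in a single-entry zip with a fixed timestamp (reproducible bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(inner_name, date_time=(2020, 1, 1, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, data)
    return buf.getvalue()


def build_samples() -> dict:
    """The four files from the post, reconstructed in memory (constructed input)."""
    single = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,
        "eicar.com.txt": EICAR,                        # same bytes, different name
        "eicar_com.zip": single,                       # eicar.com zipped once
        "eicarcom2.zip": zip_bytes("eicar_com.zip", single),  # zipped twice
    }


def fp_file(samples: dict) -> str:
    """Concatenate entries the way `sigtool --md5 * > sigs.fp` would."""
    return "".join(fp_entry(name, data) + "\n" for name, data in samples.items())


def matches(fp_text: str, data: bytes) -> bool:
    """Plain hash+size comparison of ONE object against a .fp file.

    This models only how an entry matches a single object. It does not model
    clamscan's handling of archive members, which is the behaviour the post asks about.
    """
    digest, size = hashlib.md5(data).hexdigest(), len(data)
    for line in fp_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        md5_hex, size_str, _label = line.split(":", 2)
        if md5_hex == digest and int(size_str) == size:
            return True
    return False


if __name__ == "__main__":
    samples = build_samples()
    print(fp_file(samples), end="")
    # Whitelisting the raw file covers the renamed copy, but not either zip layer.
    whitelist = fp_entry("eicar.com", samples["eicar.com"])
    for name, data in samples.items():
        print(f"{name}: {'whitelisted' if matches(whitelist, data) else 'not matched'}")
```

Run it to see that 'eicar.com' and 'eicar.com.txt' produce identical hash and size fields and differ only in the label, while 'eicar_com.zip' and 'eicarcom2.zip' each hash differently; a hash whitelist therefore never extends from a file to the archive that contains it, or the other way round, by the hash alone.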
