[clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Asok Kumar via clamav-users
I am using ClamAV version 0.101.3 with the parameters below, and I get
Heuristics.Limits.Exceeded FOUND because I have enabled it in scanning.
How do I add specific files to the whitelist?

Please see below to get an idea of what I am talking about.
I want to whitelist opera_browser.dll and Skype.exe.


X:\ClamAV>clamscan --memory --bell -i --detect-pua=yes ^
  --include-pua=Packed,PwTool,NetTool,P2P,IRC,RAT,Tool,Spy,Server,Script ^
  --database=.\Data --tempdir=%TEMP% --recursive=yes --allmatch=yes ^
  --bytecode=yes --bytecode-unsigned=yes --detect-pua=yes ^
  --detect-structured=yes --scan-mail=yes --phishing-sigs=yes ^
  --phishing-scan-urls=yes --heuristic-alerts=yes ^
  --heuristic-scan-precedence=no --normalize=yes --scan-pe=yes ^
  --scan-elf=yes --scan-ole2=yes --scan-pdf=yes --scan-swf=yes ^
  --scan-html=yes --scan-xmldocs=yes --scan-hwp3=yes --scan-archive=yes ^
  --alert-broken=yes --alert-encrypted=yes --alert-encrypted-archive=yes ^
  --alert-encrypted-doc=yes --alert-macros=yes --alert-exceeds-max=yes ^
  --alert-phishing-ssl=yes --alert-phishing-cloak=yes ^
  --alert-partition-intersection=yes
Loading virus signature database, please wait... done
 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***

X:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe: Heuristics.Limits.Exceeded FOUND
X:\Users\XX\AppData\Local\Programs\Opera\55.0.2994.59\opera_browser.dll: Heuristics.Limits.Exceeded FOUND
X:\Program Files\Mozilla Firefox\xul.dll: Heuristics.Limits.Exceeded FOUND
X:\Windows\system32\Macromed\Flash\NPSWF64_32_0_0_223.dll: Heuristics.Limits.Exceeded FOUND

 *** Scanned 117 processes - 1070 modules ***
 *** Computer Memory Scan Completed ***


--- SCAN SUMMARY ---
Known viruses: 10440489
Engine version: 0.101.3
Scanned directories: 0
Scanned files: 1187
Infected files: 4
Data scanned: 1105.43 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 1491.685 sec (24 m 51 s)

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Noel Jones

On 8/20/2019 11:51 AM, Asok Kumar via clamav-users wrote:
> i am using ClamAV version 0.101.3 and using the parameters below and
> Heuristics.Limits.Exceeded FOUND because i have enabled it in
> scanning. how do i add specific files to the whitelist ?


This should probably be documented better on the website.

To whitelist a specific file, add its SHA1 fingerprint to local.sfp
in the clam database directory (any file that ends with .sfp will work).

To get the fingerprint, use the "sigtool" program included with clam.

sigtool --sha1 filename

This will return a string containing
SHA1:FileSize:filename

Paste the whole string into local.sfp.  You'll probably need to
create the local.sfp file the first time you do this, as it's not
present by default.

clamscan will pick up the change immediately.  If you use clamdscan,
you'll need to reload clamd.

  -- Noel Jones



Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Micah Snyder (micasnyd) via clamav-users
Hi Asok,

I’m extremely curious about the `--memory` you’re using with clamscan.  I’m 
under the impression that is a feature added in some versions of ClamWin – but 
as far as I know, ClamWin hasn’t had a release 0.99.4.  If I may ask, where did 
you get this version of ClamAV?

Regards,
Micah



Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Steve Basford
On 20 August 2019 21:41:30 "Micah Snyder (micasnyd) via clamav-users" wrote:

> Hi Asok,
>
> I’m extremely curious about the `--memory` you’re using with clamscan.  I’m
> under the impression that is a feature added in some versions of ClamWin –
> but as far as I know, ClamWin hasn’t had a release 0.99.4.  If I may ask,
> where did you get this version of ClamAV?

The core engine from clamwin...

http://oss.netfarm.it/clamav/

0.99.4...

http://www.clamwin.com/content/view/18/46/

Cheers,


Steve
Twitter: @sanesecurity



Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Joel Esler (jesler) via clamav-users


> On Aug 20, 2019, at 1:22 PM, Noel Jones  wrote:
> 
> On 8/20/2019 11:51 AM, Asok Kumar via clamav-users wrote:
>> i am using ClamAV version 0.101.3 and using the parameters below and 
>> Heuristics.Limits.Exceeded FOUND because i have enabled it in scanning. how 
>> do i add specific files to the whitelist ?
> 
> This should probably be documented better on the website.

We always welcome contributions to the FAQ ClamAV: 
https://github.com/Cisco-Talos/clamav-faq 


Just a pull request with the content you want to add will be good enough, I can 
pretty it up.



Re: [clamav-users] About ClamAV 0.101.3 builds on AIX6.1

2019-08-20 Thread Tsutomu Oyamada
Hi Micah,

I'm sorry for the slow response.
It was another issue on AIX6.1, but your advice was helpful in AIX7.1.
I was able to build correctly in my environment.

Thank you so much.

Regards,
Tsutomu Oyamada

On Tue, 13 Aug 2019 16:14:48 +
"Micah Snyder (micasnyd) via clamav-users" wrote:

> Hi Tsutomu,
> 
> It looks like you are seeing a similar issue to what these folks had when 
> building libtool on Solaris:
> https://forums.gentoo.org/viewtopic-t-1080858-start-0.html
> 
> Here the user solved it by changing the NM environment variable: 
> https://lists.gnu.org/archive/html/libtool/2012-11/msg00014.html
> 
> Ex:
> NM=/usr/xpg4/bin/nm\ \-p
> export NM
> 
> For Solaris 10 in the past, we've found that if you're not using the OpenCSW 
> tools you need to use gnm (gnu's nm utility).  The same is probably true for 
> AIX.  
> Please install gnm and give this a try (I've made the assumption that it'll 
> install to /usr/local.  Of course adjust the path as needed. I'm not sure if 
> the "-p" argument is required:
> 
> ./configure NM=/usr/local/bin/gnm AR="/usr/bin/ar -X64" LDFLAGS="-maix64 
> -Wl,-bbigtoc -lbsd -lclamav" CFLAGS="-maix64" CXXFLAGS="-maix64" 
> LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd" --prefix=/usr/lib/clamav 
> --exec-prefix=/usr/lib/clamav --bindir=/usr/lib/clamav 
> --sbindir=/usr/lib/clamav --sysconfdir=/etc/clamav --libdir=/usr/lib/clamav 
> --datarootdir=/usr/lib/clamav --with-dbdir=/usr/lib/clamav --disable-clamav 
> --enable-shared --disable-static --disable-zlib-vcheck --with-pcre 
> --with-openssl=/opt/freeware --enable-strni
> 
> Regards,
> Micah 
> 
> On 8/12/19, 10:04 PM, "clamav-users on behalf of Tsutomu Oyamada" wrote:
> 
> Hi, all
> 
> I am trying to build ClamAV 0.101.3 on AIX6.1.
> I did the following procedure, but it fails to make.
> What can I do?
> Excuse me in a long sentence below.
> 
> 1. Download clamav-0.101.3.tar.gz package.
> 2. Extract package.
> 3. Execute configure
> 
> AR="/usr/bin/ar -X64" LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd -lclamav" \
> ./configure CFLAGS="-maix64" CXXFLAGS="-maix64" \
> LDFLAGS="-maix64 -Wl,-bbigtoc -lbsd" --prefix=/usr/lib/clamav \
> --exec-prefix=/usr/lib/clamav --bindir=/usr/lib/clamav \
> --sbindir=/usr/lib/clamav --sysconfdir=/etc/clamav \
> --libdir=/usr/lib/clamav --datarootdir=/usr/lib/clamav \
> --with-dbdir=/usr/lib/clamav --disable-clamav --enable-shared \
> --disable-static --disable-zlib-vcheck --with-pcre \
> --with-openssl=/opt/freeware --enable-strni
> 
> checking for g++... g++
> checking whether the C++ compiler works... yes
> checking for C++ compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C++ compiler... yes
> checking whether g++ accepts -g... yes
> checking build system type... powerpc-ibm-aix6.1.0.0
> checking host system type... powerpc-ibm-aix6.1.0.0
> checking target system type... powerpc-ibm-aix6.1.0.0
> creating target.h - canonical system defines
> checking for a BSD-compatible install... config/install-sh -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... config/install-sh -c -d
> checking for gawk... no
> checking for mawk... no
> checking for nawk... nawk
> checking whether make sets $(MAKE)... yes
> checking for style of include used by make... GNU
> checking whether make supports nested variables... yes
> checking whether UID '0' is supported by ustar format... yes
> checking whether GID '0' is supported by ustar format... yes
> checking how to create a ustar tar archive... gnutar
> checking dependency style of g++... gcc3
> checking whether make supports nested variables... (cached) yes
> checking for gcc... gcc
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking whether gcc understands -c and -o together... yes
> checking dependency style of gcc... gcc3
> checking the archiver (/usr/bin/ar -X64) interface... ar
> checking how to run the C preprocessor... gcc -E
> checking for grep that handles long lines and -e... /usr/bin/grep
> checking for egrep... /usr/bin/grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking minix/config.h usability... no
> checking minix/config.h presence... no
> checking for minix/config.h... no
>

Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Asok Kumar via clamav-users
On Tue, 20 Aug 2019 at 22:51, Eric Tykwinski wrote:
> sigtool --md5 /path_to_file/libeay32.dll >> /var/lib/clamav/whitelist.fp
>
> File Contents:
> 59bde01a3d6a4e3eca97eb01e50fb346:2160112:libeay32.dll

Thank you for a to-the-point and accurate answer; my problem is solved.
Not cribbing about small issues, but shouldn't we be using a more secure hash
algorithm nowadays?



Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Asok Kumar via clamav-users
> Not cribbing about small issues, but shouldn't we be using a more secure
> hash algorithm nowadays?

Found the correct sigtool parameters :)

--md5 [FILES]      Generate MD5 checksum from stdin
                   or MD5 sigs for FILES
--sha1 [FILES]     Generate SHA1 checksum from stdin
                   or SHA1 sigs for FILES
--sha256 [FILES]   Generate SHA256 checksum from stdin
                   or SHA256 sigs for FILES
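
The hash entries discussed in this thread (SHA1 or SHA256 lines in a .sfp file, MD5 lines in a .fp file) match one exact build of a file, so they stop applying as soon as Skype or Opera updates itself. An added example, not from any poster or from the ClamAV project: a Python audit that rebuilds the hash:size:name line and reports entries that are stale or sit in the wrong database type. The function names, status strings and sample file are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# ClamAV convention: .fp holds MD5 entries, .sfp holds SHA1 or SHA256 entries.
# Maps database extension -> {hex digest length: hashlib algorithm name}.
ALGOS = {".fp": {32: "md5"}, ".sfp": {40: "sha1", 64: "sha256"}}

def make_entry(path, algo="sha256"):
    """Build a 'hash:size:name' line in the shape sigtool prints."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}:{len(data)}:{os.path.basename(path)}"

def check_line(line, allowed, files):
    """Classify one allow-list line; files maps entry name -> path on disk."""
    parts = line.strip().split(":", 2)
    if len(parts) != 3 or not re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
        return "malformed"
    digest, size, name = parts
    algo = allowed.get(len(digest))
    if algo is None:
        return "wrong-hash-for-db"
    if name not in files:
        return "no-file"
    cur_digest, cur_size, _ = make_entry(files[name], algo).split(":", 2)
    # "*" is ClamAV's wildcard for an unknown file size.
    fresh = cur_digest == digest.lower() and size in ("*", cur_size)
    return "ok" if fresh else "stale"

def audit(db_name, lines, files):
    """Return one status per line of the database file named db_name."""
    allowed = ALGOS[os.path.splitext(db_name)[1]]
    return [check_line(line, allowed, files) for line in lines]

def demo():
    """Constructed sample: a stand-in Skype.exe that is updated after listing."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Skype.exe")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample v1")
        db = [make_entry(path, a) for a in ("sha1", "sha256", "md5")] + ["junk"]
        before = audit("local.sfp", db, {"Skype.exe": path})
        with open(path, "wb") as fh:
            fh.write(b"constructed sample v2")
        return before, audit("local.sfp", db, {"Skype.exe": path})
```

A "stale" result means the file on disk no longer matches the listed hash, so the entry has to be regenerated from a copy you have verified rather than simply re-hashed in place.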

