Re: [clamav-users] Usage questions on local.ign2

2016-12-26 Thread Al Varnell

On Mon, Dec 26, 2016 at 08:24 PM, Mark Foley wrote:
> 
> For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some
> genuinely infected files, it also turned up a lot of false positives for
> PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1.
> 
> In searching for a way to block just these specific PUA signatures, I found
> several references on the web to putting these names in
> /var/lib/clamav/local.ign2:
> 
> PUA.Win.Trojan.EmbeddedPDF-1
> PUA.Pdf.Trojan.EmbeddedJavaScript-1
> 
> I found nothing in any of my clamav documentation mentioning this file (I'm
> running 0.99.2). However, that local.ign2 file did work. 
>  
> Question 1: is the use of this file officially documented anywhere? Likewise for
> another file mentioned, whitelist.ign2?

It’s in the signatures.pdf documentation, para 3.9. You can call it anything 
you want as long as the file extension is “.ign2”.

> Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
> this local.ign2 file to exclude these signatures?

Yes.

> Question 3: Given the recent dialog in this list about false positives, could
> the Win.Trojan.Toa- signatures be added to this file for at least temporary
> ignoring?

They can (and have been for ClamXav) but given that these are being dropped as 
we speak, it’s probably not worth the effort.

> I tried adding the several distinct ones found on my system and, upon
> starting clamscan, got the errors:
> 
> LibClamAV Error: cli_loadign: No signature name provided
> LibClamAV Error: cli_loadign: Problem parsing database at line 17
> LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
> LibClamAV Error: cli_loaddbdir(): error loading database
> /var/lib/clamav/local.ign2
> ERROR: Malformed database
> 
> Further research showed that the format for entries in local.ign2 is
> 
> Repository.Name.Number
> 
> Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work. Not sure what
> the correct syntax would be for these Win.Trojan.Toa culprits, if this mechanism
> would even work for these at all.

That will work, so you must have a typo of some sort at line 17.

-Al-

> 
> Thanks, --Mark
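A quick way to find the offending line that Al points at, as an added example that is not part of the thread or of ClamAV itself: a small pre-check that walks a .ign2 file the way the thread describes the loader working (comment lines start with "#", each remaining line is split on ":" into at most three fields, the plain form is just the signature name, and an empty name triggers "No signature name provided"). The field handling and the allowed-character set are assumptions modelled on the names quoted in the thread; confirm with `clamscan -d` before deploying the file.

```python
"""Pre-check a ClamAV .ign2 file and report the line numbers the loader would reject.

Added example, not ClamAV code. The per-line rules are an approximation of the
0.99-era loader as described in the thread; the real loader is the final word.
"""
import re
from typing import List, Tuple

# Assumed signature-name alphabet, based on names quoted in the thread such as
# PUA.Pdf.Trojan.EmbeddedJavaScript-1 and Win.Trojan.Toa-5366523-0.
SIGNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def check_ign2(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means the file looks loadable."""
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):
            continue                        # comment line, skipped by the loader
        line = raw.rstrip(" \r\n")          # only trailing blanks are stripped
        fields = line.split(":", 2)         # at most three fields; last keeps the rest
        if len(fields) == 1:
            signame = fields[0]             # plain form: the signature name alone
        elif len(fields) == 2:
            signame = fields[0]             # name:hash form
        else:
            signame = fields[2]             # legacy three-field form, name is last
        if signame == "":
            problems.append((lineno, "No signature name provided (blank line?)"))
        elif not SIGNAME_RE.match(signame):
            problems.append((lineno, f"suspicious characters in {signame!r}"))
    return problems


# Constructed sample: the two PUA names from the thread, a line containing only
# spaces (the classic cause of "No signature name provided"), a valid Toa entry,
# and a Toa entry with a stray space where the hyphen belongs.
SAMPLE_IGN2 = (
    "# local overrides\n"
    "PUA.Win.Trojan.EmbeddedPDF-1\n"
    "PUA.Pdf.Trojan.EmbeddedJavaScript-1\n"
    "   \n"
    "Win.Trojan.Toa-5366523-0\n"
    "Win.Trojan.Toa 5366523-0\n"
)

if __name__ == "__main__":
    for lineno, msg in check_ign2(SAMPLE_IGN2):
        print(f"line {lineno}: {msg}")
```

Run it against the real /var/lib/clamav/local.ign2 by reading the file into `check_ign2`; the reported line numbers line up with the "Problem parsing database at line N" message.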


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

[clamav-users] Usage questions on local.ign2

2016-12-26 Thread Mark Foley
For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some
genuinely infected files, it also turned up a lot of false positives for
PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. 

In searching for a way to block just these specific PUA signatures, I found
several references on the web to putting these names in
/var/lib/clamav/local.ign2:

PUA.Win.Trojan.EmbeddedPDF-1
PUA.Pdf.Trojan.EmbeddedJavaScript-1

I found nothing in any of my clamav documentation mentioning this file (I'm
running 0.99.2). However, that local.ign2 file did work. 

Question 1: is the use of this file officially documented anywhere? Likewise for
another file mentioned, whitelist.ign2?

Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
this local.ign2 file to exclude these signatures?

Question 3: Given the recent dialog in this list about false positives, could
the Win.Trojan.Toa- signatures be added to this file for at least temporary
ignoring? I tried adding the several distinct ones found on my system and, upon
starting clamscan got the errors:

LibClamAV Error: cli_loadign: No signature name provided
LibClamAV Error: cli_loadign: Problem parsing database at line 17
LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database
/var/lib/clamav/local.ign2
ERROR: Malformed database

Further research showed that the format for entries in local.ign2 is

Repository.Name.Number

Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work.  Not sure what
the correct syntax would be for these Win.Trojan.Toa culprits, if this mechanism
would even work for these at all. 

Thanks, --Mark