On Mon, Dec 26, 2016 at 08:24 PM, Mark Foley wrote:
>
> For my clamscan cron job, I turned on --detect-pua=yes. While it did detect
> some
> genuinely infected files, it also turned up a lot of false positives for
> PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1.
>
> In searching for a way to block just these specific PUA signatures, I found
> several reference on the web to putting these names in
> /var/lib/clamav/local.ign2:
>
> PUA.Win.Trojan.EmbeddedPDF-1
> PUA.Pdf.Trojan.EmbeddedJavaScript-1
>
> I found nothing in any of my clamav documentation mentioning this file (I'm
> running 0.99.2). However, that local.ign2 file did work.
>
> Question 1: is the use of this file officially documented anywhere? Likewise
> for
> another file mentioned, whitelist.ign2?
It’s in the signatures.pdf documentation, para 3.9. You can call it anything
you want as long as the file extension is “.ign2”.
> Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
> this local.ign2 file to exclude these signatures?
Yes.
> Question 3: Given the recent dialog in this list about false positives, could
> the Win.Trojan.Toa- signatures be added to this file for at least
> temporary
> ignoring?
They can (and have been for ClamXav) but given that these are being dropped as
we speak, it’s probably not worth the effort.
> I tried adding the several distinct ones found on my system and, upon
> starting clamscan got the errors:
>
> LibClamAV Error: cli_loadign: No signature name provided
> LibClamAV Error: cli_loadign: Problem parsing database at line 17
> LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
> LibClamAV Error: cli_loaddbdir(): error loading database
> /var/lib/clamav/local.ign2
> ERROR: Malformed database
>
> Further research showed that the format for entries in local.ign2 is
>
> Repository.Name.Number
>
> Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work. Not sure
> what
> the correct syntax would be for these Win.Trojan.Toa culprits, if this
> mechanism
> would even work for these at all.
That will work, so you must have a typo of some sort at line 17.
-Al-
>
> Thanks, --Mark
smime.p7s
Description: S/MIME cryptographic signature
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml