Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Benny Pedersen
Andreas Schulze wrote on 2013-11-12 09:58: But it looks like clamav does not load/use/recognize all entries: $ clamscan --debug /tmp/falsepositive 2>&1 | grep -e 'local.ign2' -e 'Ignoring signature' LibClamAV debug: /var/lib/clamav/local.ign2 loaded LibClamAV debug: Ignoring signature Eicar-Te

Re: [clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Steve Basford
> clamav@debian-vm-07:~/clamav-devel$ sigtool --find-sigs=Worm.Bagle.H-zip > [main.db] Worm.Bagle.H-zippwd-1 > > What makes this one a special case is the extra " (Clam)" at the end of > the signature name. This is an old sig. Hi Dave, Thanks for the detailed write-up, the issue was a bit confus

Re: [clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread David Raynor
On Tue, Nov 12, 2013 at 7:14 AM, Andreas Schulze wrote: > On 12.11.2013 12:59, Andreas Schulze wrote: > > I found a fantastic fact! > +1 > > other sample message: > $ clamdscan falsepositive falsepositive.ok > /tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND > /tmp/falsepositive.ok: OK > >

Re: [clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Andreas Schulze
On 12.11.2013 12:59, Andreas Schulze wrote: > I found a fantastic fact! +1 other sample message: $ clamdscan falsepositive falsepositive.ok /tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND /tmp/falsepositive.ok: OK --- SCAN SUMMARY --- Infected files: 1 Time: 0.061 sec (0 m 0 s)

[clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Andreas Schulze
On 12.11.2013 12:39, Andreas Schulze wrote: > > > We added a file "local.ign2" containing one line: "Worm.Bagle.H-zippwd-1" > > > clamscan called again and - nothing changed. Still marked as virus... > > > Any hints/ideas? I found a fantastic fact! For testing I have the message as flat file in /

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Andreas Schulze
On 12.11.2013 10:06, Steve Basford wrote: > > > We added a file "local.ign2" containing one line: "Worm.Bagle.H-zippwd-1" > > clamscan called again and - nothing changed. Still marked as virus... > > Any hints/ideas? > > Hi Andreas, > > Make sure you don't have a space at the end of the sig nam

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Steve Basford
> We added a file "local.ign2" containing one line: "Worm.Bagle.H-zippwd-1" > clamscan called again and - nothing changed. Still marked as virus... > Any hints/ideas? Hi Andreas, Make sure you don't have a space at the end of the sig name in the .ign2 file: "Sanesecurity.Malware.22454.ZipHeur"

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Andreas Schulze
On 11.11.2013 21:15, Benny Pedersen wrote: > report them to sanesecurity maillist, not clamav maillist since it's > unofficial sigs :) Benny, that's not the point here. In fact a feature does not work as expected. This must be discussed here. Funny, I just have the same issue here! We get messag