
Learn how to whitelist signatures for ClamAV antivirus - Step-by-Step Guide



Why whitelist signatures?


Sometimes ClamAV and third-party signatures generate false positives: a harmless file is detected as malware.

To correct this problem, you have to whitelist the signature.

How to whitelist a signature?


You need to create a .ign2 file in the ClamAV database directory (usually /var/lib/clamav). In this file, you just have to write the name of the offending signature. Here is an example:

Whitelisting a signature from the official ClamAV database

The file is detected as malware

clamscan -i /tmp/file.ext
/tmp/file.ext: CVE_2012_0773-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

Creation of the whitelist file

echo "CVE_2012_0773-2" >> /var/lib/clamav/my_whitelist.ign2

Restart Clamav

/etc/init.d/clamav-daemon restart

Test again to verify the whitelist

clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

The file is no longer considered malware.



Whitelisting a signature from third party signatures

The file is detected as malware

clamscan -i /tmp/file.ext
/tmp/file.ext: SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

Creation of the whitelist file without the .UNOFFICIAL suffix

echo "SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885" >> /var/lib/clamav/my_whitelist.ign2

Restart Clamav

/etc/init.d/clamav-daemon restart

Test again to verify the whitelist

clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

The file is no longer considered malware.

Whitelisting a YARA signature

The file is detected as malware

clamscan -i /tmp/file.ext
/tmp/file.ext: YARA.SecuriteInfo_VBA_Exec_1.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

Creation of the whitelist file without the .UNOFFICIAL suffix and the YARA. prefix

echo "SecuriteInfo_VBA_Exec_1" >> /var/lib/clamav/my_whitelist.ign2

Restart Clamav

/etc/init.d/clamav-daemon restart

Test again to verify the whitelist

clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

The file is no longer considered malware.
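As an added example (not code from the original article), here is a small POSIX shell helper that turns a clamscan FOUND line into the .ign2 entry the three cases above require, stripping the .UNOFFICIAL suffix and the YARA. prefix, and appends it to the whitelist only once. The paths in the trailing usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. File paths are assumptions.

# found_name LINE -> prints the detection name from a "path: NAME FOUND" line,
# nothing for lines that are not detections (e.g. "path: OK")
found_name() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p'
}

# ign2_name DETECTION -> prints the name as it must appear in the .ign2 file
#   "YARA.SecuriteInfo_VBA_Exec_1.UNOFFICIAL" -> "SecuriteInfo_VBA_Exec_1"
#   "CVE_2012_0773-2"                         -> "CVE_2012_0773-2"
ign2_name() {
    name=$1
    name=${name%.UNOFFICIAL}   # third-party signatures carry this suffix
    name=${name#YARA.}         # YARA rules are reported with this prefix
    printf '%s\n' "$name"
}

# whitelist_add DETECTION FILE -> appends the normalised name to FILE unless it
# is already listed; returns 0 when added, 1 when it was already present
whitelist_add() {
    sig=$(ign2_name "$1")
    file=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$sig" "$file"; then
        return 1
    fi
    printf '%s\n' "$sig" >> "$file"
}

# Usage on a real host (assumed paths): take the FOUND line from clamscan,
# whitelist it, then restart the daemon so clamd reloads its database.
# det=$(found_name "$(clamscan -i /tmp/file.ext | grep ' FOUND$')")
# whitelist_add "$det" /var/lib/clamav/my_whitelist.ign2 \
#     && /etc/init.d/clamav-daemon restart
```

An .ign2 entry disables the named signature for every file scanned on that host, so use it only when the signature itself is wrong, not merely one file.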


© 2000-2023 - All rights reserved SecuriteInfo.com