Why whitelist signatures?
Sometimes the official ClamAV signatures and third-party signatures generate false positives: a harmless file is detected as malware. To correct this, you have to whitelist the offending signature.
How to whitelist a signature?
Create a .ign2 file in the ClamAV database directory (usually /var/lib/clamav) and write the name of the offending signature in it, one name per line. Here are three examples:
Whitelisting a signature from the official ClamAV database
The file is detected as malware:
clamscan -i /tmp/file.ext
/tmp/file.ext: CVE_2012_0773-2 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)
Create the whitelist entry:
echo "CVE_2012_0773-2" >> /var/lib/clamav/my_whitelist.ign2
Restart ClamAV:
/etc/init.d/clamav-daemon restart
Test again to verify the whitelist:
clamscan -i /tmp/file.ext
----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)
The file is no longer considered malware.
Whitelisting a third-party signature
The file is detected as malware:
clamscan -i /tmp/file.ext
/tmp/file.ext: SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)
Create the whitelist entry without the .UNOFFICIAL suffix:
echo "SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885" >> /var/lib/clamav/my_whitelist.ign2
Restart ClamAV:
/etc/init.d/clamav-daemon restart
Test again to verify the whitelist:
clamscan -i /tmp/file.ext
----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)
The file is no longer considered malware.
Whitelisting a YARA signature
The file is detected as malware:
clamscan -i /tmp/file.ext
/tmp/file.ext: YARA.SecuriteInfo_VBA_Exec_1.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)
Create the whitelist entry without the .UNOFFICIAL suffix and without the YARA. prefix:
echo "SecuriteInfo_VBA_Exec_1" >> /var/lib/clamav/my_whitelist.ign2
Restart ClamAV:
/etc/init.d/clamav-daemon restart
Test again to verify the whitelist:
clamscan -i /tmp/file.ext
----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)
The file is no longer considered malware.
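The three cases above follow one naming rule: the .ign2 entry is the detection name printed by clamscan, minus the .UNOFFICIAL suffix of third-party signatures and the YARA. prefix of YARA rules. The following shell functions, an added example that is not part of the original page or of ClamAV, apply that rule to clamscan output and append each name once to the whitelist file; the IGN2 path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): derive .ign2 entries from
# clamscan "FOUND" lines and append them to a whitelist file without
# duplicates. IGN2 is an assumed path; adjust it to your database directory.

IGN2="${IGN2:-/var/lib/clamav/my_whitelist.ign2}"

# ign2_name: convert a detection name as printed by clamscan into the form
# expected in a .ign2 file (strip ".UNOFFICIAL" suffix, then "YARA." prefix).
ign2_name() {
    name="$1"
    name="${name%.UNOFFICIAL}"   # third-party signatures carry this suffix
    name="${name#YARA.}"         # YARA rules are reported with this prefix
    printf '%s\n' "$name"
}

# ign2_from_scan: read clamscan output on stdin and print the .ign2 entry
# for every "<path>: <signature> FOUND" line, one per line, deduplicated.
ign2_from_scan() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' | while IFS= read -r sig; do
        ign2_name "$sig"
    done | sort -u
}

# ign2_append: add one signature name to $IGN2 unless it is already listed.
ign2_append() {
    entry="$(ign2_name "$1")"
    if [ -f "$IGN2" ] && grep -qxF -- "$entry" "$IGN2"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$IGN2"
}

# Constructed sample input: the three detections shown on this page.
SAMPLE_SCAN='/tmp/file.ext: CVE_2012_0773-2 FOUND
/tmp/file.ext: SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885.UNOFFICIAL FOUND
/tmp/file.ext: YARA.SecuriteInfo_VBA_Exec_1.UNOFFICIAL FOUND'

# Usage: printf '%s\n' "$SAMPLE_SCAN" | ign2_from_scan
# Then append the chosen names with ign2_append and restart clamd as above;
# clamscan itself reloads the database on every run.
```

The detection name is taken from the last ": " on the line, so file paths containing ": " are still handled.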