
Whitelisting signatures for ClamAV antivirus


Why whitelist signatures?


Sometimes ClamAV and third-party signatures generate false positives: a harmless file is detected as malware.

To correct this problem, you have to whitelist the signature.

How to whitelist a signature?


You need to create a .ign2 file in the ClamAV database directory (usually /var/lib/clamav). In this file, write the name of the offending signature. Here is an example:

Whitelisting an official ClamAV signature

The file is detected as malware

clamscan -i /tmp/file.ext
/tmp/file.ext: CVE_2012_0773-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

Creation of the whitelist file

echo "CVE_2012_0773-2" >> /var/lib/clamav/my_whitelist.ign2

Restart ClamAV

/etc/init.d/clamav-daemon restart

Test again to verify the whitelist

clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

The file is no longer considered malware.



Whitelisting a third-party signature

The file is detected as malware

clamscan -i /tmp/file.ext
/tmp/file.ext: SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

Creation of the whitelist file without the .UNOFFICIAL suffix

echo "SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885" >> /var/lib/clamav/my_whitelist.ign2

Restart ClamAV

/etc/init.d/clamav-daemon restart

Test again to verify the whitelist

clamscan -i /tmp/file.ext

----------- SCAN SUMMARY -----------
Known viruses: 7634245
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.78 MB
Data read: 0.28 MB (ratio 2.80:1)
Time: 0.096 sec (0 m 0 s)

The file is no longer considered malware.
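
The two procedures above can be combined into one helper. This is an added example, not part of the original article: it reads clamscan output, strips the .UNOFFICIAL suffix, and appends each signature name to a .ign2 file only if it is not already listed. The function names sig_names and ign2_add are hypothetical, and the sample output is constructed from the two scans shown above.

```shell
#!/bin/sh
# Added example (not from the original article).
# sig_names and ign2_add are hypothetical helper names.

# sig_names: read clamscan output on stdin and print one .ign2 entry per
# distinct detection. Detection lines look like "<path>: <signature> FOUND";
# summary lines never end in " FOUND", so they are ignored.
sig_names() {
    sed -n 's/^.*: \([^ ][^ ]*\) FOUND$/\1/p' |
        sed 's/\.UNOFFICIAL$//' |   # third-party names are listed without the suffix
        sort -u
}

# ign2_add FILE: append the names read on stdin to FILE, skipping any name
# that is already present as a whole line (safe to run repeatedly).
ign2_add() {
    file=$1
    touch "$file" || return 1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        grep -qxF -- "$name" "$file" || printf '%s\n' "$name" >> "$file"
    done
}

# Constructed sample: the two detection lines from the scans in this article,
# followed by one summary line.
sample='/tmp/file.ext: CVE_2012_0773-2 FOUND
/tmp/file.ext: SecuriteInfo.com.Adware.Skodna.Generic.JA.25338.10539.25885.UNOFFICIAL FOUND
Infected files: 2'

# Show the entries that would be written for the sample.
printf '%s\n' "$sample" | sig_names

# Real use, with the paths from the article:
#   clamscan -i /tmp/file.ext | sig_names | ign2_add /var/lib/clamav/my_whitelist.ign2
```

An .ign2 entry disables the signature for every file scanned, not only the file that triggered it, so review the printed names before appending them.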

SecuriteInfo.com is a French IT security company. We offer a range of hardware solutions and services for securing the data in the information systems of companies and local authorities.
© 2004-2016 - All rights reserved - SecuriteInfo.com