[clamav-users] Whitelist Zip.Suspect.MiscDoubleExtension

Dennis Peterson dennispe at inetnw.com
Thu Sep 25 16:37:58 UTC 2014


The question he asked is whether regex expressions are allowed in the whitelist file. 
I've never looked into it so I don't know, but it seems like it could be a useful 
feature, although extremely easy to abuse.

What he would like to do is replace multiple similar entries that are causing FP's:
Zip.Suspect.ExecutableFax-zippwd-1
Zip.Suspect.ExecutableScan-zippwd-1
Zip.Suspect.ExecutablePhoto-zippwd-1
Zip.Suspect.ExecutableCopy-zippwd
Zip.Suspect.ExecutableProduct-zippwd
Zip.Suspect.ExecutablePhoto-zippwd-2
Zip.Suspect.ExecutablePurchaseOrder-zippwd-3
Zip.Suspect.ExecutableAirfare-zippwd-1
Zip.Suspect.MacroDoubleExtension-zippwd-5
Zip.Suspect.WinDoubleExtension-zippwd-2
Zip.Suspect.MiscDoubleExtension-zippwd-8
Zip.Suspect.FileName-zippwd-4

for a regex: Zip.Suspect.*DoubleExtension* so that one entry whitelists the 
entire class of Zip.Suspect.*DoubleExtension signatures.

The list is small now and not that inconvenient to pull out of the signature 
file. This one is from the current daily.cld file:

   sigtool -ldaily.cld | grep 'Zip\.Suspect'

There may be more in main.cld - I didn't look.

dp
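Pulling the names out of the signature file, as Dennis describes, can be scripted so the
whole class is regenerated after each database update. The script below is an added
example, not code from the thread or from the ClamAV project; it assumes that
`sigtool --list-sigs=FILE` prints one signature name per line and that local.ign2 takes
one name per line, as the quoted documentation says. Print the selected names first, so
you can see exactly which detections the whitelist will disable before merging them.

```shell
#!/bin/sh
# Added example, not from the thread: generate local.ign2 entries for a whole
# class of signatures instead of adding each Zip.Suspect.*DoubleExtension-N
# name by hand. Assumptions: `sigtool --list-sigs=DB` prints one signature
# name per line, and local.ign2 takes one name per line (as quoted above).

# Constructed sample of what `sigtool -ldaily.cld | grep 'Zip\.Suspect'`
# might print; on a real system feed sigs_from_db below into select_sigs.
SAMPLE_SIGS='Zip.Suspect.ExecutableFax-zippwd-1
Zip.Suspect.MacroDoubleExtension-zippwd-5
Zip.Suspect.WinDoubleExtension-zippwd-2
Zip.Suspect.MiscDoubleExtension-zippwd-8
Zip.Suspect.MiscDoubleExtension-1
Zip.Suspect.FileName-zippwd-4'

# The "Zip.Suspect.*DoubleExtension*" wish from the thread as an ERE, kept
# narrower than a bare .* so unrelated Zip.Suspect names are not pulled in.
DOUBLE_EXT_RE='Zip\.Suspect\.[A-Za-z]+DoubleExtension(-[A-Za-z0-9]+)*'

# select_sigs PATTERN: keep stdin lines whose whole text matches PATTERN.
select_sigs() {
    grep -E '^'"$1"'$'
}

# sigs_from_db DBFILE: list every signature name in a .cvd/.cld database.
sigs_from_db() {
    sigtool --list-sigs="$1"
}

# merge_ign2 IGN2FILE: append each stdin name not already in IGN2FILE, so the
# file can be regenerated after every database update without duplicates.
merge_ign2() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    while IFS= read -r sig; do
        [ -n "$sig" ] || continue
        grep -qxF -- "$sig" "$f" || printf '%s\n' "$sig" >> "$f"
    done
}

# Typical use (database directory path is assumed; adjust to your install):
#   sigs_from_db /var/lib/clamav/daily.cld | select_sigs "$DOUBLE_EXT_RE"
#   sigs_from_db /var/lib/clamav/daily.cld | select_sigs "$DOUBLE_EXT_RE" \
#       | merge_ign2 /var/lib/clamav/local.ign2
```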

On 9/25/14 8:52 AM, Alain Zidouemba wrote:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
>
> "To whitelist a specific signature from the database you just add its name
> into a local file called local.ign2 stored inside the database directory."
>
> - Alain
>
> On Thu, Sep 25, 2014 at 11:31 AM, Tim Edwards <tim.edwards at scorm.com> wrote:
>
>> The recent addition of Zip.Suspect.MiscDoubleExtension signatures has been
>> causing a lot of trouble for us, as it keeps getting flagged for completely
>> innocuous files such as foo_handle_pdf.js.
>>
>> I've been adding each signature to our whitelist, such
>> as Zip.Suspect.MiscDoubleExtension-1, Zip.Suspect.MiscDoubleExtension-2,
>> etc.  Is there a simple way to whitelist Zip.Suspect.MiscDoubleExtension-*
>> ?   I tried using a regex in the whitelist file to no avail.
>>
>>
>> Thanks,
>> Tim
>>
>> --
>> Tim
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml