[clamav-users] Usage questions on local.ign2
Mark Foley
mfoley at novatec-inc.com
Tue Dec 27 04:24:23 UTC 2016
For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some
genuinely infected files, it also turned up a lot of false positives for
PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1.
In searching for a way to block just these specific PUA signatures, I found
several references on the web to putting these names in /var/lib/clamav/local.ign2:
PUA.Win.Trojan.EmbeddedPDF-1
PUA.Pdf.Trojan.EmbeddedJavaScript-1
I found nothing in any of my clamav documentation mentioning this file (I'm
running 0.99.2). However, that local.ign2 file did work.
Question 1: is the use of this file officially documented anywhere? Likewise for
another file mentioned, whitelist.ign2?
Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
this local.ign2 file to exclude these signatures?
Question 3: Given the recent dialog in this list about false positives, could
the Win.Trojan.Toa-XXXX signatures be added to this file for at least temporary
ignoring? I tried adding the several distinct ones found on my system and, upon
starting clamscan, got the errors:
LibClamAV Error: cli_loadign: No signature name provided
LibClamAV Error: cli_loadign: Problem parsing database at line 17
LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database
/var/lib/clamav/local.ign2
ERROR: Malformed database
Further research showed that the format for entries in local.ign2 is
Repository.Name.Number
Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work. Not sure what
the correct syntax would be for these Win.Trojan.Toa culprits, if this mechanism
would even work for these at all.
Thanks, --Mark
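As an added example (not from the poster or the ClamAV project): a small Python check to run over a local.ign2 file before clamscan or clamd load it. It assumes the documented .ign2 format of one bare signature name per line with '#' comment lines, and flags what the loader rejects (an empty name, which is the condition the "No signature name provided" error reports) plus stray whitespace and CR line endings; the sample file contents below are constructed.

```python
"""Lint a ClamAV .ign2 ignore list before it is loaded.

Assumed format (ClamAV signatures manual): one signature name per line,
lines starting with '#' are comments. Anything else is reported with the
line number, the same number cli_loadign prints when it gives up.
"""
import re
import sys
from typing import List, Tuple

# Signature names are dotted/dashed tokens such as PUA.Pdf.Trojan.EmbeddedJavaScript-1.
SIGNAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")

# Constructed sample resembling the poster's file; not their actual contents.
SAMPLE_IGN2 = (
    "# local.ign2 (constructed sample)\n"
    "PUA.Win.Trojan.EmbeddedPDF-1\n"
    "PUA.Pdf.Trojan.EmbeddedJavaScript-1\n"
    "\n"                                   # empty line: no signature name
    "Win.Trojan.Toa-5366523-0 \n"          # trailing space
    "Win.Trojan.Toa-5366523-0\r\n"         # CRLF from a Windows editor
)


def lint_ign2(text: str) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Return (problems, names): problems as (line_number, message) pairs,
    names as the signature names the file would ignore."""
    problems, names = [], []
    for lineno, raw in enumerate(text.splitlines(keepends=True), start=1):
        line = raw.rstrip("\n")
        if line.endswith("\r"):
            problems.append((lineno, "CRLF line ending"))
            line = line[:-1]
        if line.startswith("#"):
            continue                       # comment line, skipped by the loader
        if line == "":
            problems.append((lineno, "no signature name provided"))
            continue
        if line != line.strip():
            problems.append((lineno, "surrounding whitespace"))
            line = line.strip()
        if not SIGNAME_RE.match(line):
            problems.append((lineno, "not a bare signature name"))
            continue
        if not line.startswith("PUA."):    # review: this silences a malware detection, not a PUA
            problems.append((lineno, "ignores a non-PUA signature: " + line))
        names.append(line)
    return problems, names


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/clamav/local.ign2"
    found, kept = lint_ign2(open(path, encoding="utf-8", errors="replace").read())
    for lineno, msg in found:
        print(f"{path}:{lineno}: {msg}")
    print(f"{len(kept)} signature name(s) would be ignored")
```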