[clamav-users] how to avoid false positive in clamAV
Mark Allan
markjallan at gmail.com
Wed Apr 5 09:16:45 UTC 2017
To whitelist specific files this way, you need to add the md5sum to a file with the .fp extension. So, in your example, it should be:
sigtool --md5 my_file_name.exe >> local.fp
If you want to ignore the signature altogether, you add the signature name to a file with the extension ign2.
For what it's worth, this is on page 23 of the "signatures.pdf" document that ships with the ClamAV source code.
Best regards
Mark
> On 5 Apr 2017, at 9:49 am, Gaurav Kumar Garg <gaurav.garg at uniscon.de> wrote:
>
> Hi ClamAV user, developer,
>
> I am new to ClamAV. I like its design.
>
> While scanning I saw a few false positive viruses. I searched on the internet and found out that I can avoid these false positives by writing the md5 sum to a local.ign file and putting this file in the /var/lib/clamav/* directory, then restarting the clamd daemon.
>
> It's partially working, meaning it works when I scan the false positive file with clamscan -d and it does not work with clamdscan.
>
>
> Steps for creating local.ign file:
>
>
> $ sigtool --md5 my_file_name.exe >> local.ign
>
>
> After that I put this file in the /var/lib/clamav/* directory and restarted the clamd daemon.
>
> When I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe it does not report a false positive; it works perfectly.
>
> But when I scan this file using clamdscan it still reports a false positive.
>
> Could anyone help me with avoiding this false positive?
>
> I cannot submit my false positive file because of business ethics and compliance.
>
>
> Thank you in advance,
>
>
> Regards,
>
> Gaurav