[clamav-users] how to avoid false positive in clamAV

Al Varnell alvarnell at mac.com
Wed Apr 5 05:25:53 EDT 2017


Not sure where on the internet you found these instructions, but I believe they are old. The new way is to use the ".ign2" extension containing <SignatureName> for signatures to be completely ignored and an ".fp" file with <MD5>:<FileSize>:<Comment> for individual files to be ignored so that the signature will still pick up any actual infected files.

Perhaps this site will help <http://pig.made-it.com/clamav.html>

-Al-

On Wed, Apr 05, 2017 at 01:49 AM, Gaurav Kumar Garg wrote:
> 
> Hi ClamAV user, developer,
> 
> I am new to ClamAV. I like its design.
> 
> While scanning I saw a few false positive viruses. I searched on the internet and found out that I can avoid these false positives by writing the md5 sum to a local.ign file and putting this file in the /var/lib/clamav/* directory, then restarting the clamd daemon.
> 
> 
> It's partially working, meaning it works when I scan the false positive file with clamscan -d and it does not work with clamdscan.
> 
> 
> Steps for creating local.ign file:
> 
> 
> $ sigtool --md5  my_file_name.exe >> local.ign
> 
> 
> After that I put this file in the /var/lib/clamav/* directory and restarted the clamd daemon.
> 
> 
> When I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe then it does not report the false positive; it works perfectly.
> 
> 
> But when I scan this file using clamdscan, it still reports the false positive.
> 
> 
> Could anyone help me with avoiding this false positive?
> 
> 
> I cannot submit my false positive file because of some business ethics and compliance.
> 
> 
> Thank you in advance,
> 
> 
> Regards,
> 
> Gaurav