[clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

Graeme Fowler G.E.Fowler at lboro.ac.uk
Wed Apr 10 17:21:48 UTC 2019


Thanks; I'm well aware of that.

I can well understand the rationale behind the signature - however it looks like the code is established in normal usage. The user in question requested a more recent copy of the template sheet they work with from the upstream organisation, which too was blocked at the boundary (as I expected).

I'm loath to put it into the ignore list as there's obviously good reason for the sig in the first place; what I can't see is whether any other Clam sites have seen the same issue, hence raising it here.

It may be that the sig is a bit too broad, but equally it may be entirely based on observed malware - and if we've got genuine files using the same code as malware or the other way round, that leaves us in a bit of a pickle.

Graeme

________________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Brent Clark via clamav-users <clamav-users at lists.clamav.net>
Sent: 10 April 2019 13:38
To: ClamAV users ML
Cc: Brent Clark
Subject: Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

To whitelist a specific signature from the database you just add the
signature name into a local file with the .ign2 extension and store it
inside /var/lib/clamav.

i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2

HTH
Regards
Brent Clark