[clamav-users] Whitelist databases/File whitelist - format?

Andy Ragusa (aragusa) aragusa at cisco.com
Thu May 7 15:51:56 UTC 2020


Hi,

It looks like this issue might be related to https://bugzilla.clamav.net/show_bug.cgi?id=12217.  The problem is a bug in the clamav reporting code where the archive itself is whitelisted, but the contents are not.  This causes the archive to be reported, even though it has been whitelisted.

The clamav team is working on a fix for this, but you could temporarily try unpacking the archive and whitelisting the individual file that is being flagged. However, if the file being flagged is html or javascript, it is possible that it will still not work until 0.103, when the bug is fixed.

Thanks,
Andy



________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Pascal De Meerleer via clamav-users <clamav-users at lists.clamav.net>
Sent: Thursday, May 7, 2020 7:44 AM
To: ClamAV users ML <clamav-users at lists.clamav.net>
Cc: Pascal De Meerleer <pascal.demeerleer at kbc.be>; G.W. Haywood <clamav at jubileegroup.co.uk>
Subject: Re: [clamav-users] Whitelist databases/File whitelist - format?


Hi,

Hopefully this is clearer; it depicts the steps I took:

The file I try to whitelist is the following:
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war

The method I use is:
# sigtool --md5 /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war > /var/lib/clamav/whitelist.fp

The result is:
# cat /var/lib/clamav/whitelist.fp
a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner.war

Scanning the file using clamscan is:
# clamscan -i /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war: Win.Exploit.CVE_2012_1889-16 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6921006
Engine version: 0.102.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 125.63 MB
Data read: 14.14 MB (ratio 8.89:1)
Time: 60.377 sec (1 m 0 s)

OR using clamdscan
# clamdscan /usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
WARNING: Ignoring deprecated option ScanOnAccess at /etc/clamd.d/scan.conf:633
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war: Win.Exploit.CVE_2012_1889-16 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 48.522 sec (0 m 48 s)

Grtz,

Pascal De Meerleer
Systems Engineer Mainframe Platform
Tel. +32 2 448 21 03
IMS Support: imsbox at kbc.be or http://klein/ims_chatbox
KBC Groep NV, KBC H IOB - COMPUTE & STORAGE INFRASTRUCTURE
Egide Walschaertsstraat 3, 2800 Mechelen
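As an added illustration (not part of any message in this thread, and not ClamAV or sigtool code), the Python script below builds .fp lines in the same MD5:size:name layout that `sigtool --md5` produced above, parses a small .fp database, and checks files against it. It assumes that a whitelist entry is matched on the MD5 and size fields only, with the name field acting as a label; the sample files it hashes are constructed in a temporary directory, not Pascal's themedesigner.war. It also shows the point Andy makes about the bug: a hash entry for an archive says nothing about the files inside it, which is why the workaround is to whitelist the flagged member itself.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile

# The one line Pascal posted from his whitelist.fp, used here as a constructed sample database.
SAMPLE_FP = "a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner.war\n"


def fp_line_for_bytes(data: bytes, name: str) -> str:
    """Return MD5:size:name for in-memory data (same layout as `sigtool --md5 <file>`)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def fp_entry(path: str) -> str:
    """Return MD5:size:basename for a file, hashed in chunks so large archives fit in memory."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return f"{h.hexdigest()}:{size}:{os.path.basename(path)}"


def parse_fp(text: str) -> dict:
    """Parse .fp text into {(md5, size): name}; raise on any line that is not MD5:size:name."""
    db = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or len(parts[0]) != 32 or not parts[1].isdigit():
            raise ValueError(f"malformed .fp line {lineno}: {raw!r}")
        try:
            int(parts[0], 16)
        except ValueError:
            raise ValueError(f"non-hex MD5 on .fp line {lineno}: {raw!r}") from None
        db[(parts[0].lower(), int(parts[1]))] = parts[2]
    return db


def is_whitelisted(path: str, db: dict) -> bool:
    """Match on (md5, size) only; the name field is treated as a label (assumption about .fp)."""
    md5, size, _name = fp_entry(path).split(":", 2)
    return (md5, int(size)) in db


def demo() -> dict:
    """Constructed scenario: whitelist a .war (zip) archive, then check the archive,
    a renamed copy, a modified copy and the member file that was packed into it."""
    with tempfile.TemporaryDirectory() as d:
        member = os.path.join(d, "index.html")
        with open(member, "wb") as f:
            f.write(b"<html>constructed sample member</html>\n")
        archive = os.path.join(d, "themedesigner.war")
        with zipfile.ZipFile(archive, "w") as z:
            z.write(member, "index.html")

        db = parse_fp(fp_entry(archive) + "\n")  # the database holds only the archive's hash

        renamed = os.path.join(d, "themedesigner")  # identical bytes, extension dropped
        shutil.copyfile(archive, renamed)
        modified = os.path.join(d, "themedesigner-modified.war")
        shutil.copyfile(archive, modified)
        with open(modified, "ab") as f:
            f.write(b"x")  # one extra byte changes both the MD5 and the size

        return {
            "archive": is_whitelisted(archive, db),    # True
            "renamed": is_whitelisted(renamed, db),    # True: the name is not part of the match
            "modified": is_whitelisted(modified, db),  # False
            "member": is_whitelisted(member, db),      # False: the archive hash does not cover members
        }


if __name__ == "__main__":
    print(fp_line_for_bytes(b"", "empty"))
    for label, hit in demo().items():
        print(f"{label}: {'whitelisted' if hit else 'not whitelisted'}")
```

Running the script prints the entry for an empty input and then the four verdicts from the constructed scenario. The renamed copy still matches, so dropping ".war" from the name field (the thing Ged asks about) is not what blocks the match; the extracted member does not match, because its own MD5 and size are not in the database.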

-----Original Message-----
From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
Sent: Thursday, May 7, 2020 1:27 PM
To: Pascal De Meerleer via clamav-users <clamav-users at lists.clamav.net>
Cc: G.W. Haywood <clamav at jubileegroup.co.uk>
Subject: Re: [clamav-users] Whitelist databases/File whitelist - format?

Hi there,

On Thu, 7 May 2020, Pascal De Meerleer via clamav-users wrote:

> ...
> whitelisting a file themedesigner.war
>
> Creating an md5 signature and writing it to a file with extension .fp
> # sigtool --md5 themedesigner.war
> a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner
> (omitting the last extension, in this case .war)

It is not clear to me from your post exactly what you have done, and I specifically do not understand your comment

"(omitting the last extension, in this case .war)"

Why would you omit it?  Are you expecting to whitelist every file with a name which begins with "themedesigner"?

Have you tried _not_ omitting the file extension?

> Restarting the clamd scan service

Not necessary, you can signal clamd to reload the databases or just wait until something else does it (such as freshclam, or any scan).

> Check if whitelisting found using clamd and clamscan
> In both cases virus is still FOUND, not whitelisted
>
> Any idea what's wrong in my thinking or something I'm missing?

Please make your post much clearer.  What exactly is the name of the database file which you created, where in the filesystem did you put it, and what is the exact content of the database file?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
