[clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2
Pavel Řezníček
pavel.reznicek at evangnet.cz
Tue Apr 13 15:27:34 UTC 2021
Hello folks,
I am new to this mailing list. I’ve got a question related to ClamAV’s
.fp files. Since I am a Ubuntu user, I asked my question on
askubuntu.com:
https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
Got directed to a ClamAV forum so I am here. Copying my original post.
My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
Trying to make ClamAV ignore several files. These are almost cryptocoin
miners which I do use. Cryptocoin miners get flagged by most antivirus
programs for they can be distributed as malware (using other people’s
computers for the attacker’s profit). At the same time, they can be used
for a tiny profit by the computer’s user himself, knowing what he is
doing. ClamAV also reports the miners as malware and I’d like to teach
it to ignore the files I actually use, knowing what I am doing.
I also want to ignore the files on a per-file basis. Ignoring a whole
malware type can be dangerous.
Well, still no success here.
Read this manual page: http://pig.made-it.com/clamav.html
Then this manual page:
https://www.clamav.net/documents/allow-list-databases
Then this: https://www.clamav.net/documents/file-hash-signatures
In all these documents, they state that all I have to do is:
* Create a file in the ClamAV database folder (on Ubuntu, it’s
/var/lib/clamav) with the .fp extension,
* place the file signatures therein, following the format
MD5:SIZE:COMMENT, one per line,
  o MD5 being the MD5 sum of the file,
  o SIZE being the file size, and
  o COMMENT being anything, defaulting to the file name.
However, this blog entry
<http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/>
states that the format has to be MD5:SIZE:ID_NAME, where:
* ID is a 6-digit identifier (can be the current date in the
YYMMDD format) and
* NAME is the file name *without the extension.*
Tried to follow even the second, restricted ruleset but to no avail.
Clamscan still marks the file as a virus.
I have got this file:
    clamav at precision-7510:~$ ls -l /var/lib/clamav/*.fp
    -rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp
with this content:
    2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
Then I run clamscan:
    clamav at precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a\ kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
    /home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 8653609
    Engine version: 0.102.4
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 7.19 MB
    Data read: 1.99 MB (ratio 3.61:1)
    Time: 17.547 sec (0 m 17 s)
So I still get a detection. What am I doing wrong?
Cheers,
Pavel Řezníček
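The post above describes the MD5:SIZE:NAME layout of a .fp entry. The following is an added example (not from the post, not ClamAV's own code) that builds such an entry from a file's bytes and checks an existing entry against the bytes of the file that is actually handed to clamscan, so a size or hash mismatch between the hashed file and the scanned file shows up before the scan does. The sample bytes are constructed.

```python
import hashlib
import os
import re
from typing import NamedTuple, Optional, Tuple

# One .fp line as described in the post: 32 hex MD5 chars, decimal size, free-form name.
FP_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(.*)$")


class FpEntry(NamedTuple):
    md5: str
    size: int
    name: str


def parse_fp_line(line: str) -> FpEntry:
    """Parse one .fp line; raise ValueError on anything that does not fit the layout."""
    m = FP_LINE.match(line.strip())
    if not m:
        raise ValueError("malformed .fp line: %r" % line)
    return FpEntry(m.group(1).lower(), int(m.group(2)), m.group(3))


def fp_entry_for_bytes(data: bytes, name: str) -> str:
    """Build the .fp line for exactly these bytes, i.e. the file as it will be scanned."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def fp_entry_for_file(path: str, name: Optional[str] = None) -> str:
    """Convenience wrapper: hash a file on disk (hypothetical helper, not a ClamAV tool)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return fp_entry_for_bytes(data, name or os.path.basename(path))


def verify_fp_entry(line: str, data: bytes) -> Tuple[bool, str]:
    """Check an existing entry against the bytes of the file actually scanned.

    Returns (ok, reason). Size is compared first because it is the cheapest
    mismatch to spot, e.g. when the entry was made from foo.tar but the file
    given to clamscan is foo.tar.xz.
    """
    entry = parse_fp_line(line)
    if entry.size != len(data):
        return False, "size mismatch: entry %d, file %d" % (entry.size, len(data))
    digest = hashlib.md5(data).hexdigest()
    if entry.md5 != digest:
        return False, "md5 mismatch: entry %s, file %s" % (entry.md5, digest)
    return True, "entry matches"
```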