[clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

Richard Graham rickhg12hs at gmail.com
Sat Apr 17 18:55:49 UTC 2021


Very curious!  It seems to work as expected on my Fedora 32 system.  If you
run clamscan with the --debug option, you can see it load the ".fp" files
(and lots and lots of other stuff too!).



$ clamscan --version
ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021



$ cat /var/lib/clamav/xmr-stak-linux.fp
2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz

$ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK

----------- SCAN SUMMARY -----------
Known viruses: 12743774
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 16.49 MB
Data read: 1.99 MB (ratio 8.28:1)
Time: 25.887 sec (0 m 25 s)
Start Date: 2021:04:17 20:52:21
End Date:   2021:04:17 20:52:47


On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček <pavel.reznicek at evangnet.cz>
wrote:

> Hello folks,
>
> I am new to this mailing list. I’ve got a question related to ClamAV’s
> .fp files. Since I am a Ubuntu user, I asked my question on
> askubuntu.com:
>
> https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
>
> Got directed to a ClamAV forum so I am here. Copying my original post.
>
> My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
>
> Trying to make ClamAV ignore several files. These are almost cryptocoin
> miners which I do use. Cryptocoin miners get flagged by most antivirus
> programs for they can be distributed as malware (using other people’s
> computers for the attacker’s profit). At the same time, they can be used
> for a tiny profit by the computer’s user himself, knowing what he is
> doing. ClamAV also reports the miners as malware and I’d like to teach
> it to ignore the files I actually use, knowing what I am doing.
>
> I also want to ignore the files on a per-file basis. Ignoring a whole
> malware type can be dangerous.
>
> Well, still no success here.
>
> Read this manual page: http://pig.made-it.com/clamav.html.
>
> Then this manual page:
> https://www.clamav.net/documents/allow-list-databases.
>
> Then this: https://www.clamav.net/documents/file-hash-signatures.
>
> In all these documents, they state that all I have to do is:
>
>   * Create a file in the ClamAV database folder (on Ubuntu, it's
>     /var/lib/clamav) with the .fp extension,
>   * place the file signatures therein, following the format
>     MD5:SIZE:COMMENT, one per line,
>       o MD5 being the MD5 sum of the file,
>       o SIZE being the file size, and
>       o COMMENT being anything, defaulting to the file name.
>
> However, this blog entry
> (http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/)
> states that the format has to be MD5:SIZE:ID_NAME, where:
>
>   * ID is a 6-digit identifier (can be the current date in the
>     YYMMDD format) and
>   * NAME is the file name *without the extension.*
>
> Tried to follow even the second, restricted ruleset but to no avail.
> Clamscan still marks the file as a virus.
>
> I have got this file:
>
> clamav at precision-7510:~$ ls -l /var/lib/clamav/*.fp
> -rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp
>
> with this content:
>
> 2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
>
> Then I run clamscan:
>
> clamav at precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a\ kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
> /home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8653609
> Engine version: 0.102.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 7.19 MB
> Data read: 1.99 MB (ratio 3.61:1)
> Time: 17.547 sec (0 m 17 s)
>
> So I still get a detection. What am I doing wrong?
>
> Cheers,
> Pavel Řezníček
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
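As an added example, not code from either poster or from the ClamAV project: a small POSIX shell helper that writes .fp allow-list entries in the MD5:SIZE:COMMENT form described in the quoted message, validates that a line is well formed, and checks that a file on disk still matches an entry in a given .fp file. Those checks are the first thing to run when an entry does not suppress a detection, since a hash entry only matches the exact bytes and byte count of the file as scanned. It assumes md5sum from coreutils plus POSIX wc, grep and cut; the file names and the /var/lib/clamav/local.fp path in the comments are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or from the ClamAV project.
# Helpers for ClamAV .fp allow-list entries: MD5:SIZE:COMMENT, one per line.
# Assumes md5sum (coreutils) and POSIX wc/grep/cut. All paths in comments
# below are assumptions for illustration.
set -eu

# fp_entry FILE [COMMENT]: print the .fp line for FILE.
# MD5 is taken over the whole file exactly as it sits on disk, SIZE is the
# byte count, COMMENT defaults to the base name. Keep the comment free of ':'
# because ':' is the field separator in ClamAV signature files.
fp_entry() {
    file=$1
    comment=${2:-$(basename "$file")}
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$comment"
}

# fp_line_ok LINE: exit 0 if LINE is a well-formed entry, 1 otherwise.
# Rejects the usual mistakes: uppercase or truncated hash, a size that is
# not a plain decimal, an empty comment, extra ':' fields, and control
# characters such as the CR of a CRLF line ending.
fp_line_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}:[0-9]+:[^:[:cntrl:]]+$'
}

# fp_check FILE FPFILE: exit 0 if some entry in FPFILE carries FILE's MD5 and
# size, i.e. the allow-list entry really describes the bytes on disk.
fp_check() {
    prefix=$(fp_entry "$1" x | cut -d: -f1,2)
    grep -q "^$prefix:" "$2"
}

# fp_add FILE FPFILE [COMMENT]: append an entry for FILE unless FPFILE
# already has one with the same MD5 and size.
fp_add() {
    if fp_check "$1" "$2" 2>/dev/null; then
        return 0
    fi
    fp_entry "$1" "${3:-}" >> "$2"
}

# Example session (assumed paths; run as a user that may write the db dir):
#   fp_add ./xmr-stak-linux-2.10.5-cpu.tar.xz /var/lib/clamav/local.fp
#   fp_check ./xmr-stak-linux-2.10.5-cpu.tar.xz /var/lib/clamav/local.fp && echo matches
#   clamscan --debug ./xmr-stak-linux-2.10.5-cpu.tar.xz 2>&1 | grep local.fp
# The last line follows the reply above: with --debug, clamscan reports the
# databases it loads, so the file name should appear in the output.
```

If the entry matches (fp_check succeeds) but clamscan still reports the file, the entry is fine and the problem lies elsewhere: check that the .fp file is readable by the scanning user, that clamscan is reading the same database directory (the -d option overrides it), and, for clamd/clamdscan rather than clamscan, that the daemon has reloaded its databases since the file was added.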