[clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

Pavel Řezníček pavel.reznicek at evangnet.cz
Tue Apr 20 09:53:26 UTC 2021


Humm, I’ve restarted my laptop and now the .fp file gets read and the 
detection gets ignored.

How come I need to restart the machine? Is there any service I could 
restart instead?

Pavel

On 17. 04. 21 at 20:55 Richard Graham via clamav-users wrote:
> Very curious!  It seems to work as expected on my Fedora 32 system.  
> If you run clamscan with the --debug option, you can see it load the 
> ".fp" files (all lots and lots of other stuff too!).
>
> $ clamscan --version
> ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
>
> $ cat /var/lib/clamav/xmr-stak-linux.fp
> 2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz
>
> $ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
> /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 12743774
> Engine version: 0.103.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 16.49 MB
> Data read: 1.99 MB (ratio 8.28:1)
> Time: 25.887 sec (0 m 25 s)
> Start Date: 2021:04:17 20:52:21
> End Date:   2021:04:17 20:52:47
>
>
> On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček
> <pavel.reznicek at evangnet.cz> wrote:
>
>     Hello folks,
>
>     I am new to this mailing list. I’ve got a question related to
>     ClamAV’s .fp files. Since I am a Ubuntu user, I asked my question on
>     askubuntu.com:
>     https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2
>
>     Got directed to a ClamAV forum so I am here. Copying my original post.
>
>     My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
>
>     Trying to make ClamAV ignore several files. These are almost
>     cryptocoin miners which I do use. Cryptocoin miners get flagged by
>     most antivirus programs for they can be distributed as malware (using
>     other people’s computers for the attacker’s profit). At the same
>     time, they can be used for a tiny profit by the computer’s user
>     himself, knowing what he is doing. ClamAV also reports the miners as
>     malware and I’d like to teach it to ignore the files I actually use,
>     knowing what I am doing.
>
>     I also want to ignore the files on a per-file basis. Ignoring a whole
>     malware type can be dangerous.
>
>     Well, still no success here.
>
>     Read this manual page: http://pig.made-it.com/clamav.html
>
>     Then this manual page:
>     https://www.clamav.net/documents/allow-list-databases
>
>     Then this: https://www.clamav.net/documents/file-hash-signatures
>
>     In all these documents, they state that all I have to do is:
>
>       * Create a file in the ClamAV database folder (on Ubuntu, it’s
>         /var/lib/clamav) with the .fp extension,
>       * place the file signatures therein, following the format
>         MD5:SIZE:COMMENT, one per line,
>           o MD5 being the MD5 sum of the file,
>           o SIZE being the file size, and
>           o COMMENT being anything, defaulting to the file name.
>
>     However, this blog entry
>     <http://www.draeath.net/blog/it/2016/10/01/ClamAV-Sigfile/>
>     states that the format has to be MD5:SIZE:ID_NAME, where:
>
>       * ID is a 6-digit identifier (can be the current date in the
>         YYMMDD format) and
>       * NAME is the file name *without the extension.*
>
>     Tried to follow even the second, restricted ruleset but to no avail.
>     Clamscan still marks the file as a virus.
>
>     I have got this file:
>
>     clamav at precision-7510:~$ ls -l /var/lib/clamav/*.fp
>     -rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp
>
>     with this content:
>
>     2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
>
>     Then I run clamscan:
>
>     clamav at precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a\ kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
>     /home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND
>
>     ----------- SCAN SUMMARY -----------
>     Known viruses: 8653609
>     Engine version: 0.102.4
>     Scanned directories: 0
>     Scanned files: 1
>     Infected files: 1
>     Data scanned: 7.19 MB
>     Data read: 1.99 MB (ratio 3.61:1)
>     Time: 17.547 sec (0 m 17 s)
>
>     So I still get a detection. What am I doing wrong?
>
>     Cheers,
>     Pavel Řezníček
>
>
>     _______________________________________________
>
>     clamav-users mailing list
>     clamav-users at lists.clamav.net
>     https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
>     Help us build a comprehensive ClamAV guide:
>     https://github.com/vrtadmin/clamav-faq
>
>     http://www.clamav.net/contact.html#ml
>
>