Difference between revisions of "Virus False Positive"
(Created page with "CanIt uses Clam Antivirus as the primary method for detecting viruses within attachments. ClamAV works by looking for known Virus Signatures, a certain segment of code that ca...") |
(→Decoding a ClamAV Signature) |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
CanIt uses Clam Antivirus as the primary method for detecting viruses within attachments. ClamAV works by looking for known Virus Signatures, a certain segment of code that can be used to identify the specific malicious behaviour. This method will in, rare instances, provide false-positives if a signature was wrongly or poorly identified. | CanIt uses Clam Antivirus as the primary method for detecting viruses within attachments. ClamAV works by looking for known Virus Signatures, a certain segment of code that can be used to identify the specific malicious behaviour. This method will in, rare instances, provide false-positives if a signature was wrongly or poorly identified. | ||
| + | |||
| + | ==Decoding a ClamAV Signature== | ||
| + | |||
| + | Before taking any steps to remove or ignore a signature you should first determine whether it is, in fact, overly aggressive. From the command line of a CanIt appliance or any other Linux machine with ClamAV installed you can run: | ||
| + | |||
| + | sigtool --find-sigs=Sanesecurity.Virus.Code.### | sigtool --decode | ||
| + | |||
| + | For example: | ||
| + | |||
| + | # sigtool --find-sigs=Sanesecurity.Phishing.Fake.26397 | sigtool --decode | ||
| + | VIRUS NAME: Sanesecurity.Phishing.Fake.26397 | ||
| + | TARGET TYPE: HTML | ||
| + | OFFSET: * | ||
| + | DECODED SIGNATURE: | ||
| + | unusual activity on your paypai | ||
==Request Removal== | ==Request Removal== | ||
| Line 21: | Line 36: | ||
/etc/init.d/clamav-daemon force-reload | /etc/init.d/clamav-daemon force-reload | ||
| + | |||
| + | <div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div> | ||
| + | [[category:All]][[category:Security]][[category:Configuration]][[category:Antivirus]] | ||
Latest revision as of 15:16, 21 April 2017
CanIt uses Clam Antivirus as the primary method for detecting viruses within attachments. ClamAV works by looking for known Virus Signatures, a certain segment of code that can be used to identify the specific malicious behaviour. This method will in, rare instances, provide false-positives if a signature was wrongly or poorly identified.
Decoding a ClamAV Signature
Before taking any steps to remove or ignore a signature you should first determine whether it is, in fact, overly aggressive. From the command line of a CanIt appliance or any other Linux machine with ClamAV installed you can run:
sigtool --find-sigs=Sanesecurity.Virus.Code.### | sigtool --decode
For example:
# sigtool --find-sigs=Sanesecurity.Phishing.Fake.26397 | sigtool --decode VIRUS NAME: Sanesecurity.Phishing.Fake.26397 TARGET TYPE: HTML OFFSET: * DECODED SIGNATURE: unusual activity on your paypai
Request Removal
The source that ClamAV uses to aggregate these signatures is SaneSecurity. You can report the false-positive to them at this address:
http://sanesecurity.com/support/false-positives/
Manual Removal (CanIt-Pro and Domain-Pro only)
If you'd like ClamAV to ignore specific virus signatures, this needs to be defined an all machines as follows:
Append to local 'ignore' file, where 'Sanesecurity.Virus.Code.###' is the name of the signature as defined in the "detail=" header of the false-positive:
echo 'Sanesecurity.Virus.Code.###' >> /var/lib/clamav/local.ign2
Restore ownership of the 'ignore' file to the clamav user:
chown clamav:clamav /var/lib/clamav/local.ign2
Restart ClamAV:
/etc/init.d/clamav-daemon force-reload
