Difference between revisions of "Virus False Positive"

From Roaring Penguin
(Manual Removal (CanIt-Pro and Domain-Pro only))
(Manual Removal (CanIt-Pro and Domain-Pro only))
Line 23: Line 23:
  
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
[[category:All]][[category:Security]][[category:Configuration]]
+
[[category:All]][[category:Security]][[category:Configuration]][[category:Antivirus]]

Revision as of 14:31, 15 November 2016

CanIt uses Clam Antivirus (ClamAV) as the primary method for detecting viruses within attachments. ClamAV works by looking for known virus signatures: segments of code that can be used to identify specific malicious behaviour. In rare instances, this method will produce false positives if a signature was wrongly or poorly identified.

Request Removal

The source that ClamAV uses to aggregate these signatures is SaneSecurity. You can report the false-positive to them at this address:

 http://sanesecurity.com/support/false-positives/

Manual Removal (CanIt-Pro and Domain-Pro only)

If you'd like ClamAV to ignore specific virus signatures, this needs to be defined on all machines as follows:

Append the signature name to the local 'ignore' file, where 'Sanesecurity.Virus.Code.###' is the name of the signature as defined in the "detail=" header of the false positive:

 echo 'Sanesecurity.Virus.Code.###' >> /var/lib/clamav/local.ign2

Restore ownership of the 'ignore' file to the clamav user:

 chown clamav:clamav /var/lib/clamav/local.ign2

Restart ClamAV:

 /etc/init.d/clamav-daemon force-reload
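
The three steps above as one script, written here as an added example (not Roaring Penguin's or ClamAV's own code). It validates the name, strips the `.UNOFFICIAL` suffix that ClamAV appends when reporting third-party signatures, and appends only if the entry is not already present, so the ignore list stays short and auditable. The function names, the allowed character set and the `IGNORE_FILE` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent, validated version of the manual removal steps.
# Default path is the one given on this page; IGNORE_FILE can be overridden for testing.
IGNORE_FILE="${IGNORE_FILE:-/var/lib/clamav/local.ign2}"

# normalize_sig NAME
# Prints NAME as it should appear in local.ign2, or returns 1 if it does not
# look like a signature name.
normalize_sig() {
    sig=${1%.UNOFFICIAL}   # reported names carry this suffix; the ignore file does not
    case "$sig" in
        # Assumed character set: letters, digits, dot, underscore, hyphen.
        # Rejects empty input, spaces, wildcards and an unfilled '###' placeholder.
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$sig"
}

# add_ignore_sig NAME
# Returns 0 if the entry was added, 2 if it was already present, 1 if rejected.
add_ignore_sig() {
    sig=$(normalize_sig "$1") || { echo "rejected: '$1'" >&2; return 1; }
    # -F fixed string, -x whole line: the dots in the name are not regex wildcards.
    if [ -f "$IGNORE_FILE" ] && grep -Fxq -- "$sig" "$IGNORE_FILE"; then
        return 2
    fi
    printf '%s\n' "$sig" >> "$IGNORE_FILE"
}

# When called with a signature name (as root, on each machine), also restore
# ownership and reload ClamAV, using the commands from this page.
if [ "$#" -ge 1 ]; then
    add_ignore_sig "$1"; rc=$?
    [ "$rc" -eq 1 ] && exit 1
    chown clamav:clamav "$IGNORE_FILE"
    # Reload only when the file actually changed.
    [ "$rc" -eq 0 ] && /etc/init.d/clamav-daemon force-reload
    exit 0
fi
```

Each entry in the ignore file disables that signature for all mail scanned on that machine, so remove the entry once the upstream false-positive report has been resolved.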