ClamAV: Whitelisting Files

Posted on October 1, 2016

Front Matter

Every time I have to look up how to do this, I have to wade through the internet ignoring well-meaning suggestions to whitelist the virus signature itself, rather than whitelisting the one file that was falsely detected.

There is a distinction between the two, and these instructions are for the (far more specific) latter. A hash-based whitelist entry identifies one exact file by its MD5 and size: if the file contents change (and with them the hash, whether or not the size changes), it will no longer match the whitelist and will again be subject to ClamAV’s scrutiny. Renaming the file alone does not break the match, because the file name is not part of what ClamAV compares. Thus you can be assured that adding a file whitelist entry this way will not leave you vulnerable to other (possibly valid) detections of the same signature on other files.

If you had gone the other way and, say, whitelisted the signature Win.Trojan.Agent-1702043 itself (which ClamAV lets you do by listing the signature name in a .ign2 file), you would then be blind to any real infections matching that signature. It should be self-evident why that is undesirable.

Is it a false positive?

Before you do anything you must be certain the detected file is actually benign. Perhaps the file is one of your own creation, or its digital signature from the vendor is intact (and you trust said vendor)? Maybe you submitted it to a service like VirusTotal and found that ClamAV was one of only a small handful (or perhaps the only one) flagging it as infected. However you do this, you should be reasonably certain before proceeding; a whitelist entry for a file that really is malicious hides exactly the detection you needed.

Right, I’m sure. What do I need?

You need several bits of information on the file to whitelist it:

  • MD5 sum
  • File size in bytes
  • Submission ID (you probably don’t have this, see below)
  • File name with last extension trimmed off (eg foo.bar.exe → foo.bar)
  • Location of your local ClamAV virus database files

If you don’t have a Submission ID (the reference you get back when reporting a false positive to ClamAV), it’s safe to use any 6 digit number: the ID only forms part of the entry’s label, which ClamAV does not match on. I recommend using a date code in the format YYMMDD so you can later tell when and why each entry was added. If you don’t know the location of the local ClamAV virus database, search your system for main.cvd, daily.cvd (or daily.cld), and/or bytecode.cld. You can also check your clamd.conf or freshclam.conf, if you know where those are - the DatabaseDirectory directive in each points at the database directory.

Adding the whitelist entry

You need to edit (you probably need to create it) a file such as sigfile.fp in the same directory that contains the other virus database files (see prior section); the name is up to you, but the extension must be .fp for ClamAV to treat it as a hash whitelist. The format is (one entry per line) as such: MD5:SIZE:ID_NAME, and the file should be plain text with the appropriate line endings for your system. Only the first two fields identify the file and are used for matching; the third field is a free-form name that ClamAV shows but does not match on, so the detected signature name is not part of this specification. For the name, follow the convention above: Submission ID (or date code), an underscore, then the file name with its last extension trimmed off.

As soon as you save this file, you’re done as far as clamscan is concerned, since it loads the database directory fresh on every run. If you scan through clamd, note that it loaded its databases at startup and will only pick up the new file at its next self-check (the SelfCheck interval in clamd.conf) or when you force a reload with clamdscan --reload. Either way, it’s a good idea to rescan the detected file to ensure you got the entry in there correctly (it should pass now). It also may be a good idea to scan an EICAR test file to ensure ClamAV is still functional and did not reject the whole database over a malformed entry (never hurts to be sure!).
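To make the procedure above concrete, here is an added example (my own, not ClamAV’s code and not from the original post) that builds an .fp entry from a file the way the steps describe, parses an .fp file strictly so a typo is caught rather than silently producing an entry that never matches, and then checks files against the entries the way ClamAV does: by MD5 and size only. The demo at the bottom writes a constructed stand-in file, whitelists it, then copies it under a new name and alters one byte, which shows that renaming keeps the match while any content change breaks it. The date code, file names and file contents are all made up for the example.

```python
"""Build and check ClamAV .fp whitelist entries (MD5:SIZE:NAME).

Added example for this post; it is not ClamAV code. It reproduces what a .fp
entry contains and what ClamAV compares (hash and size, not the label), so the
reader can see why renaming a file does not break the whitelist but editing it
does. Paths, labels and the sample file contents below are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def label_for(filename, date_code):
    """Label field in this post's convention: YYMMDD_<name without last
    extension>. Any string would do here; ClamAV does not match on it."""
    stem = os.path.splitext(os.path.basename(filename))[0]  # foo.bar.exe -> foo.bar
    return f"{date_code}_{stem}"


def fp_entry_from_bytes(data, label):
    """One .fp line for the given file contents."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{label}"


def fp_entry(path, date_code):
    """One .fp line for the file at `path`, labelled per the post's convention."""
    with open(path, "rb") as f:
        return fp_entry_from_bytes(f.read(), label_for(path, date_code))


def parse_fp(text):
    """Parse .fp text into (md5, size, label) tuples, rejecting malformed lines
    so a typo does not silently produce an entry that never matches."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected MD5:SIZE:NAME, got {line!r}")
        md5, size, label = parts
        md5 = md5.lower()
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
            raise ValueError(f"line {lineno}: bad MD5 {md5!r}")
        if not size.isdigit():
            raise ValueError(f"line {lineno}: bad size {size!r}")
        entries.append((md5, int(size), label))
    return entries


def is_whitelisted(path, entries):
    """True if the file's MD5 and size match any entry; the label is ignored."""
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.md5(data).hexdigest()
    return any(md5 == digest and size == len(data) for md5, size, _ in entries)


def demo():
    """Whitelist a constructed file, then copy it under a new name and edit it."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "foo.bar.exe")
        with open(original, "wb") as f:
            f.write(b"hello")  # constructed stand-in for the falsely detected file
        entry = fp_entry(original, "160206")
        entries = parse_fp(entry + "\n")

        renamed = os.path.join(d, "something-else.dll")
        shutil.copyfile(original, renamed)  # same bytes, different name
        modified = os.path.join(d, "foo.bar.exe.patched")
        with open(modified, "wb") as f:
            f.write(b"hellO")  # same size, one byte changed

        return {
            "entry": entry,
            "original": is_whitelisted(original, entries),
            "renamed": is_whitelisted(renamed, entries),
            "modified": is_whitelisted(modified, entries),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the generated entry (5d41402abc4b2a76b9719d911017c592:5:160206_foo.bar for the five-byte constructed file) followed by original: True, renamed: True, modified: False. In practice you would write the output of fp_entry for your real file to the .fp file in the database directory and then rescan with clamscan or clamdscan as described above; the checker here only mirrors ClamAV’s comparison so you can see what the entry does and does not cover.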

Examples

Here are some example whitelist entries I’ve had to add in the past. There’s sometimes a period of time after a new contributor to ClamAV jumps on board where signatures are overly broad, and most of this example file stems from such a period. I highly recommend that you do not use my whitelist below - I am sharing this only as a syntax example. You should only ever add a whitelist entry in response to a false detection. Never blindly add whitelist items from the internet.

690ec676a2f43b512ebf9f5fc347da2e:398248:160206_uninstall
ba539cdb3add086b458ec9f553689afd:69834:160206_uninstall
929b7d846b635959201e30b57190284a:915920:160206_WinPcap_4_1_2
ef90086405ce33b810a5e57f59f206d1:187752:160206_uninstall
ca9a97f36c096f79cc209c8685f24e5a:119890:160206_Uninstall
55b8e85efd9731d7b9d5f5f7e4de5a2d:4151536:160206_ir053
1b3c049975cff9ce08ef9687b6ba1a29:13642474:160220_Proof
db48eca546fedd91e2ddcad6bf0c3838:10580992:161001_System.Design.ni

Disclaimer/Copyright

The information, views, and opinions published on this website were done so in the author's personal capacity. The information, views, and opinions expressed in this article are the author's own and do not reflect the view of their employer, or any other entity unless explicitly stated otherwise.

All data and information provided on this site is for informational purposes only. This website and its operators make no representations as to the accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

All original content on this website is, unless explicitly stated otherwise, licensed under the MIT license. Full license text is available here. Non-original content that is included on this website in whole or in part, linked, or otherwise made available remains under copyright of the original owners.