clamav-users January 2014 archive

[clamav-users] False positive - CRDF.Malware-Generic.3661413036.UNOFFICIAL

From: Tomala Pawel <Pawel.Tomala_at_nospam>
Date: Tue Jan 14 2014 - 12:53:20 GMT
To: "clamav-users-bounces@lists.clamav.net" <clamav-users-bounces@lists.clamav.net>

Hello,

I found a problem with a false positive for the malware signature CRDF.Malware-Generic.3661413036.UNOFFICIAL. I wanted to decode and bypass this signature, but it looks like this can be an image signature or another type of signature.

/usr/local/sbin/clamav-unofficial-sigs.sh -d

Input a third-party signature name to decode (e.g: Sanesecurity.Junk.15248) or
a hexadecimal encoded data string and press enter (do not include '.UNOFFICIAL'
in the signature name nor add quote marks to any input string):

CRDF.Malware-Generic.3661413036

Signature 'CRDF.Malware-Generic.3661413036' could not be found.

This script will only decode ClamAV 'UNOFFICIAL' third-Party,
non-image based, signatures as found in the *.ndb databases.

Finally I found where this signature is located:

/var/lib/clamav/clamav-unofficial-sigs/ss-dbs#
/var/lib/clamav/clamav-unofficial-sigs/ss-dbs# grep CRDF.Malware-Generic.3661413036 *
sigwhitelist.ign2:CRDF.Malware-Generic.3661413036
/var/lib/clamav/clamav-unofficial-sigs/ss-dbs# ls -la sigwhitelist.ign2*
-rw-r--r-- 1 clamav clamav 4598 Jan 14 10:33 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav 72 Jan 14 10:33 sigwhitelist.ign2.sig

Does someone know how I can bypass this signature? Which command?

Thanks in advance!

Pawel

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
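As an added example that is not part of this thread and not the clamav-unofficial-sigs.sh script itself, the two lookups the post performs by hand, written in Python: parsing .ndb entries (Name:TargetType:Offset:HexSignature) and decoding the hex body the way the script's -d option does for non-image signatures, and checking .ign2 whitelist files, which list one signature name per line. The two database strings below are constructed sample data; only the CRDF signature name is taken from the post.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample databases (real ones live under /var/lib/clamav).
# .ndb fields: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# TargetType 0 = any file, 3 = normalised HTML.
SAMPLE_NDB = """\
Sanesecurity.Junk.Example:0:*:7777772e6578616d706c652e636f6d
CRDF.Malware-Generic.Example:3:*:3c73637269707420737263
"""
# .ign2 files simply list signature names (without '.UNOFFICIAL') to ignore.
SAMPLE_IGN2 = "CRDF.Malware-Generic.3661413036\n"

# ClamAV wildcard tokens that must not be hex-decoded: ?? * {n-m} (a|b) [x-y]
WILDCARD = re.compile(r"(\?\?|\*|\{[^}]*\}|\([^)]*\)|\[[^\]]*\])")


def parse_ndb(text: str) -> Dict[str, dict]:
    """Map signature name -> target type, offset and raw hex body."""
    sigs = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or line.startswith("#"):
            continue
        name, target, offset, hexsig = fields[:4]
        sigs[name] = {"target": int(target), "offset": offset, "hex": hexsig}
    return sigs


def decode_hex_signature(hexsig: str) -> str:
    """Turn hex pairs into text, leaving wildcard tokens untouched."""
    out = []
    for token in WILDCARD.split(hexsig):
        if not token:
            continue
        if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) % 2 == 0:
            out.append(bytes.fromhex(token).decode("latin-1"))
        else:
            out.append(token)
    return "".join(out)


def parse_ign2(text: str) -> Set[str]:
    """One signature name per line; blank lines and comments are skipped."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def lookup(name: str, ndb_text: str, ign2_text: str) -> dict:
    """Decode the signature if it is an .ndb entry; report if it is whitelisted."""
    if name.endswith(".UNOFFICIAL"):
        name = name[: -len(".UNOFFICIAL")]
    sig: Optional[dict] = parse_ndb(ndb_text).get(name)
    return {"decoded": decode_hex_signature(sig["hex"]) if sig else None,
            "whitelisted": name in parse_ign2(ign2_text)}
```

For the signature from the post, lookup() reports no .ndb entry to decode (as the script also found) but a match in the .ign2 whitelist, which is the situation the grep output shows.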