[clamav-users] False positive - CRDF.Malware-Generic.3661413036.UNOFFICIAL

From: Tomala Pawel <Pawel.Tomala_at_nospam>
Date: Tue Jan 14 2014 - 12:53:20 GMT


I found a problem with a false positive, CRDF.Malware-Generic.3661413036.UNOFFICIAL. I wanted to decode and bypass this signature, but it looks like it may be an image signature or another type of signature:

/usr/local/sbin/ -d

Input a third-party signature name to decode (e.g: Sanesecurity.Junk.15248) or
a hexadecimal encoded data string and press enter (do not include '.UNOFFICIAL'
in the signature name nor add quote marks to any input string):


Signature 'CRDF.Malware-Generic.3661413036' could not be found.

This script will only decode ClamAV 'UNOFFICIAL' third-Party,
non-image based, signatures as found in the *.ndb databases.

Finally, I found where this signature is located:

/var/lib/clamav/clamav-unofficial-sigs/ss-dbs# grep CRDF.Malware-Generic.3661413036 *
/var/lib/clamav/clamav-unofficial-sigs/ss-dbs# ls -la sigwhitelist.ign2*
-rw-r--r-- 1 clamav clamav 4598 Jan 14 10:33 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav 72 Jan 14 10:33 sigwhitelist.ign2.sig

Does someone know how I can bypass this signature? Which command?

Thanks in advance!
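The ClamAV mechanism for ignoring a signature, as an added example that is not part of the original post or of the clamav-unofficial-sigs project: ClamAV skips any signature whose bare name (without the .UNOFFICIAL suffix that it appends to signatures loaded from third-party databases) appears one per line in a .ign2 file inside its database directory. The script below adds a name to such a file without creating duplicates, checks whether a name is already listed, and asks clamd to reload its databases when clamdscan is installed. The database directory /var/lib/clamav, the file name local-whitelist.ign2 and the idea of keeping that file outside the updater-managed ss-dbs directory (so the updater cannot overwrite it) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): whitelist a ClamAV signature
# by listing its name in an .ign2 file.
# Assumptions: database directory /var/lib/clamav and a local whitelist file
# named local-whitelist.ign2, kept outside the updater-managed ss-dbs dir.
set -u

CLAMAV_DB_DIR=${CLAMAV_DB_DIR:-/var/lib/clamav}
LOCAL_IGN2=${LOCAL_IGN2:-$CLAMAV_DB_DIR/local-whitelist.ign2}

# ClamAV reports third-party signatures with a trailing ".UNOFFICIAL";
# the .ign2 file holds the bare name, so strip that suffix if present.
normalize_sig() {
    printf '%s\n' "$1" | sed 's/\.UNOFFICIAL$//'
}

# Exit status 0 if the (normalized) name is already in the whitelist file.
is_whitelisted() {
    [ -f "$2" ] && grep -qxF -- "$(normalize_sig "$1")" "$2"
}

# Append the name to the .ign2 file unless it is already there.
# Prints "added" or "present"; returns 1 for an empty or whitespace-containing name.
whitelist_sig() {
    sig=$(normalize_sig "$1")
    file=$2
    case "$sig" in
        ''|*[[:space:]]*)
            echo "invalid signature name: '$1'" >&2
            return 1 ;;
    esac
    touch "$file"
    if grep -qxF -- "$sig" "$file"; then
        echo present
    else
        printf '%s\n' "$sig" >> "$file"
        echo added
    fi
}

# clamd keeps databases in memory; a new .ign2 entry only takes effect
# after a reload. clamscan (one-shot) reads the directory fresh each run.
reload_clamd() {
    if command -v clamdscan >/dev/null 2>&1; then
        clamdscan --reload
    else
        echo "clamdscan not found; restart clamd or reload it manually" >&2
    fi
}

# Optional check: rescan the file that triggered the false positive, loading
# the whole database directory (which now includes the .ign2 file).
rescan_sample() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -d "$CLAMAV_DB_DIR" -- "$1"
    else
        echo "clamscan not found; skipping rescan" >&2
    fi
}

# Usage: ./whitelist.sh SIGNATURE_NAME [FILE_TO_RESCAN]
if [ $# -ge 1 ]; then
    result=$(whitelist_sig "$1" "$LOCAL_IGN2") || exit 1
    echo "$1: $result in $LOCAL_IGN2"
    reload_clamd
    [ $# -ge 2 ] && rescan_sample "$2"
fi
```

Run it as root (or as the clamav user) so the .ign2 file is readable by clamd, and keep the whitelist file out of any directory the updater script rewrites on each run; the name written to the file is the one the scanner prints minus the .UNOFFICIAL suffix.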


