[sanesecurity] Re: Deletion of local.ign

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Wed, 20 May 2009 06:10:30 -0700

Steve Basford wrote:
>> The local.ign entries are really meant to be a very short-term option to
>> bypass a signature until the signature writer can either modify the
>> signature or remove it from the particular signature database.
> 
> Hi Bill,
> 
> Most of the Sanesecurity signatures have a static ref. number, apart from
> the jurlbl(a).ndb and spear.ndb databases, which will change, as they are
> dynamically produced.
> 
> As an extra note, the local.ign can also whitelist official signatures too.
> 
> For example, I've had an FP in main.cvd, which I whitelisted in a
> local.ign file.

Better to use daily.ign for whitelisting official signatures.

> As the main.cvd file doesn't get updated that often.. you'd want to keep a
> local.ign file for more than 24hrs.

Again, better to use daily.ign for these.  I consider local.ign to be
used only for third-party (unofficial) clamav signatures, but that may
just be me.

> For me, there should be an option to remove the local.ign file (default:
> off) and then perhaps a configurable time frame, when the setting is set
> to on.
> 
> Certainly worth bringing up the issue though..

Yep, I'll wait to see what others think...

Thanks,

Bill
