>-----Message d'origine----- >De : sanesecurity-bounce@xxxxxxxxxxxxx >[mailto:sanesecurity-bounce@xxxxxxxxxxxxx]De la part de Bill Landry >Envoyé : mercredi 20 mai 2009 15:31 >À : sanesecurity@xxxxxxxxxxxxx >Objet : [sanesecurity] Re: Deletion of local.ign > > >Steve Basford wrote: >>> The local.ign entries are really meant to be a very >short-term option to >>> bypass a signature until the signature writer can either modify the >>> signature or remove it from the particular signature database. >> >> Hi Bill, >> >> Most of the Sanesecurity signatures have a static ref. >number, apart from >> the jurlbl(a).ndb and spear.ndb databases, which will >change, as they are >> dynamically produced. > >BTW, Steve, what happens if you remove, for example, a signature from >junk.ndb at line 50 due to it causing too many false-positives? If >junk.ndb contains 1000 signatures (again, just an example), >doesn't that >change the "ref. number", which is really the "line number" as I >recently leaned from reviewing the ClamAV webinar on signature making. > >Thus, if the signature "line" does not match the actual signature >placement in the database file, even if everything else >matches, it will >not whitelist the signature. > >Thus, if a *.ign entry looks like this: > > winnow_spam_complete.ndb:24:winnow.spam.ts.xmailer.hc.8 > >but "winnow.spam.ts.xmailer.hc.8" no longer resides at line 24, even >though the signature name is still in the database, and still matches >the name exactly, if ClamAV does not find this signature name >exactly at >line 24 in the database, it will not bypass the signature. > >I was surprised by this when I watched the webinar, so that's why I >consider an local.ign entry to be very short-lived. > >Bill > Strange method to 'index' on line number :-/ Did you ask Clam Team about this problem ?