[sanesecurity] Re: Deletion of local.ign

  • From: CLEMENT Francis <fclement@xxxxxxxxxxxxxxxx>
  • To: "'sanesecurity@xxxxxxxxxxxxx'" <sanesecurity@xxxxxxxxxxxxx>
  • Date: Wed, 20 May 2009 15:37:12 +0200

>-----Original Message-----
>From: sanesecurity-bounce@xxxxxxxxxxxxx
>[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On behalf of Bill Landry
>Sent: Wednesday, 20 May 2009 15:31
>To: sanesecurity@xxxxxxxxxxxxx
>Subject: [sanesecurity] Re: Deletion of local.ign
>
>
>Steve Basford wrote:
>>> The local.ign entries are really meant to be a very short-term option to
>>> bypass a signature until the signature writer can either modify the
>>> signature or remove it from the particular signature database.
>> 
>> Hi Bill,
>> 
>> Most of the Sanesecurity signatures have a static ref. number, apart from
>> the jurlbl(a).ndb and spear.ndb databases, which will change, as they are
>> dynamically produced.
>
>BTW, Steve, what happens if you remove, for example, a signature from
>junk.ndb at line 50 due to it causing too many false-positives?  If
>junk.ndb contains 1000 signatures (again, just an example), doesn't that
>change the "ref. number", which is really the "line number" as I
>recently learned from reviewing the ClamAV webinar on signature making.
>
>Thus, if the signature "line" does not match the actual signature
>placement in the database file, even if everything else matches, it will
>not whitelist the signature.
>
>Thus, if a *.ign entry looks like this:
>
>   winnow_spam_complete.ndb:24:winnow.spam.ts.xmailer.hc.8
>
>but "winnow.spam.ts.xmailer.hc.8" no longer resides at line 24, even
>though the signature name is still in the database, and still matches
>the name exactly, if ClamAV does not find this signature name exactly at
>line 24 in the database, it will not bypass the signature.
>
>I was surprised by this when I watched the webinar, so that's why I
>consider a local.ign entry to be very short-lived.
>
>Bill
>

Strange method to 'index' on line number :-/
Did you ask the Clam Team about this problem?
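
The stale-entry problem described in the quoted message, as an added example that is not part of the original thread or of ClamAV itself: a small audit that checks each `db:line:signame` entry against the database it points at and reports whether the name still sits on that line. It assumes 1-based line numbers and that the signature name is the first colon-separated field of each database line; the function names, database name and signature names are hypothetical.

```python
"""Audit old-style ClamAV *.ign entries (db:line:signame) for stale line numbers."""

def sig_names(db_text):
    """Map 1-based line number -> signature name (first ':' field of each line)."""
    return {n: line.split(":", 1)[0]
            for n, line in enumerate(db_text.splitlines(), start=1) if line.strip()}

def audit_ign(ign_text, databases):
    """Return (entry, status, actual_line) for each .ign entry.

    status: 'ok'       name sits on the recorded line, entry still applies
            'moved'    name is in the database but on another line
            'missing'  name is no longer in the database
            'no-db'    database text was not supplied
            'bad'      entry is not of the form db:line:signame
    """
    results = []
    for entry in filter(None, (l.strip() for l in ign_text.splitlines())):
        parts = entry.split(":", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            results.append((entry, "bad", None))
            continue
        db, line_no, name = parts[0], int(parts[1]), parts[2]
        if db not in databases:
            results.append((entry, "no-db", None))
            continue
        names = sig_names(databases[db])
        if names.get(line_no) == name:
            results.append((entry, "ok", line_no))
        else:
            actual = next((n for n, s in names.items() if s == name), None)
            results.append((entry, "moved" if actual else "missing", actual))
    return results

# Constructed sample: a 3-line database before and after its first line is
# removed. Signature bodies are placeholders, not real signatures.
DB_BEFORE = "example.sig.a:4:*:aa\nexample.sig.b:4:*:bb\nexample.sig.c:4:*:cc\n"
DB_AFTER = "example.sig.b:4:*:bb\nexample.sig.c:4:*:cc\n"
IGN = "example.ndb:2:example.sig.b\nexample.ndb:1:example.sig.a\n"

if __name__ == "__main__":
    for label, db in (("before", DB_BEFORE), ("after", DB_AFTER)):
        for entry, status, actual in audit_ign(IGN, {"example.ndb": db}):
            print(label, entry, status, actual)
```

Running it after each database update shows which ignore entries have silently stopped applying ("moved") and which can be deleted ("missing").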

