Bugzilla – Bug 11896
Whitelisted file is counted as "infected" in clamscan summary
Last modified: 2017-08-24 16:38:35 EDT
From the clamav-users list:

Mark Allan <markjallan@gmail.com>
Aug 12 (2 days ago)
to ClamAV, ClamAV

Hi all

[...]

It's part of Adobe Acrobat and is showing up as Heuristic.PDF.TooManyFilters.

Now the bug-report part. I added the relevant line to a local FP file exclude.fp in the clamav database directory, and it correctly prevents the file from reporting as being infected, however the summary still shows "1 infected file".

$ clamscan ~/Desktop/temp/PDFSigQFormalRep.pdf

----------- SCAN SUMMARY -----------
Known viruses: 7305825
Engine version: 0.99.3-beta1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.22 MB
Data read: 0.45 MB (ratio 0.49:1)
Time: 21.459 sec (0 m 21 s)

Cheers
Possible to mark it whitelisted?
Created attachment 7288
The file reporting Heuristic.PDF.TooManyFilters

Attached is the file referred to in the original report.
Benny,

No, it's not possible to whitelist it properly. If I add it to either an .fp or .sfp whitelist file, I get the output as in the original report - no filename output, but it's still included in the "Infected Files" count in the summary. Approaching it from the other angle and ignoring the sig via an ign2 file doesn't work either because Heuristic-style sigs can't be excluded.
I've added commit 726918859a6b53f8945d611ef0a7217d001b79bb to the internal clam-devel master branch to increase the number of filters allowed before the Heuristic.PDF.TooManyFilters triggers. Additional work is still required to verify and understand why a whitelisted file would still result in an infected file being listed in the summary.
Incorrect infected count fixed in commit 87a6cf95009d42a7f48c9540641f89d170d6d1b1.
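
A check for the symptom reported in this bug, as an added example (not part of the bug report or of ClamAV's code): it compares the "Infected files" count in the scan summary with the files actually listed on `FOUND` lines. The sample outputs, paths and signature names are constructed, and the function name is hypothetical; the `path: signature FOUND` per-file line format is assumed to be clamscan's usual output.

```python
import re

# Constructed sample mirroring the report: no per-file line, yet the summary counts one.
SAMPLE_BUGGY = """\
----------- SCAN SUMMARY -----------
Known viruses: 7305825
Engine version: 0.99.3-beta1
Scanned directories: 0
Scanned files: 1
Infected files: 1
"""

# Constructed sample of a consistent run (paths and signature names are made up).
SAMPLE_OK = """\
/tmp/sample/a.pdf: OK
/tmp/sample/b.pdf: Example.Signature-1 FOUND
/tmp/sample/b.pdf: Example.Signature-2 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
"""

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files:\s*(?P<n>\d+)\s*$")


def check_clamscan_output(text):
    """Return (reported_count, listed_paths, consistent) for one clamscan run."""
    listed = set()
    reported = None
    in_summary = False
    for line in text.splitlines():
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                reported = int(m.group("n"))
        else:
            m = FOUND_RE.match(line)
            if m:
                # A file may be listed on more than one FOUND line; count it once.
                listed.add(m.group("path"))
    if reported is None:
        raise ValueError("no 'Infected files:' line in the scan summary")
    return reported, sorted(listed), reported == len(listed)


if __name__ == "__main__":
    for name, sample in (("buggy", SAMPLE_BUGGY), ("ok", SAMPLE_OK)):
        print(name, check_clamscan_output(sample))
```

A `False` in the third field means the summary count and the listed detections disagree, which is the condition described in this bug.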