clamav-users March 2009 archive

Re: [Clamav-users] ClamAV 0.95rc2 - 1159852 signatures vs sigtool reporting 696491

From: Török Edwin <edwintorok_at_nospam>
Date: Tue Mar 24 2009 - 15:07:53 GMT
To: ClamAV users ML <>

On 2009-03-24 17:04, Bill Landry wrote:
> Török Edwin wrote:
>> For whitelisting you can use either:
>> X:(.+\.)?[/?].*)?:(.+\.)?[/?].*)?
>> Or this one (but it will also whitelist URL mismatches from to
>> anything, not recommended):
>> X:(.+\.)?[/?].*)?:.+
>> Or any other regular expression that whitelists what you want, the
>> format is described in docs/phishsigs_howto.pdf,
>> in this case it is: X:RealURL:DisplayedURL
> Ok, I've reviewed the phishsigs_howto.pdf, but have failed in my efforts
> to create a whitelist entry based on the hash

"whitelist entry based on hash = per-entry whitelisting" I was referring to below, that will be in 0.95.1

> (rather than using a
> regular expression).

The only way (for now) is to use a regular expression.

> Here are the relevant lines from --debug output:
> ===
> LibClamAV debug: Phishcheck:Checking url</a->
> LibClamAV debug: Looking up hash
> 5B07A56EB8269FE807FE55828D69A56135A1E43B1CDD96432AC5DDFC75251142 for
> LibClamAV debug: Looking up hash
> F5B73C1339C8C9B2B9537F129D63F4ECA16E0346819FB417E643CDA7B9EFA09A for
> LibClamAV debug: prefix matched
> LibClamAV debug: Hash matched for:</a
> LibClamAV debug: Phishcheck:URL after cleanup:>
> LibClamAV debug: Displayed 'url' is not url:
> LibClamAV debug: Phishing: looking up in whitelist:;
> host-only:0
> LibClamAV debug: Looking up in regex_list:
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: Blacklisted
> LibClamAV debug: found Possibly Unwanted:
> ===
> Can you show me what a valid hash whitelist entry in local.wdb might
> look like for this hash?

For 0.95.1 I was thinking about something like this (not yet implemented):
S:X:F5B73C1339C8C9B2B9537F129D63F4ECA16E0346819FB417E643CDA7B9EFA09A

Best regards,
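
An added example, not part of the original message and not ClamAV code: a simplified Python model of the `X:RealURL:DisplayedURL` whitelist format discussed above, showing why the variant ending in `:.+` also whitelists mismatched displayed URLs. The domain `example.com`, the sample URL pairs and the helper names are constructed; it assumes the regex is matched anchored against the cleaned-up string `RealURL:DisplayedURL`, with Python's `re` standing in for ClamAV's regex engine.

```python
import re

# Constructed entries: the domain used in the original message is not preserved
# on this page, so example.com is a placeholder.
STRICT = r"X:(.+\.)?example\.com([/?].*)?:(.+\.)?example\.com([/?].*)?"
BROAD = r"X:(.+\.)?example\.com([/?].*)?:.+"


def compile_wdb_regex(entry):
    """Compile the regex part of an X: whitelist entry.

    Assumption (simplified model): everything after "X:" is one regex matched
    against the whole string "RealURL:DisplayedURL". ClamAV's own URL cleanup
    and regex dialect are not modelled.
    """
    entry = entry.strip()
    if not entry.startswith("X:"):
        raise ValueError("only X: (regex) entries are handled here")
    return re.compile(entry[2:])


def is_whitelisted(entry, real_url, displayed_url):
    """True if the entry covers this real/displayed URL pair (scheme-less URLs)."""
    subject = f"{real_url}:{displayed_url}"
    return compile_wdb_regex(entry).fullmatch(subject) is not None


def compare_entries(pairs):
    """Return {(real, displayed): (strict_result, broad_result)} for review."""
    return {
        pair: (is_whitelisted(STRICT, *pair), is_whitelisted(BROAD, *pair))
        for pair in pairs
    }


# Constructed sample pairs: (real URL the link points to, URL shown to the user).
SAMPLE_PAIRS = [
    ("mail.example.com/login", "www.example.com"),   # same site on both sides
    ("mail.example.com/login", "www.bank.test"),     # mismatch in displayed URL
    ("notexample.com", "example.com"),               # look-alike real host
]

if __name__ == "__main__":
    for pair, (strict, broad) in compare_entries(SAMPLE_PAIRS).items():
        print(f"{pair[0]} -> {pair[1]}: strict={strict} broad={broad}")
```

Running a candidate `local.wdb` line through a check like this before deploying it shows how much each form actually exempts from the phishing check.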
