To allow a specific file, use the MD5 signature format and place it inside a database file with the extension .fp (for "false positive"). To allow a specific file with the SHA1 or SHA256 file hash signature format, place the signature inside a database file with the extension .sfp (for "SHA false positive").
To generate FP or SFP signatures, try something like this:

```
sigtool --md5 /path/to/false/positive/file >> /path/to/databases/false-positives.fp
sigtool --sha256 /path/to/false/positive/file >> /path/to/databases/false-positives.sfp
```
Here's an example adding the EICAR test file to an allow list by generating a SHA256 false positive signature:

```
❯ clamscan ~/Downloads/eicar.com
/mnt/c/Users/micah/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
...
❯ sigtool --sha256 ~/Downloads/eicar.com >> /var/lib/clamav/false-positives.sfp
❯ clamscan ~/Downloads/eicar.com
/mnt/c/Users/micah/Downloads/eicar.com: OK
...
```
To ignore a specific signature from the database, add the signature name to a local file with the .ign2 extension and store it inside the database directory.

Additionally, you can follow the signature name with the MD5 of the entire database entry for this signature. In that case, the signature will no longer be ignored once its entry in the database is modified (e.g. the signature gets updated to avoid false alerts). E.g.:
Historically, signature ignores were added to .ign files. This format is still functional, though it has been replaced by the
ClamAV may alert on suspicious links with alerts along the lines of "Heuristics.Phishing.Email.SpoofedDomain". If you encounter a false positive for this kind of detection, you can create an allow list signature.
Allow list signatures for suspicious HTML links are added to the .wdb phishing signature database. Read the Phishing Signature documentation to learn more.