#15 Suspscan - Allow whitelisting of specific files/directories

Status: closed
Owner: unSpawn
Labels: Rkhunter (37)
Priority: 5
Updated: 2007-11-25
Created: 2007-10-25
Creator: Arthur Dent
Private: No

There is at present no method to whitelist specific files / directories from the Suspscan suspicious files check.

I use clamav antivirus together with the Sane Security plugin which, when called from clamassassin, scans my emails.

The Sane Security plugin seems to need to create two working log files in /var/tmp. These two files are reported as suspicious (score 230) by Suspscan.

Warning: File '/var/tmp/clamdb/SCAM-UpdateSession.log' (score: 230) contains some suspicious content and should be checked.
Warning: File '/var/tmp/clamdb/PHISH-UpdateSession.log' (score: 230) contains some suspicious content and should be checked.

I am reasonably satisfied that these files are legitimate (unless you can tell me otherwise) and would like to exclude them from the scan. It would be good therefore to be able to whitelist these two known and specific files.

Thank you for a great product.

AD

Discussion

  • unSpawn
    2007-11-10


    AFAIK these are logs only related to *updating* Sane Security databases, right? Suspscan operates on the premise that scanned directories like /tmp and /var/tmp only contain volatile, expendable items. Next to that, whitelisting suspscan items would be abused easily since there most likely is no other checking mechanism in place for the contents of those dirs like antivirus on-access scanning (mind you, not that suspscan is more than a kludge).

    I would argue it would be "better" to move the logs to where logs are stored regularly (LFS: /var/log) by editing your download script or regularly removing the logs with tmpwatch or equivalent.

    Let me know if you disagree.
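The "tmpwatch or equivalent" route suggested in the comment above can be done with a plain find(1) sweep. The script below is an added example written for this page; it is not code from rkhunter, Sane Security or the tracker item. It assumes the update logs all match the glob *-UpdateSession.log (the two files named in the report fit that pattern) and that they are safe to delete once older than the given number of minutes; the default location /var/tmp/clamdb is taken from the warnings above, the one-day default age is an assumption.

```shell
#!/bin/sh
# Added example (not from rkhunter, Sane Security or this tracker item):
# a tmpwatch-style sweep of the Sane Security update logs that suspscan
# flags under /var/tmp/clamdb. Assumptions: the logs match
# *-UpdateSession.log (the two names reported above fit this pattern) and
# are safe to delete once older than the given number of minutes.
set -eu

# sweep_update_logs DIR MINUTES
# Removes regular files named *-UpdateSession.log directly inside DIR whose
# modification time is more than MINUTES minutes old. Subdirectories are not
# descended (-maxdepth 1) and symlinks are ignored (-type f without -L), so a
# link planted in the world-writable temp directory cannot point the delete
# at something else. Prints each removed path; returns 1 if DIR is missing.
sweep_update_logs() {
    dir=$1
    minutes=$2
    if [ ! -d "$dir" ]; then
        echo "sweep_update_logs: no such directory: $dir" >&2
        return 1
    fi
    find "$dir" -maxdepth 1 -type f -name '*-UpdateSession.log' \
        -mmin +"$minutes" -print -exec rm -f -- {} +
}

# Usage: sweep_update_logs.sh DIR [MINUTES]   (MINUTES defaults to one day)
# Run it from cron, e.g. daily, so the logs never linger long enough for the
# next rkhunter run to report them. Without arguments the script only
# defines the function, so it can be sourced by a test or another script.
if [ "$#" -gt 0 ]; then
    sweep_update_logs "$1" "${2:-1440}"
fi
```

If the logs are needed between update runs, the alternative the comment mentions (pointing the download script at a directory under /var/log) avoids the temp directory entirely and needs no sweep.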

  • unSpawn
    2007-11-10

    • assigned_to: nobody --> unspawn
    • status: open --> pending

  • status: pending --> closed

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).