False-positives & false-negatives

bucketAV powered by ClamAV® supports allowlists and blocklists to deal with:

false-positives / allowlist (#)

Ensures that a file is scanned as clean.

This feature is only available for bucketAV powered by ClamAV®!

Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.4.0.
To update to the latest version, follow the Update Guide.

  1. Connect to one of the bucketAV EC2 instances.
  2. Download the file in question: aws s3 cp s3://bucket/path/to/file .
  3. Generate a ClamAV SFP file: sigtool --sha256 file >> false-positives.sfp
  4. Make the file available over http(s) reachable by the Scan Fleet. Possible options:
    1. S3 bucket only accessible from your private VPC. Required the fulfillment option Dedicated Private VPC. Use the following bucket policy to restrict access (replace BUCKET_NAME with the name of the bucket hosting the SFP file, and VPC_ID with the ID of the VPC created by bucketAV):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": "*",
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-positives.sfp"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "VPC_ID"
            }
          }
        }
      ]
    }
    
    1. S3 bucket accessible to the public. Use the following bucket policy to make the file publicly accessible (replace BUCKET_NAME with the name of the bucket hosting the SFP file):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-positives.sfp"
          ],
          "Principal": "*"
        }
      ]
    }
    
  5. Set the AdditionalDatabaseUrls configuration parameter to the http(s) URL of the SFP file, e.g. https://BUCKET_NAME.s3.REGION.amazonaws.com/false-positives.sfp and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).

false-negatives / blocklist (#)

Ensures that a file is scanned as infected.

This feature is only available for bucketAV powered by ClamAV®!

Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.4.0.
To update to the latest version, follow the Update Guide.

  1. Connect to one of the bucketAV EC2 instances.
  2. Download the file in question: aws s3 cp s3://bucket/path/to/file .
  3. Generate a ClamAV HSB file: sigtool --sha256 file > false-negatives.hsb
  4. Make the file available over http(s) reachable by the Scan Fleet. Possible options:
    1. S3 bucket only accessible from your private VPC. Required the fulfillment option Dedicated Private VPC. Use the following bucket policy to restrict access (replace BUCKET_NAME with the name of the bucket hosting the SFP file, and VPC_ID with the ID of the VPC created by bucketAV):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": "*",
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-negatives.hsb"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "VPC_ID"
            }
          }
        }
      ]
    }
    
    1. S3 bucket accessible to the public. Use the following bucket policy to make the file publicly accessible (replace BUCKET_NAME with the name of the bucket hosting the SFP file):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-negatives.hsb"
          ],
          "Principal": "*"
        }
      ]
    }
    
  5. Set the AdditionalDatabaseUrls configuration parameter to the http(s) URL of the HSB file, e.g. https://BUCKET_NAME.s3.REGION.amazonaws.com/false-negatives.hsb and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email