False-positives & false-negatives
bucketAV powered by ClamAV® supports allowlists and blocklists to deal with:
- Clean files that are wrongly classified as infected (false-positives).
- Infected files that are wrongly classified as clean (false-negatives).
false-positives / allowlist
Ensures that a file is scanned as clean.
This feature is only available for bucketAV powered by ClamAV®!
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.4.0.
To update to the latest version, follow the Update Guide.
- Connect to one of the bucketAV EC2 instances.
- Download the file in question:
aws s3 cp s3://bucket/path/to/file .
- Generate a ClamAV SFP file:
sigtool --sha256 file >> false-positives.sfp
- Make the file available over http(s) reachable by the Scan Fleet. Possible options:
  - S3 bucket only accessible from your private VPC. Requires the fulfillment option Dedicated Private VPC. Use the following bucket policy to restrict access (replace BUCKET_NAME with the name of the bucket hosting the SFP file, and VPC_ID with the ID of the VPC created by bucketAV):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": "*",
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-positives.sfp"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "VPC_ID"
            }
          }
        }
      ]
    }
  - S3 bucket accessible to the public. Use the following bucket policy to make the file publicly accessible (replace BUCKET_NAME with the name of the bucket hosting the SFP file):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-positives.sfp"
          ],
          "Principal": "*"
        }
      ]
    }
- Set the AdditionalDatabaseUrls configuration parameter to the http(s) URL of the SFP file, e.g. https://BUCKET_NAME.s3.REGION.amazonaws.com/false-positives.sfp, and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).
false-negatives / blocklist
Ensures that a file is scanned as infected.
This feature is only available for bucketAV powered by ClamAV®!
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.4.0.
To update to the latest version, follow the Update Guide.
- Connect to one of the bucketAV EC2 instances.
- Download the file in question:
aws s3 cp s3://bucket/path/to/file .
- Generate a ClamAV HSB file:
sigtool --sha256 file > false-negatives.hsb
- Make the file available over http(s) reachable by the Scan Fleet. Possible options:
  - S3 bucket only accessible from your private VPC. Requires the fulfillment option Dedicated Private VPC. Use the following bucket policy to restrict access (replace BUCKET_NAME with the name of the bucket hosting the HSB file, and VPC_ID with the ID of the VPC created by bucketAV):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": "*",
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-negatives.hsb"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "VPC_ID"
            }
          }
        }
      ]
    }
  - S3 bucket accessible to the public. Use the following bucket policy to make the file publicly accessible (replace BUCKET_NAME with the name of the bucket hosting the HSB file):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-negatives.hsb"
          ],
          "Principal": "*"
        }
      ]
    }
- Set the AdditionalDatabaseUrls configuration parameter to the http(s) URL of the HSB file, e.g. https://BUCKET_NAME.s3.REGION.amazonaws.com/false-negatives.hsb, and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).
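
Before publishing the SFP or HSB file produced in the allowlist and blocklist steps above, it helps to confirm that the file is well formed and really covers the file in question. The script below is an added example, not bucketAV or ClamAV code; it assumes the three-field SHA256:SIZE:NAME entry layout, and the script name check-db.sh and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not bucketAV or ClamAV code.
# Assumes each entry has the three-field layout SHA256:SIZE:NAME.

# Succeeds only if every non-empty line of DB is 64 hex digits,
# a decimal size, and a non-empty name (names containing ":" are rejected).
validate_db() {
    awk -F: '
        /^[ \t]*$/ { next }
        NF != 3 || length($1) != 64 || $1 !~ /^[0-9a-fA-F]+$/ || $2 !~ /^[0-9]+$/ || $3 == "" {
            printf "line %d malformed: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Succeeds only if FILE's SHA-256 and byte size match an entry in DB.
db_covers() {
    hash=$(sha256sum "$2" | cut -d' ' -f1)
    size=$(wc -c < "$2" | tr -d ' ')
    awk -F: -v h="$hash" -v s="$size" '
        tolower($1) == h && $2 == s { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Prints the number of hashes that appear more than once in DB
# (appending with ">>" twice for the same file produces these).
duplicate_hashes() {
    awk -F: 'NF { seen[tolower($1)]++ }
             END { for (k in seen) if (seen[k] > 1) n++; print n + 0 }' "$1"
}

# Usage: sh check-db.sh DB FILE
if [ "$#" -eq 2 ]; then
    validate_db "$1" || { echo "malformed entries in $1" >&2; exit 1; }
    db_covers "$1" "$2" || { echo "$2 is not covered by $1" >&2; exit 1; }
    echo "ok: $2 is covered; duplicate hashes: $(duplicate_hashes "$1")"
fi
```

Run it on the EC2 instance against the downloaded file, for example with false-positives.sfp and file as the two arguments, before uploading the database to the bucket.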