False-positives & false-negatives

bucketAV powered by ClamAV® supports allowlists and blocklists to deal with false-positives and false-negatives.

false-positives / allowlist

Ensures that a file is scanned as clean.

Only works with bucketAV powered by ClamAV®. Requires bucketAV powered by ClamAV® version >= 2.4.0. To update to the latest version, follow the Update Guide.

  1. Connect to one of the bucketAV EC2 instances.
  2. Download the file in question: aws s3 cp s3://bucket/path/to/file .
  3. Generate a ClamAV SFP file: sigtool --sha256 file >> false-positives.sfp
  4. Make the file available over http(s) at a location reachable by the Scan Fleet. Possible options:
    1. S3 bucket only accessible from your private VPC. Requires the fulfillment option Dedicated Private VPC. Use the following bucket policy to restrict access (replace BUCKET_NAME with the name of the bucket hosting the SFP file, and VPC_ID with the ID of the VPC created by bucketAV):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": "*",
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-positives.sfp"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "VPC_ID"
            }
          }
        }
      ]
    }
    
    2. S3 bucket accessible to the public. Use the following bucket policy to make the file publicly accessible (replace BUCKET_NAME with the name of the bucket hosting the SFP file):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-positives.sfp"
          ],
          "Principal": "*"
        }
      ]
    }
    
  5. Set the AdditionalDatabaseUrls configuration parameter to the http(s) URL of the SFP file, e.g. https://BUCKET_NAME.s3.REGION.amazonaws.com/false-positives.sfp and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).

false-negatives / blocklist

Ensures that a file is scanned as infected.

Only works with bucketAV powered by ClamAV®. Requires bucketAV powered by ClamAV® version >= 2.4.0. To update to the latest version, follow the Update Guide.

  1. Connect to one of the bucketAV EC2 instances.
  2. Download the file in question: aws s3 cp s3://bucket/path/to/file .
  3. Generate a ClamAV HSB file: sigtool --sha256 file > false-negatives.hsb
  4. Make the file available over http(s) at a location reachable by the Scan Fleet. Possible options:
    1. S3 bucket only accessible from your private VPC. Requires the fulfillment option Dedicated Private VPC. Use the following bucket policy to restrict access (replace BUCKET_NAME with the name of the bucket hosting the HSB file, and VPC_ID with the ID of the VPC created by bucketAV):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": "*",
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-negatives.hsb"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "VPC_ID"
            }
          }
        }
      ]
    }
    
    2. S3 bucket accessible to the public. Use the following bucket policy to make the file publicly accessible (replace BUCKET_NAME with the name of the bucket hosting the HSB file):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetObject",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/false-negatives.hsb"
          ],
          "Principal": "*"
        }
      ]
    }
    
  5. Set the AdditionalDatabaseUrls configuration parameter to the http(s) URL of the HSB file, e.g. https://BUCKET_NAME.s3.REGION.amazonaws.com/false-negatives.hsb and replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right in the AWS Management Console).
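
A pre-publish check for steps 3 and 4 of both procedures, as an added example that is not part of bucketAV's documentation: it verifies that every line of the .sfp or .hsb file is well-formed, that the file in question is actually listed, and that no hash appears in both lists. It assumes the SHA256:SIZE:NAME line layout written by sigtool --sha256 and the GNU sha256sum tool; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: checks for false-positives.sfp / false-negatives.hsb before upload.
# Assumption: every line is SHA256:SIZE:NAME (SIZE may be "*"); names are hypothetical.

# validate_hash_db DB: report malformed lines on stderr, return non-zero if any exist.
validate_hash_db() {
  awk -F: '
    NF < 3 || length($1) != 64 || $1 !~ /^[0-9A-Fa-f]+$/ ||
    ($2 != "*" && $2 !~ /^[0-9]+$/) {
      printf "%s:%d: malformed entry\n", FILENAME, NR > "/dev/stderr"
      bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

# db_has_file DB FILE: return 0 if DB has an entry matching FILE's SHA-256 and size.
db_has_file() {
  want_hash=$(sha256sum "$2" | cut -d' ' -f1)
  want_size=$(wc -c < "$2" | tr -d ' ')
  awk -F: -v h="$want_hash" -v s="$want_size" '
    tolower($1) == h && ($2 == s || $2 == "*") { found = 1 }
    END { exit !found }
  ' "$1"
}

# db_conflicts ALLOW BLOCK: print hashes listed in both files (contradictory verdicts).
db_conflicts() {
  awk -F: '
    FILENAME == ARGV[1] { allow[tolower($1)] = 1; next }
    (tolower($1) in allow) { print tolower($1) }
  ' "$1" "$2"
}

# Usage: sh check-db.sh DB FILE  (run after step 3, before uploading in step 4)
if [ "$#" -eq 2 ]; then
  validate_hash_db "$1" && db_has_file "$1" "$2" && echo "ok: $2 is listed in $1"
fi
```
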
