ClamAV: Whitelisting Files

Posted on October 1, 2016

Front Matter

Every time I have to look up how to do this, I have to wade through the internet ignoring suggestions by folks trying to be helpful and suggesting whitelisting a virus, rather than whitelisting a detection.

There is a distinction between the two, and these instructions are for the (far more specific) latter. If the file contents changes, it is renamed, or it’s file size changed, it will no longer match the whitelist and will again be subject to ClamAV’s scrutiny. Thus, you can be assured that adding a file signature whitelist entry this way will not leave you vulnerable to other (maybe valid) detections of the same detected infection.

If you had gone the other way and, say, whitelisted Win.Trojan.Agent-1702043 itself, you would then be vulnerable to any real infections of that classification. It should be self-evident why that is undesirable.

Is it a false positive?

Before you do anything you must be certain the detected file as actually benign. Perhaps the file is one of your own creation, or it’s digital signature from the vendor is intact (and you trust said vendor)? Maybe you submitted it to something like virustotal and found that ClamAV was one of only a small handful (or perhaps the only one) that is flagging as infected. However you do this, though, you should be reasonably certain.

Right, I’m sure. What do I need?

You need several bits of information on the file to whitelist it:

  • MD5 sum
  • File size in bytes
  • Submission ID (you probably don’t have this, see below)
  • File name with last extension trimmed off (eg →
  • Location of your local ClamAV virus database files

If you don’t have a Submission ID, it’s safe to use a 6 digit number. I recommend using a date code in the format YYMMDD. If you don’t know the location of the local ClamAV virus database, search your system for main.cvd, daily.cld, and/or bytecode.cld. You can also check your current ClamAV (or freshclam/clamd) configuration, if you know where those are - they’ll contain entries pointing to the database files.

Adding the whitelist entry

You need to edit (you probably need to create it) sigfile.fp in the same directory that contains the other virus database files (see prior section). The format is (one entry per line) as such: MD5:SIZE:ID_NAME and the file should be plain text with the appropriate line endings for your system. Note that the detected infection is not a part of this specification, only items that specifically identify the file. Also don’t forget to leave off the file extension!

As soon as you save this file, you’re done. It’s a good idea to rescan a detected file to ensure you got it in there correctly (it should pass, now). It also may be a good idea to also scan an EICAR test file to ensure ClamAV is still functional (never hurts to be sure!).


Here are some example whitelist entries I’ve had to add in the past. There’s sometimes a period of time after a new contributor to ClamAV jumps on board where signatures are overly broad, and most of this example file stems from such a period. I highly recommend that you do not use my whitelist below - I am sharing this only as a syntax example. You should only ever add a whitelist entry in response to a false detection. Never blindly add whitelist items from the internet.


The information, views, and opinions published on this website were done so in the author's personal capacity. The information, views, and opinions expressed in this article are the author's own and do not reflect the view of their employer, or any other entity unless explicitly stated otherwise.

All data and information provided on this site is for informational purposes only. This website and it's operators makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

All original content on this website is, unless explicitly stated otherwise, licensed under the MIT license. Full license text is available here. Non-original content that is included on this website in whole or in part, linked, or otherwise made available remains under copyright of the original owners.