Open
Labels
- area/ipcei: Important Project of Common European Interest
- kind/feature: new feature, enhancement, improvement, extension
Description
Context / Motivation
As explained here, ClamAV will abort scans upon files exceeding its configured size limit (which cannot be configured to more than 4 GiB). This also happens if ClamAV detects (bogus or real) zip headers proclaiming such large contained files (in which case it will skip scanning and not try to uncompress). Malware-Extension will currently report such findings as malware findings (marked as pseudo-malware via naming convention).
We have observed in the past years that such bogus headers are found quite frequently in ELF binaries built with the golang compiler toolchain, which causes annoying noise of false-positive alerts.
Implementation Proposal
Make malware-scanning-extension configurable such that it is possible to configure different policies based on rules:
- matchers:
  - by ocm-coordinates / attributes (in particular: resource-relation == local vs external)
  - by malware-name(s) (ideally use regular expressions)
  - by mimetype (e.g. only apply for ELF-binaries)
- policies:
  - rescore (e.g. to "false-positive" / "ignored")
  - ignore (do not report at all) (?)
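A sketch of how the proposed matchers and policies could be evaluated, added here as an illustration and not taken from the Malware-Extension code base. The class and function names, the `EXAMPLE.ScanAborted.*` finding name, the mimetype value and the default severity `malware` are assumptions; matchers are anchored with `fullmatch` so that a rule written for a pseudo-malware name cannot suppress a real detection whose name merely contains it.

```python
import dataclasses
import re
from typing import Optional

@dataclasses.dataclass(frozen=True)
class Finding:
    relation: str       # OCM resource-relation: 'local' or 'external'
    mimetype: str
    malware_name: str

@dataclasses.dataclass(frozen=True)
class Rule:
    policy: str                    # 'rescore' or 'ignore'
    malware_name: str = r'.*'      # all matchers are regexes, anchored via fullmatch
    mimetype: str = r'.*'
    relation: str = r'.*'
    rescore_to: Optional[str] = None

    def __post_init__(self):
        # Reject misconfigured rules instead of silently suppressing findings.
        if self.policy not in ('rescore', 'ignore'):
            raise ValueError(f'unknown policy: {self.policy}')
        if self.policy == 'rescore' and not self.rescore_to:
            raise ValueError('rescore rule needs rescore_to')

    def matches(self, f: Finding) -> bool:
        # Every matcher must match the whole value; a partial hit never applies.
        return all(
            re.fullmatch(pattern, value)
            for pattern, value in (
                (self.malware_name, f.malware_name),
                (self.mimetype, f.mimetype),
                (self.relation, f.relation),
            )
        )

def evaluate(finding: Finding, rules) -> Optional[str]:
    """Return the severity to report, or None if the finding is dropped."""
    for rule in rules:  # first matching rule wins
        if rule.matches(finding):
            return None if rule.policy == 'ignore' else rule.rescore_to
    return 'malware'  # no rule matched: report unchanged

# Constructed rule: rescore aborted-scan pseudo-findings, only for local ELF binaries.
RULES = [Rule(
    policy='rescore',
    malware_name=r'EXAMPLE\.ScanAborted\..*',  # placeholder naming convention
    mimetype=r'application/x-(executable|sharedlib)',
    relation=r'local',
    rescore_to='false-positive',
)]
```

Because unmatched findings fall through to the default, a rule set that is empty or too narrow leaves current reporting behaviour unchanged.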
Status
🛠️ Needs Refinement