Whitelisting by signature (hash) of false positives

Like other anti-virus programs I’ve used, CIS Anti-Virus can only be told to Ignore files (false positives) by path, which seems both dangerous and inflexible to me:

  • If an Ignored file subsequently gets infected, then that change and infection won’t be detected and reported (effectively becoming a false negative).
  • If an Ignored file is copied or moved someplace else, then a false positive may again be reported.

I would like a Whitelist function, perhaps based on SHA hash of a file, that would detect and report any change to an Ignored file, and would still Whitelist an Ignored file that’s copied or moved to a different path.

Thanks for listening and for CIS!
John

+1 (:CLP)

Associating the infected file with a specific infection would be nice…
or maybe using the SHA hash as you suggested, so you get a notice if it gets infected again.

I like this idea :-TU, especially if CIS AV could be configured so that whenever it gets a malware signature update, it would automatically:

  • rescan all Ignored (whitelisted) files that had been detected as infected (false positives)
  • report (in Advanced Mode) any such files that were no longer detected as having the same infection
  • offer to remove from the Ignore list any files that it no longer detected as having any infection

I like the idea so much that I’m adding it as a separate Wish!
John

+1

+1

+10 monkey boy and john.

Two good ideas merge into an even better one.

Keep 'em coming.

Cheers,
Ewen :slight_smile:

I’m in. Whitelisting is a great extra protection method

I’m in

Yes, please! This is much better from a security and usability standpoint than whitelisting based on the path and name, which is an easy way for real malware to hide and false positives to be reported every time they are copied, moved, renamed, or zipped up. One suggestion – because computing hashes can be CPU-intensive, the whitelist should also contain the file size for each hash. Then CIS only has to compute the hash of the suspect file if it first matches by size.
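To make the mechanism proposed in this thread concrete, here is an added illustration (not CIS code, and not anything the Comodo developers have published): a whitelist keyed by file size and SHA-256, where the size acts as the cheap pre-filter suggested above, a file copied or renamed elsewhere is still recognised, and a previously ignored file that changes at its known path is reported as modified rather than silently ignored. The `Whitelist` class, the `demo()` helper and the sample "false positive" file it writes into a temporary directory are all constructed for this example.

```python
"""Hash-based false-positive whitelist (constructed example, not CIS code)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

CHUNK = 1 << 16


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Whitelist:
    # size -> set of SHA-256 digests; the size lookup is the cheap pre-filter,
    # so a file whose size matches no entry is never hashed at all
    by_size: dict = field(default_factory=dict)
    # path -> (size, digest) recorded when the entry was added, so that a change
    # to a file at a known path can be reported instead of being ignored
    known_paths: dict = field(default_factory=dict)
    # number of hashes computed by classify(); lets the caller see the pre-filter working
    scan_hashes: int = 0

    def add(self, path: str) -> str:
        """Whitelist the file's current content, remembering where it was seen."""
        size = os.path.getsize(path)
        digest = sha256_of(path)
        self.by_size.setdefault(size, set()).add(digest)
        self.known_paths[path] = (size, digest)
        return digest

    def classify(self, path: str) -> str:
        """Return 'whitelisted', 'modified' (known path, content changed) or 'not-whitelisted'."""
        size = os.path.getsize(path)
        candidates = self.by_size.get(size)
        if candidates is not None:          # only hash when the size matches an entry
            self.scan_hashes += 1
            if sha256_of(path) in candidates:
                return "whitelisted"        # same content, regardless of path or name
        if path in self.known_paths:
            return "modified"               # an ignored file changed: do not stay silent
        return "not-whitelisted"


def demo() -> dict:
    """Exercise the whitelist against constructed files; returns the classifications."""
    wl = Whitelist()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        fp = os.path.join(d, "tool.exe")
        with open(fp, "wb") as f:
            f.write(b"MZ" + b"A" * 1000)    # stand-in for a falsely detected binary
        wl.add(fp)

        # 1. Copied/renamed elsewhere: still whitelisted by content
        moved = os.path.join(d, "renamed-copy.exe")
        shutil.copyfile(fp, moved)
        results["copied"] = wl.classify(moved)

        # 2. Tampered in place with the size unchanged: hash mismatch -> modified
        with open(fp, "r+b") as f:
            f.seek(500)
            f.write(b"B")
        results["tampered_same_size"] = wl.classify(fp)

        # 3. Tampered in place with the size changed: size filter misses -> modified
        with open(fp, "ab") as f:
            f.write(b"appended")
        results["tampered_grown"] = wl.classify(fp)

        # 4. Unrelated file of a size never whitelisted: rejected without hashing
        other = os.path.join(d, "other.exe")
        with open(other, "wb") as f:
            f.write(b"MZ" + b"C" * 50)
        before = wl.scan_hashes
        results["unrelated"] = wl.classify(other)
        results["hashed_unrelated"] = wl.scan_hashes != before
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The size pre-filter only pays off if the scanner already has the size from its directory walk, which it normally does; the hash is computed solely for files whose size collides with a whitelisted entry, so an unrelated file costs one dictionary lookup. A real implementation would also persist `known_paths` so that the "modified" report survives a restart.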

+1