Like other anti-virus programs I’ve used, CIS Anti-Virus can only be told to Ignore files (false positives) by path, which seems both dangerous and inflexible to me:
If an Ignored file subsequently gets infected, then that change and infection won’t be detected and reported (effectively becoming a false negative).
If an Ignored file is copied or moved someplace else, then a false positive may again be reported.
I would like a Whitelist function, perhaps based on SHA hash of a file, that would detect and report any change to an Ignored file, and would still Whitelist an Ignored file that’s copied or moved to a different path.
Associating the infected file with a specific infection would be nice…
or maybe using the SHA hash as you suggested, so you get a notice if it gets infected again.
Yes, please! This is much better from a security and usability standpoint than whitelisting based on the path and name, which is an easy way for real malware to hide and false positives to be reported every time they are copied, moved, renamed, or zipped up. One suggestion – because computing hashes can be CPU-intensive, the whitelist should also contain the file size for each hash. Then CIS only has to compute the hash of the suspect file if it first matches by size.
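The size-then-hash whitelist lookup proposed in this thread, as an added example that is not part of the original posts and not CIS code: a file is hashed only when its size matches a whitelist entry, a copy at a new path still matches, and any modification does not. The `HashWhitelist` class, its method names and the sample file names are hypothetical, and SHA-256 is assumed for the "SHA hash".

```python
import hashlib
import os
import tempfile


class HashWhitelist:
    """Hypothetical whitelist: file size -> set of SHA-256 hex digests."""

    def __init__(self):
        self._by_size = {}
        self.hashes_computed = 0  # full-file hashes actually performed

    def _digest(self, fh):
        self.hashes_computed += 1
        h = hashlib.sha256()
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
        return h.hexdigest()

    def add(self, path):
        with open(path, "rb") as fh:
            size = os.fstat(fh.fileno()).st_size
            self._by_size.setdefault(size, set()).add(self._digest(fh))

    def is_whitelisted(self, path):
        # Size and hash are read from one open handle, so a path swap
        # between the cheap check and the expensive one cannot mix two files.
        with open(path, "rb") as fh:
            candidates = self._by_size.get(os.fstat(fh.fileno()).st_size)
            if not candidates:
                return False  # no entry of this size: hash is skipped
            return self._digest(fh) in candidates


def demo():
    original = b"constructed sample flagged as a false positive"
    samples = {  # constructed sample files, written to a temp directory
        "ignored.bin": original,                       # file the user whitelists
        "moved_copy.bin": original,                    # same bytes, new path
        "same_size_patch.bin": original[:-1] + b"X",   # modified, size unchanged
        "appended.bin": original + b" appended code",  # modified, size grew
    }
    wl = HashWhitelist()
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        wl.add(os.path.join(d, "ignored.bin"))
        results = {n: wl.is_whitelisted(os.path.join(d, n)) for n in list(samples)[1:]}
    return results, wl.hashes_computed
```

The size check is only a filter to avoid unnecessary hashing; the same-size modification is caught by the hash, not by the size.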