| .gitignore | Initial commit | |
| LICENSE | Initial commit | |
| README.md | Include a thing saying this isn't associated with ClamAV. | |
fpcheck
fpcheck is not associated with and is not to be confused with FPCheck from Identification International, Inc., a company that seems to do fingerprint checking stuff. The program "fpcheck" in lowercase and provided in this repo is short for "false positive check". fpcheck/false positive check isn't associated with ClamAV, either.
fpcheck may be under the GPLv3+ but does not support or endorse stallman, his enablers, or the US FSF.
Allows checking for a configurable list of files, SHA256 hashes, and maximum expected filesizes to be a false positive before showing a popup if using ClamAV's on-access scanning feature and a script using notify-send on detection as described in the Arch wiki in this section: https://wiki.archlinux.org/title/ClamAV#Creating_notification_popups_for_alerts
You may be thinking this is unnecessary because ClamAV has a way to ignore files, but everything I found only shows using MD5 checksums which are known to be insecure and collisions are possible ( https://crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value ). Ideally there should just be a way to use SHA256 sums for ClamAV's file ignore thing. If there is, I'm not aware of it.
The config file will be stored under /etc/fpcheck/fpcheck.conf and will be likely an INI file or a YAML file. Probably YAML file so that each file path can be a key.
Each file path will have a SHA256 checksum specified as a known ok file in addition to expected file sizes in case a file gets replaced or modified by malware to be really big in an attempt to cause a denial of service. In the event a file is larger than a maximum expected size (say, 5 MB for a 1.2 MB file just to give some room for manually updating the checksum next time), then it won't be checked with sha256sum and will be considered significant to notify about as if it didn't match the checksum.
There should be a way to specify that a file should always be ignored, like the LibreOffice templates in /usr if the files change only when updating the system. Probably only allow files to be always ignored if they're in /usr and stuff and not writable by non-root users or something to prevent a chance for a file in a user-writable location to be modified maliciously without anyone knowing.
There needs to be some command options:
--add $filepath (optional: --update-existing)
--check $filepath
--remove $filepath
--update-hashes-unattended
--list
--help
--version
--add will allow adding a file path passed to it and will automatically take the file size and add at least 2 MB for the maximum expected file size. The SHA256 checksum will be acquired from sha256sum and everything will be saved into the config file if it doesn't exist. If it does exist, maybe there should be a thing asking if the existing entry should be updated. There should also be another option to pass called --update-existing if one exists to not ask if we should update an existing one. Requires root permissions like sudo et al.
--check is for checking if a file is a false positive as specified in the config file. The file path will be passed to it. This doesn't require root permissions like with sudo et al, but hopefully there will be a way to read any file owned by any user if necessary, maybe like with the clamonacc thing to allow notify-send to be run as any user, or something (the thing the Arch Wiki describes).
--remove will remove an entry from the config file. Requires root permissions like sudo et al.
--list will output the list of paths and SHA256 sums and stuff in JSON or other formats by passing stuff like --json or --plain-with-spacing
--update-hashes-unattended can be used to update the hashes that are for files like LibreOffice templates in /usr that are allowed to have hashes be updated without having the path re-specified. Useful for running after packages are updated like rkhunter can do if you do something like include it in the pacman post-update hook on Arch, for example. Files that can be updated like this will have to have a thing that says they can be updated automatically, likely AllowUnattendedHashUpdates.
--help will show the available commands.
--version will show the program version.