Page 1 of 1

Dealing with false-positives in cxs

Posted: 13 Oct 2009, 09:43
by ForumAdmin
When you run cxs you will invariably encounter false-positives that trigger one or more of the scanning options.

We do not recommend that you simply stop using the option that triggers, rather it would be better to simply ignore the false-positive files using an ignore file as per the documentation.

The best way to generate the ignore file is to create it first, e.g.:

Code: Select all

touch /etc/cxs/cxs.ignore
chmod 644 /etc/cxs/cxs.ignore
Or use the /etc/cxs/cxs.ignore.example file:

Code: Select all

cp /etc/cxs/cxs.ignore.example /etc/cxs/cxs.ignore
chmod 644 /etc/cxs/cxs.ignore
Then you need to populate it. You can either add your ignore file individually with entries such as:

Code: Select all

Or, you can generate ignore file entries using the scan report as input. You can generate the report file when you run a scan using the --report option, or you can save the output from the scan into a file on disk (e.g. if you received it only in an email), e.g. to cxs.scan. Using this as an example, you can then use the --generate option to append entries to your ignore file:

(Note: remember to remove all entries in the scan report that you do not want in the ignore file first)

Code: Select all

cxs --generate --report cxs.scan --ignore /etc/cxs/cxs.ignore
If you now look in cxs.ignore you should see ignore lines for each item found in the scan report. Make sure you use the --ignore /etc/cxs/cxs.ignore (or whatever you called your ignore file) in all future scans.

You should be very careful when using an ignore file about listing directories to ignore as this will stop cxs scanning the directory and its contents which might not be what you intend.