First you should run cxs directly against the file and ensure that it is NOT detected by either the fingerprint or virus option:
If it is not detected and you believe it is an exploit, you can submit the files to us using the --wttw option and we will examine them to determine whether they should be added to the fingerprint database.
Please do NOT:
1. Send exploits that are detected by cxs using the default options
2. Send exploits that are detected by ClamAV
3. Send excessive numbers of exploit examples
4. Send HTML defacement injections (e.g. iframe injections)
5. Send files unless you are sure they are exploits
Alternatively, or in the meantime, you can create your own fingerprints for them. See the --MD5 option in the cxs documentation for details.
For example, if you have a file called exploit.php that you want to add to the fingerprints, do the following:
You'll get something like this:
Add the following to /etc/cxs/cxs.xtra:
And make sure that you add this to your command line in the cxs
script files that you are using for scanning (cxsftp.sh, cxscgi.sh,
For instance, if your cxs command line in cxscgi.sh is this:
/usr/sbin/cxs --quiet --cgi --smtp --mail root -Q /home/quarantine --qoptions Mv "$1"
You should change it to:
/usr/sbin/cxs --quiet --cgi --smtp --mail root -Q /home/quarantine --qoptions Mv --xtra /etc/cxs/cxs.xtra "$1"
If you are running cxswatch it is best to restart it when you make changes to cxs.xtra or cxs.ignore.
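
To confirm that the change above has been made in every scanning script, the following added example (not part of the cxs documentation or distribution) lists each cxs command line that lacks --xtra /etc/cxs/cxs.xtra. The function names are hypothetical, the script paths are passed as arguments, and each cxs command is assumed to sit on a single line as in the cxscgi.sh example above.

```shell
#!/bin/sh
# Added example: audit cxs wrapper scripts for a missing --xtra option.
# Usage: sh check_xtra.sh /path/to/cxscgi.sh /path/to/cxsftp.sh
# (check_xtra.sh is a hypothetical file name; pass your own script paths.)

XTRA_FILE="/etc/cxs/cxs.xtra"   # path taken from the page

# Print each cxs command line in "$1" that lacks "--xtra $XTRA_FILE",
# prefixed with file name and line number.
# Returns 0 if no cxs command line is missing the option, 1 if any is,
# 2 if the file cannot be read.
# Assumption: each cxs command is written on one line (no backslash
# continuations), as in the page's example.
missing_xtra() {
    script=$1
    if [ ! -r "$script" ]; then
        echo "cannot read: $script" >&2
        return 2
    fi
    # First grep: non-comment lines that invoke cxs.
    # Second grep: drop the lines that already carry the option.
    bad=$(grep -n -E '^[[:space:]]*(/usr/sbin/)?cxs[[:space:]]' "$script" |
          grep -v -E -e "--xtra[[:space:]]+$XTRA_FILE") || true
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | while IFS= read -r line; do
        printf '%s:%s\n' "$script" "$line"
    done
    return 1
}

# Check every script given; return 1 if any of them needs editing.
audit_all() {
    rc=0
    for f in "$@"; do
        missing_xtra "$f" || rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

Any line it prints still needs the --xtra option added; no output and exit status 0 mean every cxs command line found already has it.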