
Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
Hello,

I use ClamAV unofficial signatures and it seems that I get a false
positive, I'm not sure. A known person with a Gmail address and MS
Outlook 16.0 X-Mailer tries to send me a mail with a link to Google Docs
(Google Sheets) and Amavis refuses to accept this mail. I scanned this
file in the quarantine again and I get the detection again and some
other errors.

[more yyerror() ]
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389
duplicate identifier "zeroaccess_js4"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414
duplicate identifier "zerox88_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444
duplicate identifier "zerox88_js3"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472
duplicate identifier "zeus_js"
LibClamAV Warning: load_oneyara: yara rule contains too many subsigs
(1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules
from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.
/root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 12844114
Engine version: 0.103.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.01 MB (ratio 0.00:1)
Time: 61.839 sec (1 m 1 s)
Start Date: 2022:07:22 10:59:19
End Date: 2022:07:22 11:00:21

I opened the file in the console. It's a multipart message; it contains
the text and the typical MS HTML part of the message. I can't see where
the danger lurks.

Any suggestions on what I can do?

Thomas B


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
On 22 July 2022 10:15:27 Thomas Barth via clamav-users
<clamav-users@lists.clamav.net> wrote:

> Hello,
>
> I use ClamAV unofficial signatures and it seems that I get a false
> positive, I'm not sure. A known person with a Gmail address and MS
> Outlook 16.0 X-Mailer tries to send me a mail with a link to Google Docs
> (Google Sheets) and Amavis refuses to accept this mail. I scanned this
> file in the quarantine again and I get the detection again and some
> other errors.
>
> [more yyerror() ]
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389
> duplicate identifier "zeroaccess_js4"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414
> duplicate identifier "zerox88_js2"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444
> duplicate identifier "zerox88_js3"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472
> duplicate identifier "zeus_js"
> LibClamAV Warning: load_oneyara: yara rule contains too many subsigs
> (1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
> LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules
> from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.
> /root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 12844114
> Engine version: 0.103.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.01 MB (ratio 0.00:1)
> Time: 61.839 sec (1 m 1 s)
> Start Date: 2022:07:22 10:59:19
> End Date: 2022:07:22 11:00:21
>
> I opened the file in the console. It's a multipart message; it contains
> the text and the typical MS HTML part of the message. I can't see where
> the danger lurks.
>
> Any suggestions on what I can do?
>
> Thomas B

Hi Thomas,

The yara rule errors are due to ClamAV's built-in yara engine not fully
understanding the yara files.

The MBL_162693783 sig is the one to check.

If you use sigtool to decode the sig you'll see what it's looking for.

MBL used to block Google Docs links... so maybe that's why.

If you need to, you can put the signature name in an ignore.ign2 file and
reload clamd, but only do this once you have seen the sig decode.

Cheers,

Steve
Twitter: @sanesecurity
Sanesecurity.com
Re: Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
Hi,
after checking the decoded signature I tried to whitelist the signature
as described on your website

https://www.securiteinfo.com/services-cybersecurite/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

One line of the decoded sig was like DECODED SIGNATURE: d o c s . g o o g l e . c o m
(added spaces because the mail is being refused when it just contains
that domain name)

Google Docs under general suspicion :-)

After restarting the clamav-daemon it has found another MBL_xxxxxxxxx
with the same decoded signature. I don't know how many virus names for
that domain exist. Because it can take up to a minute to check the
"virusmail" (CPU too slow?), I'd better ask again if I really do have to
whitelist all the virus names one by one.


Thomas B
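Steve's advice above (decode the signature with sigtool, then list its name in an .ign2 file) and Thomas's question about whether every MBL name for the same domain has to be whitelisted by hand, as an added example that is not from the thread or from any of the signature vendors: a Python script that reads an .ndb-format signature file (the thread never shows the raw MBL file, so the format and all signature names and bodies below are constructed), decodes each hex body roughly the way `sigtool --decode-sigs` does, and emits ign2 entries only for signatures whose entire decoded body is a trusted domain.

```python
import re

# Constructed sample in ClamAV .ndb format (SigName:TargetType:Offset:HexBody).
# Names and bodies are made up for this example; they are not real MBL signatures.
# The name in the file has no ".UNOFFICIAL" suffix: clamd appends that when it
# reports a hit from a third-party database.
SAMPLE_NDB = """\
MBL_000000001:0:*:646f63732e676f6f676c652e636f6d
MBL_000000002:0:*:646f63732e676f6f676c652e636f6d2f7370726561647368656574732f64
MBL_000000003:0:*:66696c65732e6578616d706c652e6e6574
MBL_000000004:0:*:3c736372697074{2-8}646f63732e676f6f676c652e636f6d
"""

# One token per hex byte or wildcard ({n-m} jump, *, ??, (aa|bb) alternatives).
TOKEN = re.compile(r"\{\d*-?\d*\}|\(.*?\)|\*|\?\?|[0-9a-fA-F]{2}")

def decode_body(hex_body):
    """Render an .ndb hex body as text, roughly as sigtool --decode-sigs does.
    Printable bytes become characters, other bytes \\xNN, wildcards stay literal."""
    out = []
    for tok in TOKEN.findall(hex_body):
        if len(tok) == 2 and tok != "??":
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
        else:
            out.append(tok)
    return "".join(out)

def parse_ndb(text):
    """Yield (name, decoded_body) per signature line; blanks and comments skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            yield parts[0], decode_body(parts[3])

def ign2_entries(ndb_text, trusted_domains):
    """Names to put in a .ign2 file (one per line): only signatures whose whole
    decoded body is a trusted domain. A body that carries the domain plus a path,
    a tag or a wildcard may describe real abuse of that domain, so it is kept."""
    trusted = {d.lower() for d in trusted_domains}
    return [name for name, body in parse_ndb(ndb_text) if body.lower() in trusted]

if __name__ == "__main__":
    for name in ign2_entries(SAMPLE_NDB, ["docs.google.com"]):
        print(name)  # append these lines to e.g. local.ign2, then reload clamd
```

Of the four constructed signatures only the first is a bare `docs.google.com`; the second (domain plus a path) and the fourth (a script tag, a jump, then the domain) are deliberately left for a human to review.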
Re: Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
Hi there,

On Fri, 22 Jul 2022, Thomas Barth via clamav-users wrote:

> I use ClamAV unofficial signatures and it seems that I get a false positiv ...

I think you're probably right, but to get a dozen or so other opinions
you can submit the file to VirusTotal or Jotti's Malware Scan:

https://www.virustotal.com
https://virusscan.jotti.org

> ... and some other errors.
>
> [more yyerror() ]
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389 duplicate
> identifier "zeroaccess_js4"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414 duplicate
> identifier "zerox88_js2"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444 duplicate
> identifier "zerox88_js3"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472 duplicate
> identifier "zeus_js"
> LibClamAV Warning: load_oneyara: yara rule contains too many subsigs (1019,
> max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
> LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules from
> file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.

I've seen more than one version of the rfxn.yara signature file.

Having said that I don't see the problem that you've found. In case
it helps you, here's the directory listing and md5sum of the file
currently in use here. It's pretty old, and I can't say that I've
noticed very many useful detections from it.

8<----------------------------------------------------------------------
Downloaded from https://cdn.rfxn.com/downloads/maldet-sigpack.tgz:

$ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
-rw-r--r-- 1 clamav clamav 410441 Aug 17 2020 rfxn.yara
c8303441af0e8fac43cea4d8fb3dc5f7 rfxn.yara
783
$
8<----------------------------------------------------------------------

There's a 'current' version on the 'www' site which is even older:

8<----------------------------------------------------------------------
Downloaded from http://www.rfxn.com/downloads/maldetect-current.tar.gz:

$ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
-rw-r--r-- 1 clamav clamav 408598 Jul 4 2019 rfxn.yara
25a92fee1f45b81cfa8ba98cf1bc8e3e rfxn.yara
777
$
8<----------------------------------------------------------------------

To the best of my knowledge I've had no response from the author when
I've tried to contact him.

Where did you get your copy from? Check that it isn't damaged; if it
is, I suggest that you move it out of your ClamAV signature directory
and try another copy.

> /root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND

I haven't used malwarepatrol since 2013 so I can't help with that signature.

Are you sure you want to do all this with root permissions? :)

--

73,
Ged.
Re: Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
Hi there,

On Fri, 22 Jul 2022, Thomas Barth via clamav-users wrote:

> ...
> Google docs under general suspicion :-)
> ...

Correct. :)

--

73,
Ged.
Re: Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
Hi!


On 2022-07-22 13:31, G.W. Haywood via clamav-users wrote:
> Having said that I don't see the problem that you've found. In case
> it helps you, here's the directory listing and md5sum of the file
> currently in use here. It's pretty old, and I can't say that I've
> noticed very many useful detections from it.
>
> 8<----------------------------------------------------------------------
> Downloaded from https://cdn.rfxn.com/downloads/maldet-sigpack.tgz:
>
> $ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
> -rw-r--r-- 1 clamav clamav 410441 Aug 17 2020 rfxn.yara
> c8303441af0e8fac43cea4d8fb3dc5f7 rfxn.yara
> 783
> $

I already have the latest rfxn.yara version compared to your file. I get
the same output:

ls -al /var/lib/clamav/rfxn.yara
-rw-r--r-- 1 clamav clamav 410441 Aug 17 2020 /var/lib/clamav/rfxn.yara


> Where did you get your copy from? Check that it isn't damaged, if it
> is I suggest that you move it out of your ClamAV signature directory
> and try another copy.


I use clamav-unofficial maintained by eXtremeSHOK
https://github.com/extremeshok/clamav-unofficial-sigs


>
> Are you sure you want to do all this with root permissions? :)

I will change the user next time, I promise! :)


Thomas B
Re: Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.
Thomas Barth via clamav-users <clamav-users@lists.clamav.net> writes:

> After restarting the clamav-daemon it has found another MBL_xxxxxxxxx
> with the same decoded signature. I dont know how many virus names for
> that domain exist. Because it can take up to a minute to check the
> "virusmail" (cpu too slow?) So I better ask again if I really do have to
> whitelist all the virus names one by one.
>

MalwarePatrol may sometimes be quite lousy with the rules: often some
are missing in the rules, some rules may be duplicated, etc.

I have resolved to have a script that does some cleaning in whatever
ruleset I download before I activate it.

Best regards,

Olivier


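Olivier's cleaning script is not shown in the thread; as an added example that is neither his script nor anything from the rfxn or ClamAV projects, here is a Python version that handles the two load failures visible in Thomas's log: a rule identifier defined twice ("duplicate identifier") and a rule with more strings than ClamAV's subsignature limit ("too many subsigs (1019, max: 64)"). The sample YARA text is constructed, and the splitter assumes every rule header starts a line.

```python
import re

# Constructed sample YARA text (not the rfxn.yara file from the thread): "dup_rule"
# is defined twice and "big_rule" has more strings than ClamAV will take per rule.
SAMPLE_YARA = (
    'rule dup_rule { strings: $a = "one" condition: $a }\n'
    'rule fine_rule { strings: $a = "two" $b = "three" condition: any of them }\n'
    'rule dup_rule { strings: $a = "one again" condition: $a }\n'
    "rule big_rule {\n  strings:\n"
    + "".join(f'    $s{i} = "x{i}"\n' for i in range(70))
    + "  condition: any of them\n}\n"
)

# ClamAV turns each YARA string into one logical-signature subsignature and, per
# the load_oneyara warning in the thread, refuses rules with more than 64 of them.
MAX_SUBSIGS = 64
RULE_HEAD = re.compile(r"^(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
STRING_DEF = re.compile(r"\$\w*\s*=(?!=)")  # "$name = ..." in a strings: section

def split_rules(text):
    """Return (preamble, [(identifier, rule_text)]); assumes each rule header
    starts a line, so a rule runs until the next header or end of file."""
    heads = list(RULE_HEAD.finditer(text))
    if not heads:
        return text, []
    rules = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        rules.append((m.group(1), text[m.start():end]))
    return text[:heads[0].start()], rules

def clean_yara(text, max_subsigs=MAX_SUBSIGS):
    """Drop repeated identifiers (first definition wins) and rules with too many
    strings. Returns (cleaned_text, report) so you can review what was removed."""
    preamble, rules = split_rules(text)
    seen, kept, report = set(), [], []
    for name, body in rules:
        nstrings = len(STRING_DEF.findall(body))
        if name in seen:
            report.append(f"{name}: duplicate identifier, dropped")
        elif nstrings > max_subsigs:
            report.append(f"{name}: {nstrings} strings > {max_subsigs}, dropped")
        else:
            seen.add(name)
            kept.append(body)
    return preamble + "".join(kept), report

if __name__ == "__main__":
    cleaned, report = clean_yara(SAMPLE_YARA)
    print("\n".join(report))
```

Run it on a downloaded ruleset before copying the result into the ClamAV database directory, and keep the report: a dropped rule is a detection you no longer have, not just a warning silenced.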