Hi,
I'm using clamav-0.103.8 on fedora37 with the current daily update and have
received a false positive involving the RPMSG secure download that's
apparently part of office365.
For some reason the fp is in the body of the message, not the
message_v2.rpmsg attachment. Here is the entire message:
https://drive.google.com/file/d/1ZImepnB_U5_pI0CXRhWm8nlKVCPCFnw3/view?usp=sharing
Here's the sigtool output. Is this in fact a false positive?
$ sigtool --find-sigs Email.Phishing.RPMSG_Downloader-10004958-0 | sigtool --decode-sigs
VIRUS NAME: Email.Phishing.RPMSG_Downloader-10004958-0
TDB: Engine:90-255,Target:4
LOGICAL EXPRESSION: 0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Content-Disposition:
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
has sent you a protected message.
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.office365.com/Encryption/lock.png
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
<a href=
=3D"https://
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
outlook
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.office365.com
* SUBSIG ID 6
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Encryption/
* SUBSIG ID 7
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
retrieve.ashx?
* SUBSIG ID 8
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
recipientemailaddress
* SUBSIG ID 9
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
;senderemailaddress=
* SUBSIG ID 10
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
application/x-microsoft-rpmsg-message;
* SUBSIG ID 11
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
name="message_v{WILDCARD_IGNORE}.rpmsg"
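As an added example (not code from the post or from ClamAV), here is a small Python model of how the logical expression above combines its subsignatures: it counts hits of each decoded subsig in a constructed notification-style message and evaluates `0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11`, which makes visible which message elements the signature requires, the first thing to check when triaging a suspected FP. Assumptions: `(X)>n,m` is read as "more than n hits from at least m distinct subsignatures", subsig 3 contains a newline where sigtool shows it split, `{WILDCARD_IGNORE}` is rendered as a lazy regex, and the sample mail is constructed rather than the linked one.

```python
import re
# Subsignatures as decoded by sigtool in the post (ids 0..11). Subsig 3 is shown split by a
# quoted-printable soft break (newline assumed); {WILDCARD_IGNORE} in 11 becomes a lazy regex.
SUBSIGS = {0: "Content-Disposition:", 1: "has sent you a protected message.",
           2: ".office365.com/Encryption/lock.png", 3: '<a href=\n=3D"https://',
           4: "outlook", 5: ".office365.com", 6: "/Encryption/", 7: "retrieve.ashx?",
           8: "recipientemailaddress", 9: ";senderemailaddress=",
           10: "application/x-microsoft-rpmsg-message;", 11: r'name="message_v.*?\.rpmsg"'}
EXPR = "0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11"
def count_matches(data):  # hit count per subsig over the raw (still quoted-printable) mail
    return {sid: len(re.findall(pat if sid == 11 else re.escape(pat), data))
            for sid, pat in SUBSIGS.items()}

def _eval(s, i, counts):
    # Returns ((hits, distinct_ids), next_index). '|' sums hits, '&' needs hits on both
    # sides, '(X)>n,m' needs hits > n from at least m distinct subsigs (assumed reading).
    def num(i):
        m = re.match(r"\d+", s[i:]); return int(m.group()), i + m.end()
    def atom(i):
        if s[i] == "(":
            (hits, ids), i = expr(i + 1); i += 1                         # consume ')'
        else:
            sid, i = num(i); hits = counts.get(sid, 0); ids = {sid} if hits else set()
        if s[i:i + 1] in ("<", ">", "="):                                  # modifier: op n[,m]
            op = s[i]; n, i = num(i + 1); m = 0
            if s[i:i + 1] == ",":
                m, i = num(i + 1)
            ok = {"<": hits < n, ">": hits > n, "=": hits == n}[op] and len(ids) >= m
            return ((hits, ids) if ok else (0, set())), i
        return (hits, ids), i
    def term(i):                                   # '&' binds tighter than '|' in this model
        (hits, ids), i = atom(i)
        while s[i:i + 1] == "&":
            (h2, i2), i = atom(i + 1)
            hits, ids = (hits + h2, ids | i2) if hits and h2 else (0, set())
        return (hits, ids), i
    def expr(i):
        (hits, ids), i = term(i)
        while s[i:i + 1] == "|":
            (h2, i2), i = term(i + 1)
            hits, ids = hits + h2, ids | i2
        return (hits, ids), i
    return expr(i)

def evaluate(expr, counts):  # True when the whole logical expression fires
    return _eval(expr.replace(" ", ""), 0, counts)[0][0] > 0
# Constructed stand-in for the notification mail (not the poster's): HTML body + attachment headers.
SAMPLE = ("<p>Alice has sent you a protected message.</p>\n"
          '<a href=\n=3D"https://outlook.office365.com/Encryption/retrieve.ashx?'
          'recipientemailaddress=3Dbob;senderemailaddress=3Dalice">Read</a>\n'
          "Content-Type: application/x-microsoft-rpmsg-message;\n"
          '\tname="message_v2.rpmsg"\nContent-Disposition: attachment;\n')
```

Dropping the attachment name (try `SAMPLE.replace("message_v2.rpmsg", "report.pdf")`) defeats subsig 11 and the whole expression, which is why the hit is tied to the `.rpmsg` part even though the phrases come from the body.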