Hi,
> Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with
> the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a
> Google Drive folder. I reported this to the false positive at SaneSecurity address. I also added the
> signature to a file called /var/lib/clamav/sigwhitelist.ign2
>
> Is there a way to verify that the signature itself was fixed?
I have been hit by the same problem. I tried to talk to Malware Patrol,
but the answer was "this is it".
As I update the ClamAV unofficial signatures with
clamav-unofficial-sigs.sh, I did the following:
- in the clamav-unofficial-sigs configuration (in the file user.conf) I
added the following to call an external script before reloading ClamAV:
clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"
- I created a directory where I will do the temp work (that is the FreeBSD
directory structure): /var/db/clamav-unofficial-sigs/post-control
- I created the following script that looks for signatures corresponding
to https://drive.google.com and removes them:
#!/usr/local/bin/perl
# Malware Patrol has listed the URL https://drive.google.com as the
# signature of a virus. This causes any email that has a link to
# a Google document to be quarantined.
# This hack is there to remove that signature from the Malware Patrol
# pattern file.
# It is called by the hook defined in the variable $clamd_reload_opt
# (in user.conf):
# - copy, modify and reinstall the Malware Patrol signature file;
# - send a reload command to clamd.
use strict;
use warnings;

# temp work directory (FreeBSD layout): the parent holds the unofficial
# signature files, ../../clamav is the live ClamAV database directory
my $workdir = "/var/db/clamav-unofficial-sigs/post-control";
# uid/gid of the clamav user
my ($uid, $gid) = (110, 110);

sub do_magic {
    # move the file into the temp directory (hard link, then drop the original)
    link "../malwarepatrol.ndb", "malwarepatrol.ndb"
        or die "cannot link ../malwarepatrol.ndb: $!";
    unlink "../malwarepatrol.ndb";
    # clean the file
    open my $in, '<', "malwarepatrol.ndb"
        or die "cannot read malwarepatrol.ndb: $!";
    open my $out, '>', "malwarepatrol-cln.ndb"
        or die "cannot write malwarepatrol-cln.ndb: $!";
    while (<$in>) {
        chomp;
        # the hex body is https://drive.google.com encoded as an .ndb signature
        next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
        print $out "$_\n";
    }
    close $in;
    close $out or die "cannot close malwarepatrol-cln.ndb: $!";
    # put the cleaned file back in place of the original
    unlink "malwarepatrol.ndb";
    link "malwarepatrol-cln.ndb", "../malwarepatrol.ndb"
        or die "cannot link cleaned file: $!";
    unlink "malwarepatrol-cln.ndb";
    chown $uid, $gid, "../malwarepatrol.ndb";
    # and install it into the ClamAV database directory
    unlink "../../clamav/malwarepatrol.ndb";
    link "../malwarepatrol.ndb", "../../clamav/malwarepatrol.ndb"
        or die "cannot install into ../../clamav: $!";
    chown $uid, $gid, "../../clamav/malwarepatrol.ndb";
    system "logger -p mail.warning clamav-unofficial triggered reading database /var/db/clamav";
    system "clamdscan --reload";
}

# Let's move to the temp directory, so it does not have to be done later
chdir $workdir or die "cannot chdir to $workdir: $!";
do_magic();
exit;
############################
Notes:
- there may be the need for one more change to
clamav-unofficial-sigs.sh, which I don't remember off the top of my
head. But maybe not, and defining clamd_reload_opt is enough.
- Malware Patrol has problems with their signatures for SpamAssassin
too: regularly they will be missing a ] at the end of a regex and SA
would not lint. I had to throw in another workaround to get around that.
- for some reason (educational, I don't really remember), I get Malware
Patrol for free, so I will not push the issue with them and am very
grateful for the help they provide me in protecting my users from
miscreants.
Best regards,
Olivier
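The same clean-up as a general .ndb filter, written as an added example (it is not Olivier's script and not part of clamav-unofficial-sigs). Instead of one fixed regular expression it parses each .ndb record (Name:TargetType:Offset:HexSig, optionally followed by engine-level fields), decodes the hex body when it contains no ClamAV wildcards, and drops the record only if the decoded bytes are exactly one of the benign strings in BENIGN_EXACT; it also lists the names in a file, which answers the question of whether a reported false positive is still shipped after the next download. The sample records, BENIGN_EXACT, the file paths and the owner handling are assumptions.

```python
#!/usr/bin/env python3
"""Strip known false-positive URL signatures from a ClamAV .ndb file.

Added example, not the script from the mailing-list post. Each record is
parsed, a wildcard-free hex body is decoded, and the record is dropped when
the decoded bytes are exactly one of the benign strings in BENIGN_EXACT.
Paths, owner handling and the sample data are assumptions.
"""
import os
import re
import sys
import tempfile

# Strings that are harmless on their own and must never be a whole signature.
# Constructed list; https://drive.google.com is the case from the thread.
BENIGN_EXACT = {
    b"https://drive.google.com",
}

# A plain hex body: pairs of hex digits only, none of the ClamAV wildcards
# ('*', '??', '{n-m}', '(aa|bb)', ...).
_PLAIN_HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def parse_ndb_line(line):
    """Return (name, target_type, offset, hexsig), or None for blank/comment lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")          # Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]
    if len(parts) < 4:
        raise ValueError("malformed .ndb record: %r" % line)
    return parts[0], parts[1], parts[2], parts[3]


def decode_plain_hex(hexsig):
    """Decode a wildcard-free hex body to bytes; None if it contains wildcards."""
    if _PLAIN_HEX.match(hexsig):
        return bytes.fromhex(hexsig)
    return None


def filter_ndb(lines):
    """Return (kept_lines, dropped_names) for an iterable of .ndb lines."""
    kept, dropped = [], []
    for raw in lines:
        text = raw.rstrip("\r\n")
        rec = parse_ndb_line(text)
        if rec is not None:
            name, _target, _offset, hexsig = rec
            body = decode_plain_hex(hexsig)
            if body is not None and body in BENIGN_EXACT:
                dropped.append(name)
                continue
        kept.append(text)
    return kept, dropped


def names_in_ndb(lines):
    """Signature names in the file: check whether a reported FP is still shipped."""
    return {rec[0] for rec in map(parse_ndb_line, lines) if rec is not None}


def rewrite_ndb(path):
    """Rewrite `path` in place (atomic replace, mode and owner preserved)."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        kept, dropped = filter_ndb(fh)
    if not dropped:
        return dropped
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ndb-")
    with os.fdopen(fd, "w", encoding="ascii") as out:
        out.write("\n".join(kept) + "\n")
    os.chmod(tmp, st.st_mode & 0o7777)
    try:
        os.chown(tmp, st.st_uid, st.st_gid)   # needs root when the owner differs
    except PermissionError:
        pass
    os.replace(tmp, path)
    return dropped


# Constructed sample: the FP record named in the thread, a made-up malicious
# URL record, and a drive.google.com record with a wildcard (a real pattern,
# so it must be kept).
SAMPLE_NDB = (
    "MBL_82485625:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d\n"
    "MBL_11111111:0:*:687474703a2f2f6576696c2e6578616d706c652f6d616c2e657865\n"
    "MBL_22222222:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d2f7563*\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("dropped:", rewrite_ndb(sys.argv[1]))   # e.g. malwarepatrol.ndb
    else:
        kept, dropped = filter_ndb(SAMPLE_NDB.splitlines())
        print("dropped:", dropped)
        print("\n".join(kept))
```

Run with the path of the downloaded malwarepatrol.ndb from the clamd_reload_opt hook, then send the reload as the Perl script does; without arguments it processes the constructed sample. The exact-match rule is deliberately narrow: a record whose body merely starts with the benign URL (the wildcard example) is a genuine pattern and is left alone.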
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml