Mailing List Archive

[clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments
Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several
emails quarantined with the MBL_82485625.UNOFFICIAL signature. All they contained was
a link to a Google Drive folder, forwarded as an attachment. I reported this
to the false positive address at SaneSecurity. I also added the signature
to a file called /var/lib/clamav/sigwhitelist.ign2

Is there a way to verify that the signature itself was fixed?
Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments
Hi there,

On Wed, 24 Mar 2021, Robert Kudyba wrote:

> Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several
> emails quarantined with the MBL_82485625.UNOFFICIAL signature. All they contained was
> a link to a Google Drive folder, forwarded as an attachment. I reported this
> to the false positive address at SaneSecurity. ...

It's a Malware Patrol signature, so you should report it to them, not SaneSecurity:

https://sanesecurity.com/support/false-positives/
https://www.malwarepatrol.net/

> Is there a way to verify that the signature itself was fixed?

I don't know what update documentation Malware Patrol provides now; I
stopped using them in 2013.

To see what the signature contains you can use 'sigtool', or alternatively
grep the database file(s) for the string 'MBL_82485625'. I tend to use
grep's '-a' option when I grep things like signature files.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments
On 24 March 2021 14:16:33 Robert Kudyba <rkudyba@fordham.edu> wrote:
> Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several
> emails quarantined with the MBL_82485625.UNOFFICIAL signature. All they contained was
> a link to a Google Drive folder, forwarded as an attachment.
>
Hi Robert,

It's best to report this to Malware Patrol themselves.

I do have the ability to ignore this signature from the mirrors... but they
change the signature name... so it's a bit like whack-a-mole.

Cheers,

Steve
Twitter: @sanesecurity
Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments
Hi,

> Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with
> the MBL_82485625.UNOFFICIAL signature. All they contained was a link to a Google Drive folder,
> forwarded as an attachment. I reported this to the false positive address at SaneSecurity. I also
> added the signature to a file called /var/lib/clamav/sigwhitelist.ign2
>
> Is there a way to verify that the signature itself was fixed?

I have been hit by the same problem. I tried to talk to Malware Patrol,
but the answer was "this is it".

Since I update the ClamAV unofficial signatures with
clamav-unofficial-sigs.sh, I did the following:

- in the clamav-unofficial-sigs configuration (the file user.conf) I
added the following to call an external script before reloading ClamAV:

clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"

- I created a directory where I do the temporary work (that is the FreeBSD
directory layout): /var/db/clamav-unofficial-sigs/post-control

- I created the following script, which looks for signatures corresponding
to https://drive.google.com and removes them:

#!/usr/local/bin/perl
use strict;
use warnings;

# Malware Patrol has listed the URL https://drive.google.com as the
# signature of a virus. This causes any email that has a link to
# a Google document to be quarantined.
#
# This hack is there to remove that signature from the Malware Patrol
# pattern file.
#
# It is called by the hook defined in the variable $clamd_reload_opt
# (in user.conf):
#
# - copy, modify and reinstall the Malware Patrol signature file;
# - send a reload command to clamd.

# uid/gid that owns the ClamAV databases on this host
my $clamav_uid = 110;
my $clamav_gid = 110;

sub do_magic {
    # move the file into the temp directory (link + unlink, same filesystem)
    link "../malwarepatrol.ndb", "malwarepatrol.ndb"
        or die "link ../malwarepatrol.ndb: $!";
    unlink "../malwarepatrol.ndb"
        or die "unlink ../malwarepatrol.ndb: $!";

    # clean the file
    open my $in, '<', "malwarepatrol.ndb"
        or die "open malwarepatrol.ndb: $!";
    open my $out, '>', "malwarepatrol-cln.ndb"
        or die "open malwarepatrol-cln.ndb: $!";
    while (my $line = <$in>) {
        chomp $line;    # chomp, not chop: only strip a trailing newline
        # the following hex string is https://drive.google.com;
        # skip any NDB entry whose whole body is just that URL
        next if $line =~ /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
        print {$out} "$line\n";
    }
    close $in;
    close $out or die "close malwarepatrol-cln.ndb: $!";

    # put the cleaned file back where clamav-unofficial-sigs keeps it ...
    unlink "malwarepatrol.ndb";
    link "malwarepatrol-cln.ndb", "../malwarepatrol.ndb"
        or die "link ../malwarepatrol.ndb: $!";
    unlink "malwarepatrol-cln.ndb";
    chown $clamav_uid, $clamav_gid, "../malwarepatrol.ndb";

    # ... and into the ClamAV database directory
    unlink "../../clamav/malwarepatrol.ndb";
    link "../malwarepatrol.ndb", "../../clamav/malwarepatrol.ndb"
        or die "link ../../clamav/malwarepatrol.ndb: $!";
    chown $clamav_uid, $clamav_gid, "../../clamav/malwarepatrol.ndb";

    system "logger -p mail.warning clamav-unofficial triggered reading database /var/db/clamav";
    system "clamdscan --reload";
}

# Let's move to the temp directory, so it does not have to be done later
chdir "/var/db/clamav-unofficial-sigs/post-control"
    or die "chdir /var/db/clamav-unofficial-sigs/post-control: $!";

do_magic();
exit 0;
############################

Notes:

- there may be a need for one more change to
clamav-unofficial-sigs.sh that I don't remember off the top of my
head. But maybe not, and defining clamd_reload_opt is enough.

- Malware Patrol has problems with their signatures for SpamAssassin
too; regularly they will be missing a ] at the end of a regex and SA
will not lint. I had to add another workaround to get around that.

- for some reason (educational, I don't really remember), I get Malware
Patrol for free, so I will not push the issue with them and am very
grateful for the help they provide me in protecting my users from the
miscreants.

Best regards,

Olivier

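Two things the thread leaves the reader to do by hand: see what an MBL_ signature actually matches (Ged's sigtool/grep suggestion) and strip a known-bad entry from the feed before clamd loads it (Olivier's Perl hook). The Python below is an added example, not code from ClamAV, Malware Patrol, clamav-unofficial-sigs or any of the posters. The sample .ndb lines are constructed (only the first body, the hex for https://drive.google.com, comes from the thread), and BENIGN_LITERALS is a hypothetical operator-maintained list. It generalizes Olivier's filter by deciding on the decoded body rather than on one fixed hex regex, and it only drops entries that contain no wildcards, so a real signature that merely includes the URL alongside other content is kept.

```python
"""Decode and scrub ClamAV .ndb signatures (added example, not list code)."""
import re
from dataclasses import dataclass

# Constructed sample feed. The first line has the shape of the entry discussed
# in the thread (target 0, any offset, the bare string https://drive.google.com);
# the other two names and bodies are made up for illustration.
SAMPLE_NDB = """\
MBL_82485625:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d
MBL_10000001:0:*:687474703a2f2f6576696c2e6578616d706c652f7061796c6f61642e657865
MBL_10000002:0:*:7b5c72746631*5c6f626a64617461(B)
"""

# Hypothetical operator-maintained list: strings that must never be a whole
# signature on their own because they appear in legitimate mail.
BENIGN_LITERALS = {"https://drive.google.com"}


@dataclass
class NdbSig:
    name: str     # raw name as stored; clamd appends .UNOFFICIAL when reporting
    target: int   # 0 = any file, 1 = PE, 3 = HTML, ...
    offset: str   # '*' or an offset expression
    hexsig: str   # body in ClamAV hex-signature syntax
    raw: str      # the original line, kept so extra fields survive a rewrite


def parse_ndb(text):
    """Parse MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]] lines."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed .ndb line: {line!r}")
        sigs.append(NdbSig(parts[0], int(parts[1]), parts[2], parts[3], line))
    return sigs


# Tokens of a hex body: '*' any-length gap, {n-m} bounded gap, (a|b) alternatives
# or (B)/(L)/(W) boundary markers, '??'/'a?' nibble wildcards, plain hex bytes.
_TOKEN = re.compile(r"\*|\{[^}]*\}|\([^)]*\)|[0-9a-fA-F?]{2}")


def decode_hexsig(hexsig):
    """Render a hex body as readable text; operators become <...> markers."""
    out, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax at {pos} in {hexsig!r}")
        tok, pos = m.group(), m.end()
        if tok == "*":
            out.append("<*>")
        elif tok.startswith("{"):
            out.append(f"<skip {tok[1:-1]}>")
        elif tok in ("(B)", "(L)", "(W)"):
            out.append(f"<{tok[1]}>")
        elif tok.startswith("("):
            out.append("(" + "|".join(decode_hexsig(a) for a in tok[1:-1].split("|")) + ")")
        elif "?" in tok:
            out.append("<?>")
        else:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 and chr(b) not in "<>" else f"\\x{b:02x}")
    if pos != len(hexsig):
        raise ValueError(f"unsupported syntax at {pos} in {hexsig!r}")
    return "".join(out)


def is_wildcard_free(hexsig):
    """True when the body is a plain byte string with no pattern operators."""
    return re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig) is not None


def scrub_ndb(text, benign=BENIGN_LITERALS):
    """Return (kept_lines, dropped_names); drop only exact benign literals."""
    kept, dropped = [], []
    for sig in parse_ndb(text):
        if is_wildcard_free(sig.hexsig) and decode_hexsig(sig.hexsig) in benign:
            dropped.append(sig.name)
        else:
            kept.append(sig.raw)
    return kept, dropped


def ign2_entry(detected_name):
    """Name to put in a local .ign2 file for a detection clamd reported.

    clamd reports unofficial detections as Name.UNOFFICIAL, but the ignore list
    is matched against the raw name in the database, so the suffix is stripped.
    """
    suffix = ".UNOFFICIAL"
    return detected_name[:-len(suffix)] if detected_name.endswith(suffix) else detected_name


def report(text):
    """One readable line per signature: what each entry would match."""
    return [f"{s.name} target={s.target} offset={s.offset} body={decode_hexsig(s.hexsig)}"
            for s in parse_ndb(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_NDB):
        print(line)
    kept, dropped = scrub_ndb(SAMPLE_NDB)
    print("dropped:", dropped, "kept:", len(kept))
    print("ign2 entry:", ign2_entry("MBL_82485625.UNOFFICIAL"))
```

Running it shows that the MBL_82485625 body is nothing more than the 24-byte string https://drive.google.com with target type 0 and no offset constraint, which is why any mail carrying that link matches. On a host with sigtool you get the same view without the script: sigtool --find-sigs=MBL_82485625 | sigtool --decode-sigs. Two caveats for the fixes discussed in the thread: a .ign2 whitelist entry must be the raw name (MBL_82485625, without .UNOFFICIAL), and scrubbing the feed file is undone by the next clamav-unofficial-sigs run unless it is hooked into the update, which is what Olivier's clamd_reload_opt setting does; either way clamd needs a reload (clamdscan --reload) before the change takes effect.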