[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

Robert Kudyba rkudyba at fordham.edu
Wed Apr 28 14:24:55 UTC 2021


Since the signature name has .UNOFFICIAL and starts with MBL, I believe
that's Malware Block List. I've submitted a sample to fp (at)
malwarepatrol.net. Is more than one sample needed? I'm posting here to let
others know and as they don't appear to acknowledge or reply.

Why don't these come up?

sigtool --find-sigs  MBL_85256034*|sigtool --decode-sigs
sigtool --find-sigs  MBL_85256034|sigtool --decode-sigs
sigtool --find-sigs  MBL_85256034.UNOFFICIAL|sigtool --decode-sigs

I also see multiple signature whitelists with some duplication:
/var/lib/clamav/securiteinfo.ign2
/var/lib/clamav/sigwhitelist.ign2
/var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
/var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2

That should be ok?

I've seen this reported here before, e.g.,
https://clamav-users.clamav.narkive.com/mqj2qe6y/malwarepatrol-false-positive
and
https://clamav-users.clamav.narkive.com/5QYf5SQW/mbl-17713260-false-positive