[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
G.W. Haywood
clamav at jubileegroup.co.uk
Wed Apr 28 15:04:47 UTC 2021
Hi there,
On Wed, 28 Apr 2021, Robert Kudyba wrote:
> Since the signature name has .UNOFFICIAL and starts with MBL I believe
> that's Malware Block List. I've submitted a sample to fp (at)
> malwarepatrol.net. Is more than one sample needed? I'm posting here to let
> others know and as they don't appear to acknowledge nor reply.
I can't help you with anything related to Malwarepatrol.
> Why don't these come up?
>
> sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034.UNOFFICIAL|sigtool --decode-sigs
As per the documentation I would write all those as
sigtool --find-sigs=MBL...
but I find that they seem to work without the '=' and that's a little
surprising to me. I don't know why you're not seeing the output that
you expect, maybe sigtool isn't looking where you think it's looking,
or what you think is there isn't there?
Also, you need to be careful with special characters like '*', which
generally need to be hidden from the shell either by 'quoting' or by
'escaping' them - otherwise the shell may expand them before handing
the (now probably useless) command to your utility. So I'd write
sigtool --find-sigs='MBL_85256034*' | sigtool --decode-sigs
> I also see multiple signature whitelists with some duplication:
> /var/lib/clamav/securiteinfo.ign2
> /var/lib/clamav/sigwhitelist.ign2
> /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
> /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
>
> That should be ok?
The duplication? Shouldn't be a problem. Small efficiency loss.
--
73,
Ged.
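The quoting point above is easy to see with a small experiment. The script below is an added illustration, not from the thread or from ClamAV: count_args is a stand-in for sigtool that only reports how many arguments it received, and the MBL_85256034* file names it creates in a scratch directory are constructed samples, not real signature files. It shows that with matching files in the current directory the shell replaces the unquoted pattern with the file names before the utility runs, that quoting keeps the pattern intact, and that in a directory with no matching file the unquoted pattern is passed through literally, which is why the problem can appear only intermittently.

```shell
#!/bin/sh
# Added example (not part of the mailing-list post): how an unquoted glob
# such as MBL_85256034* reaches a utility after shell expansion.

# Stand-in for sigtool (assumption: we do not need the real binary here).
# It just prints the number of arguments it was handed.
count_args() {
    echo "$#"
}

# Create a scratch directory containing constructed file names that match
# the pattern; these are sample names, not real ClamAV database entries.
make_scratch() {
    dir=$(mktemp -d)
    touch "$dir/MBL_85256034.UNOFFICIAL" "$dir/MBL_85256034.ndb"
    printf '%s\n' "$dir"
}

# Pattern left unquoted: the shell performs pathname expansion in the given
# directory, so the utility sees one argument per matching file.
unquoted_count() {
    ( cd "$1" && count_args --find-sigs MBL_85256034* )
}

# Pattern single-quoted: the utility receives the literal string, which is
# what sigtool needs in order to do its own matching.
quoted_count() {
    ( cd "$1" && count_args --find-sigs 'MBL_85256034*' )
}

# Stand-alone usage: print the argument count in each situation.
scratch=$(make_scratch)
empty=$(mktemp -d)
echo "unquoted, matching files present: $(unquoted_count "$scratch") args"
echo "quoted,   matching files present: $(quoted_count "$scratch") args"
echo "unquoted, no matching files:      $(unquoted_count "$empty") args"
rm -rf "$scratch" "$empty"
```

With matching files present the unquoted form yields three arguments (--find-sigs plus two file names), while the quoted form and the empty-directory case both yield two; the last case is the one that hides the bug until a matching file happens to exist in the working directory.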