[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

Steve Basford steveb_clamav at sanesecurity.com
Wed Apr 28 22:13:01 UTC 2021


On 28 April 2021 15:25:32 Robert Kudyba <rkudyba at fordham.edu> wrote:
> Since the signature name has .UNOFFICIAL and starts with MBL I believe 
> that's Malware Block List. I've submitted a sample to fp (at) 
> malwarepatrol.net. Is more than one sample needed? I'm posting here to let 
> others know and as they don't appear to acknowledge nor reply.

Hi...

This issue has cropped up lots of times unfortunately (search the list archive).

This is on their blog:

https://www.malwarepatrol.net/block-lists-protect-against-ransomware-infections/

They really should have a main block list with Google Drive links in... 
and a separate one for the whole Google Drive domain (for people that don't 
mind the high FPs).

This hasn't been fixed as far as I can see since 2018-ish...

Obviously there are script tweaks to remove Google Drive sigs before moving 
to the ClamAV database folder...

... Or just stop using them and save yourself the headache.

Their sig name changes each time too, otherwise I could add a sig to the 
unofficial mirrors to stop it.

When you report the issue to them make sure you report the blocked domain 
as drive dot Google dot com etc. as the normal text domain might get 
blocked using their own signatures.

Sorry I can't help much more.

Cheers,

Steve
Twitter: @sanesecurity
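As an added illustration of the "script tweaks" Steve mentions above (this is not code from the list, from Sanesecurity or from Malware Patrol): a small Python filter that drops .ndb signatures whose decoded hex body names drive.google.com before the file is copied into the ClamAV database directory. It assumes the third-party list is in .ndb format (Name:Target:Offset:HexSig[:MinFL[:MaxFL]]); the sample lines, signature names and the exempted-domain list are constructed for the example.

```python
"""Drop Google Drive URL signatures from a third-party ClamAV .ndb list.

Assumption: the list uses the .ndb format, where the fourth field is a
hex-encoded byte pattern that may contain wildcards (??, *, {n-m}, (aa|bb)).
"""
import re
import sys

HEX_RUN = re.compile(r"[0-9a-fA-F]{2,}")
# Domains whose signatures we refuse to load (assumed list, adjust locally).
EXEMPT_DOMAINS = ("drive.google.com", "docs.google.com")


def decode_hex_body(hexsig: str) -> str:
    """Decode the literal byte runs of a ClamAV hex signature to text.

    Wildcards split the signature into runs; each run is decoded on its own
    and the pieces are joined with NUL so a domain cannot straddle a gap."""
    parts = []
    for run in HEX_RUN.findall(hexsig):
        if len(run) % 2:  # odd length cannot be whole bytes (e.g. a {n-m} bound)
            continue
        parts.append(bytes.fromhex(run).decode("latin-1"))
    return "\x00".join(parts)


def is_google_drive_sig(line: str) -> bool:
    """True when an .ndb line's decoded body names an exempted domain."""
    if line.startswith("#"):
        return False
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:  # not an .ndb record (comment, blank, other format)
        return False
    body = decode_hex_body(fields[3]).lower()
    return any(domain in body for domain in EXEMPT_DOMAINS)


def filter_ndb(lines):
    """Split signature lines into (kept, dropped) lists."""
    kept, dropped = [], []
    for line in lines:
        (dropped if is_google_drive_sig(line) else kept).append(line)
    return kept, dropped


# Constructed sample records: names and URLs are made up for this example.
SAMPLE_NDB = [
    "MBL_00000001.UNOFFICIAL:0:*:" + "https://drive.google.com/file/d/".encode().hex(),
    "MBL_00000002.UNOFFICIAL:0:*:" + "http://bad.example/dropper.exe".encode().hex(),
    "MBL_00000003.UNOFFICIAL:0:*:" + "http://bad.example/".encode().hex() + "??" + "/x".encode().hex(),
]

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NDB
    kept, dropped = filter_ndb(src)
    sys.stdout.write("".join(l if l.endswith("\n") else l + "\n" for l in kept))
    sys.stderr.write(f"dropped {len(dropped)} Google Drive signature(s)\n")
```

Run it on the downloaded .ndb and redirect stdout into the file you place in the ClamAV database directory; the dropped count on stderr is a quick check that the filter is still catching anything after the list's next sig rename.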