[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

Olivier Olivier.Nicole at cs.ait.ac.th
Thu Apr 29 02:43:25 UTC 2021


Hi,

Robert Kudyba <rkudyba at fordham.edu> writes:

> Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've
> submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let
> others know and as they don't appear to acknowledge nor reply.

I contacted them once and the reply was along the lines that they considered
that the risk was real enough to keep the rule(s).

As I am updating ClamAV unofficial with the clamav-unofficial-sigs.sh
script, I wrote a hook that removes any drive.google.doc from the
signature (there are/were at least 3 entries).

As I wrote the hook, I can modify it in the future to fit my needs, so it
is not wasted time.

I can share the script.

Best regards,

Olivier

>
> Why don't these come up?
>
> sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034|sigtool --decode-sigs
> sigtool --find-sigs MBL_85256034.UNOFFICIAL|sigtool --decode-sigs
>
> I also see multiple signature whitelists with some duplication:
> /var/lib/clamav/securiteinfo.ign2
> /var/lib/clamav/sigwhitelist.ign2
> /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
> /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
>
> That should be ok?
>
> I've seen this reported here before, e.g.,
> https://clamav-users.clamav.narkive.com/mqj2qe6y/malwarepatrol-false-positive and
> https://clamav-users.clamav.narkive.com/5QYf5SQW/mbl-17713260-false-positive
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
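An added example, not Olivier's hook (his script is not on the page) and not anything from clamav-unofficial-sigs or MalwarePatrol: rather than deleting lines from the vendor file, which the next signature update overwrites, it collects the names of signatures whose hex body encodes a Google Drive URL and writes them to a local .ign2 file, the ClamAV format for "signature names to ignore". It assumes the feed is in .ndb format (Name:TargetType:Offset:HexSignature); the file names, signature names (MBL_TEST000x) and URLs in it are constructed for the demo and are not real MalwarePatrol entries.

```bash
#!/usr/bin/env bash
# Added example: whitelist third-party signatures that match a Google Drive
# URL by name in a local .ign2 file instead of editing the vendor database.
# Assumes an .ndb-style feed (Name:TargetType:Offset:HexSignature). All file
# names, signature names and URLs below are constructed for the demo.
set -eu

# Hex-encode a string as lowercase hex with no spaces, the encoding ClamAV
# uses for .ndb signature bodies.
to_hex() {
  printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Print the names of signatures in an .ndb-style file whose hex body contains
# the hex encoding of any of the given plain-text strings. Hex digits are
# compared case-insensitively; the strings themselves are matched byte-exact.
# Wildcards in the body (*, ??, {n-m}) are not interpreted, so confirm a hit
# with sigtool --decode-sigs before trusting it.
find_sigs_matching() {
  local db="$1"; shift
  local pat="" s
  for s in "$@"; do
    pat="${pat:+$pat|}$(to_hex "$s")"
  done
  awk -F: -v pat="$pat" 'NF >= 4 && tolower($4) ~ pat { print $1 }' "$db"
}

# Append matching signature names to a local .ign2 whitelist, once each, so
# repeated runs after every feed update stay idempotent.
whitelist_sigs() {
  local db="$1" ign="$2"; shift 2
  touch "$ign"
  find_sigs_matching "$db" "$@" | while IFS= read -r name; do
    grep -qxF -- "$name" "$ign" || printf '%s\n' "$name" >> "$ign"
  done
}

# Constructed stand-in for a third-party feed (target type 3, HTML, chosen
# for the demo). Bodies are generated with to_hex so they are valid hex.
make_sample_db() {
  {
    printf 'MBL_TEST0001:3:*:%s\n' "$(to_hex 'https://drive.google.com/file/d/EXAMPLE1/view')"
    printf 'MBL_TEST0002:3:*:%s\n' "$(to_hex 'http://malware.example/dropper.exe')"
    printf 'MBL_TEST0003:3:*:%s\n' "$(to_hex 'https://docs.google.com/uc?id=EXAMPLE2')"
    printf 'MBL_TEST0004:3:*:%s\n' "$(to_hex 'https://drive.google.com/uc?export=download&id=EXAMPLE3')"
  } > "$1"
}

main() {
  local work
  work=$(mktemp -d)
  make_sample_db "$work/malwarepatrol.ndb"
  whitelist_sigs "$work/malwarepatrol.ndb" "$work/local-fp.ign2" \
    'drive.google.com' 'docs.google.com'
  echo "Signatures to ignore (copy $work/local-fp.ign2 into DatabaseDirectory):"
  cat "$work/local-fp.ign2"
  rm -rf "$work"
}

main
```

Run it once per feed update (for instance from the same hook point Olivier describes) and drop the resulting .ign2 next to the other ignore lists the thread shows under /var/lib/clamav/; clamd loads it like any other database file, and because it only lists names, it survives the vendor file being replaced. On a host with ClamAV installed, check each candidate with the pipeline from the original mail, `sigtool --find-sigs NAME | sigtool --decode-sigs`, since the hex match here is deliberately simple and does not understand wildcards.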
