[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

G.W. Haywood clamav at jubileegroup.co.uk
Thu Apr 29 12:58:33 UTC 2021


Hi there,

On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> Robert Kudyba <rkudyba at fordham.edu> writes:
>
>> How would you make this work for docs.google.com as well?
>>
>> the following regex corresponds to https://drive.google.com
>> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> If I remember correctly (I am at home and I have nothing to check), the
> URL is encoded in base64 ...

This is plain hexadecimal representation of the individual characters,
not Base64 encoding.

> ... so it should be:
> 68747470733a2f2f646f637s2e676f6f676c652e636f6d

The character 's' is not in the range [0-9a-f] which are normally used
to represent hexadecimal numbers.

ASCII   hex

h       68
t       74
t       74
p       70
s       73
:       3a

# the following regex corresponds to https://drive.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;

# the following regex corresponds to https://docs.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;

You could do better with a regex, see the excellent Perl documentation.
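As an added example (not code from the list post or from the script discussed there), the following Python turns a URL into the plain-hex body form shown above and back again, and applies an allow-list of URLs to a batch of signature lines instead of one hand-written regex per URL. It also catches the kind of non-hex character ("s") that the reply points out. The sample signature lines and the `MBL_...:0:*:` layout assumed here are constructed for the example; the parser deliberately handles only a literal `*` or numeric offset and only a plain-hex body, so any other ClamAV offset form or wildcard syntax is reported as "not_plain_hex" rather than decoded.

```python
import re

# Constructed sample signature lines (not taken from the list post). The
# third one contains the non-hex character 's' that the reply points out.
SAMPLE_SIGNATURES = [
    "MBL_85256034:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d",
    "MBL_85256035:0:*:68747470733a2f2f646f63732e676f6f676c652e636f6d",
    "MBL_85256036:0:*:68747470733a2f2f646f637s2e676f6f676c652e636f6d",
    "MBL_85256037:0:*:68747470733a2f2f6578616d706c652e636f6d",
]

# URLs whose exact-match signatures we want to drop as false positives.
ALLOWED_URLS = {"https://drive.google.com", "https://docs.google.com"}

# Simplified layout: name, target type, offset ('*' or a number), hex body.
SIG_RE = re.compile(
    r"^(?P<name>MBL_\d+):(?P<target>\d+):(?P<offset>\*|\d+):(?P<body>.*)$"
)


def url_to_hex(url: str) -> str:
    """Encode each ASCII character as two lowercase hex digits."""
    return url.encode("ascii").hex()


def hex_to_url(body: str) -> str:
    """Decode a plain-hex signature body; reject anything that is not
    an even-length run of [0-9a-fA-F] (e.g. a stray 's' or a wildcard)."""
    if len(body) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", body):
        raise ValueError("body is not plain hexadecimal: %r" % body)
    return bytes.fromhex(body).decode("ascii")


def classify(line: str, allowed=ALLOWED_URLS):
    """Return (verdict, decoded_body) for one signature line.

    verdict is one of: 'unparsed', 'not_plain_hex', 'skip', 'keep'.
    """
    m = SIG_RE.match(line.strip())
    if not m:
        return ("unparsed", None)
    try:
        decoded = hex_to_url(m["body"])
    except ValueError:
        return ("not_plain_hex", None)
    if decoded in allowed:
        return ("skip", decoded)
    return ("keep", decoded)


def filter_signatures(lines, allowed=ALLOWED_URLS):
    """Split signature lines into buckets; 'skip' is the equivalent of the
    reply's `next if /.../;` lines, generalised to a set of URLs."""
    buckets = {"keep": [], "skip": [], "not_plain_hex": [], "unparsed": []}
    for line in lines:
        verdict, _decoded = classify(line, allowed)
        buckets[verdict].append(line)
    return buckets


if __name__ == "__main__":
    for url in sorted(ALLOWED_URLS):
        print("%-26s -> %s" % (url, url_to_hex(url)))
    for line in SAMPLE_SIGNATURES:
        print("%-14s %s" % classify(line)[0], line)
```

Lines that land in the `not_plain_hex` or `unparsed` buckets are the ones worth logging rather than silently passing through, since that is where a typo in an allow-list entry or a signature using wildcard syntax would otherwise go unnoticed.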

See also

https://www.clamav.net/documents/body-based-signature-content-format

for writing signatures and for example

man ascii

for more information about hexadecimal representation of characters.

Be careful with this stuff, it's easy to shoot yourself in the foot.
Look carefully at what's happening.  The script does try to log things
and you can easily extend that - you might need to look at for example

man syslog

HTH

--

73,
Ged.
