[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Robert Kudyba
rkudyba at fordham.edu
Thu Apr 29 13:20:48 UTC 2021
>
> On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> > Robert Kudyba <rkudyba at fordham.edu> writes:
> >
> >> How would you make this work for docs.google.com as well?
> >>
> >> the following regex corresponds to https://drive.google.com
> >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> >
> > If I remember correctly (I am at home and I have nothing to check), the
> > URL is encoded in base64 ...
>
> This is plain hexadecimal representation of the individual characters,
> not Base64 encoding.
>
> > ... so it should be:
> > 68747470733a2f2f646f637s2e676f6f676c652e636f6d
>
> The character 's' is not in the range [0-9a-f] which are normally used
> to represent hexadecimal numbers.
>
> ASCII hex
>
> h 68
> t 74
> t 74
> p 70
> s 73
> : 3a
>
> # the following regex corresponds to https://drive.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> # the following regex corresponds to https://docs.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
>
> You could do better with a regex, see the excellent Perl documentation.
>
So what's the syntax to use || (or) with this? Something like this?
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/ ||
/^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
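
Added example, not part of the original message or of any poster's script: one way to fold both exemptions into a single anchored pattern, generating the hex with `unpack` instead of typing it by hand. The names `@allowed`, `$skip`, `filter_sigs` and the sample signature lines are constructed for illustration; only the `MBL_<id>:0:*:<hex>` layout is taken from the regexes quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# URL prefixes to exempt; the two hosts come from the thread.
my @allowed = ('https://drive.google.com', 'https://docs.google.com');

# unpack 'H*' yields the lowercase hex form used in the signature body,
# which avoids hand-typed slips such as a stray 's' in the hex string.
my $alt = join '|', map { unpack 'H*', $_ } @allowed;

# One anchored pattern; (?:...) groups the alternatives so that ^ and $
# apply to every branch, equivalent to chaining two matches with ||.
my $skip = qr/^MBL_\d+:0:\*:(?:$alt)$/;

# Return only the signature lines that do not match an exempted prefix.
sub filter_sigs {
    my @kept;
    for (@_) {
        next if /$skip/;
        push @kept, $_;
    }
    return @kept;
}

# Constructed sample lines in the MBL_<id>:0:*:<hex> layout from the thread.
my @sample = (
    'MBL_85256034:0:*:' . unpack('H*', 'https://drive.google.com'),
    'MBL_11111111:0:*:' . unpack('H*', 'https://docs.google.com'),
    'MBL_22222222:0:*:' . unpack('H*', 'https://docs.google.com.example.test'),
    'MBL_33333333:0:*:' . unpack('H*', 'https://example.test/path'),
);

# Decode the hex of each surviving line so the result is readable.
for my $line (filter_sigs(@sample)) {
    my ($hex) = $line =~ /:([0-9a-f]+)$/;
    printf "kept %s  (%s)\n", $line, pack('H*', $hex);
}
```

Because the pattern ends in `$`, only signatures whose body is exactly one of the listed prefixes are skipped; the constructed `docs.google.com.example.test` line is kept.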