[clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments
Olivier
Olivier.Nicole at cs.ait.ac.th
Thu Mar 25 01:56:46 UTC 2021
Hi,

> Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with
> the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a
> Google Drive folder. I reported this to the SaneSecurity false positive address. I also added the
> signature to a file called /var/lib/clamav/sigwhitelist.ign2
>
> Is there a way to verify that the signature itself was fixed?

I have been hit by the same problem. I tried to talk to Malware Patrol,
but the answer was "this is it".

As I update the ClamAV unofficial signatures with
clamav-unofficial-sigs.sh I did the following:

- in the clamav-unofficial-sigs configuration (in the file user.conf) I
added the following to call an external script before reloading ClamAV:

clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"

- I created a directory where I will do the temp work (that is the FreeBSD
directory structure): /var/db/clamav-unofficial-sigs/post-control

- I created the following script that looks for signatures corresponding
to https://drive.google.com and removes them:
#!/usr/local/bin/perl
# Malware Patrol has listed the URL https://drive.google.com as the
# signature of a virus. This causes any email that has a link to
# a Google document to be quarantined.
# This hack is there to remove that signature from the Malware Patrol
# pattern file.
# It is called by the hook defined in the variable $clamd_reload_opt
# (in user.conf)
# - copy, modify and reinstall Malware Patrol signature file;
# - send a reload command to clamav-clamd
use strict;
use warnings;

sub do_magic {
    # move the file into the temp directory (link + unlink acts as a move
    # within the same filesystem)
    link "../malwarepatrol.ndb", "malwarepatrol.ndb"
        or die "cannot link ../malwarepatrol.ndb: $!";
    unlink "../malwarepatrol.ndb";
    # clean the file
    open my $in,  '<', "malwarepatrol.ndb"     or die "cannot read malwarepatrol.ndb: $!";
    open my $out, '>', "malwarepatrol-cln.ndb" or die "cannot write malwarepatrol-cln.ndb: $!";
    while (<$in>) {
        # chomp, not chop: chop would eat the last hex digit of a final
        # line that has no trailing newline
        chomp;
        # the following hex string corresponds to https://drive.google.com
        next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
        print $out "$_\n";
    }
    close $in;
    close $out or die "cannot close malwarepatrol-cln.ndb: $!";
    # put the cleaned file back where clamav-unofficial-sigs and clamd expect it
    unlink "malwarepatrol.ndb";
    link "malwarepatrol-cln.ndb", "../malwarepatrol.ndb" or die "cannot link: $!";
    unlink "malwarepatrol-cln.ndb";
    chown 110, 110, "../malwarepatrol.ndb";   # 110 is presumably the clamav uid/gid on this host
    unlink "../../clamav/malwarepatrol.ndb";
    link "../malwarepatrol.ndb", "../../clamav/malwarepatrol.ndb" or die "cannot link: $!";
    chown 110, 110, "../../clamav/malwarepatrol.ndb";
    system "logger -p mail.warning clamav-unofficial triggered reading database /var/db/clamav";
    system "clamdscan --reload";
}

# Let's move to the temp directory, so it does not have to be done later
chdir "/var/db/clamav-unofficial-sigs/post-control" or die "cannot chdir: $!";
do_magic();
exit;
############################
Notes:

- there may be the need for one more change to
clamav-unofficial-sigs.sh, that I don't remember off the top of my
head. But maybe not, and defining clamd_reload_opt is enough.

- Malware Patrol has problems with their signatures for SpamAssassin
too: regularly they will be missing a ] at the end of a regex and SA
will not lint. I had to throw in another workaround to get around that.

- for some reason (educational, I don't really remember), I get Malware
Patrol for free, so I will not push the issue with them and am very
grateful for the help they provide me in protecting my users from
miscreants.

Best regards,
Olivier
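As an added illustration (not Olivier's script, nor anything from Malware Patrol or clamav-unofficial-sigs), the same clean-up in Python: it parses each .ndb line into its Name:TargetType:Offset:HexSignature fields, decodes the hex body so an entry is matched on the URL it actually represents rather than on a hard-coded hex string, and drops entries whose whole body is a known-benign URL. The sample .ndb content and the allowlist are constructed; bodies containing ClamAV wildcards are not valid hex and are kept as they are.

```python
import binascii
from dataclasses import dataclass
# Constructed sample of a Malware Patrol .ndb file: the first entry is the one the
# post describes (hex for "https://drive.google.com"); the other names and bodies
# are made up. The last line has no trailing newline on purpose: that is the case
# the original chop-based loop would have mangled.
SAMPLE_NDB = (
    "MBL_82485625:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d\n"
    "MBL_00000001:0:*:687474703a2f2f6576696c2e6578616d706c652f7061796c6f6164\n"
    "MBL_00000002:0:*:68747470733a2f2f6c6f67696e2e6578616d706c652e6f7267\n"
    "MBL_00000003:0:*:68747470{2-4}3a2f2f6c6f67696e"   # wildcard body, must be kept
)
# URLs too generic to stand as a whole-body signature (constructed allowlist)
BENIGN_URLS = {"https://drive.google.com"}

@dataclass
class NdbSig:
    name: str      # signature name, e.g. MBL_82485625
    target: str    # target type (0 = any file)
    offset: str    # offset, or "*" for anywhere
    hexbody: str   # hex-encoded body, may contain ClamAV wildcards

    def decoded(self):
        """Body as ASCII text, or None if it has wildcards or non-text bytes."""
        try:
            return binascii.unhexlify(self.hexbody).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            return None

def parse_ndb(text):
    """Parse Name:TargetType:Offset:HexSignature lines, skipping blanks/comments."""
    sigs = []
    for line in text.splitlines():          # works with a missing final newline
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed .ndb line: {line!r}")
        sigs.append(NdbSig(*parts))
    return sigs

def filter_benign(sigs):
    """Drop signatures whose entire decoded body is just a benign URL."""
    return [s for s in sigs if s.decoded() not in BENIGN_URLS]

def clean_ndb(text):
    """Rewrite the .ndb text with the benign-URL signatures removed."""
    kept = filter_benign(parse_ndb(text))
    return "".join(f"{s.name}:{s.target}:{s.offset}:{s.hexbody}\n" for s in kept)
```

Matching on the decoded body means a renamed or renumbered MBL entry for the same URL is still caught, which the hex-literal regex in the Perl hook would miss if the target type or offset field changed.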