[clamav-users] Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.

Steve Basford steveb_clamav at sanesecurity.com
Fri Jul 22 10:11:47 UTC 2022


On 22 July 2022 10:15:27 Thomas Barth via clamav-users 
<clamav-users at lists.clamav.net> wrote:

> Hello,
>
> I use ClamAV unofficial signatures and it seems that I get a false
> positive, I'm not sure. A known person with a gmail-address and MS
> Outlook 16.0 X-Mailer tries to send me a mail with a link to google docs
> (Google Sheets) and Amavis refuses to accept this mail. I scanned this
> file in the quarantine again and I get the detection again and some
> other errors.
>
> [more yyerror() ]
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389
> duplicate identifier "zeroaccess_js4"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414
> duplicate identifier "zerox88_js2"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444
> duplicate identifier "zerox88_js3"
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472
> duplicate identifier "zeus_js"
> LibClamAV Warning: load_oneyara: yara rule contains too many subsigs
> (1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
> LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules
> from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.
> /root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 12844114
> Engine version: 0.103.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.01 MB (ratio 0.00:1)
> Time: 61.839 sec (1 m 1 s)
> Start Date: 2022:07:22 10:59:19
> End Date:   2022:07:22 11:00:21
>
> I opened the file in the console. It's a multipart message, it contains
> the text and the typical MS HTML part of the message. I can't see where
> the danger lurks.
>
> Any suggestions what I can do?
>
> Thomas B

Hi Thomas,

The yara rule errors are due to ClamAV's built-in yara engine not fully 
understanding the yara files.

The MBL_162693783 sig is the one to check.

If you used sigtool to decode the sig you'll see what it's looking for.

Mbl used to block Google docs links... so maybe that's why.

If you need to you can put the signature name in an ignore .ign2 file and 
reload clamd, but only do this once you have seen the sig decode.

Cheers,

Steve
Twitter: @sanesecurity
Sanesecurity.com
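An added example, not part of Steve's reply and not ClamAV's own code, that does in Python what the two suggested steps amount to: render a .ndb body signature as text the way `sigtool --decode-sigs` does, so you can see what it is looking for, and produce the line for a local .ign2 file. The signature line below is constructed for illustration; the real MBL_162693783 body is not on this page, and the handling of the `.UNOFFICIAL` suffix is this example's assumption.

```python
import re

# Constructed .ndb line (SigName:TargetType:Offset:HexBody) used as sample
# input; it is NOT the real MBL_162693783 signature, whose body you would
# obtain with `sigtool --find-sigs=MBL_162693783 | sigtool --decode-sigs`.
SAMPLE_NDB = ("MBL_example:0:*:646f63732e676f6f676c652e636f6d2f"
              "7370726561647368656574732f{-20}2f65646974")


def decode_ndb_line(line):
    """Parse one .ndb line and render its hex body as readable text.

    ClamAV body-signature wildcards are kept symbolic instead of decoded:
      ??     one arbitrary byte          *      any number of bytes
      {n-m}  between n and m bytes       (a|b)  alternative sequences
    """
    name, target, offset, body = line.strip().split(":", 3)
    tokens = re.findall(r"\{[^}]*\}|[()|*]|\?\?|[0-9a-fA-F]{2}", body)
    out = []
    for tok in tokens:
        if tok == "??":
            out.append("<any byte>")
        elif tok == "*":
            out.append("<any bytes>")
        elif tok.startswith("{"):
            out.append("<gap %s>" % tok[1:-1])
        elif tok in "()|":
            out.append(tok)
        else:
            ch = bytes.fromhex(tok).decode("latin-1")
            out.append(ch if ch.isprintable() else "\\x%02x" % ord(ch))
    return {"name": name, "target": target, "offset": offset,
            "decoded": "".join(out)}


def ign2_entry(reported_name):
    """Return the line to put in a local .ign2 file for a reported hit.

    Assumption made by this example: .ign2 takes the name as it appears in
    the database file, so the '.UNOFFICIAL' suffix that clamscan appends to
    hits from third-party databases is dropped here.
    """
    name = reported_name.strip()
    if name.endswith(".UNOFFICIAL"):
        name = name[: -len(".UNOFFICIAL")]
    return name + "\n"


if __name__ == "__main__":
    sig = decode_ndb_line(SAMPLE_NDB)
    print("%s looks for: %s" % (sig["name"], sig["decoded"]))
    print("ignore with:", ign2_entry("MBL_example.UNOFFICIAL").strip())
```

Only append the .ign2 line once the decoded body confirms the match is the benign Google Sheets link, then reload clamd (for example with `clamdscan --reload`).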