Discussion:
[clamav-users] MBL_17713260 false positive!
Alex
2018-10-24 00:00:00 UTC
Permalink
Another malwarepatrol fp for docs.google.com

# sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
VIRUS NAME: MBL_17713260
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://docs.google.com

I don't even know what to do anymore. Is it worth it to keep malwarepatrol?

Also, my apologies if this was already reported recently - gmail
disabled my list subscription because somehow there were too many
bounces... How does that even happen!?
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Alex
2018-10-24 01:52:49 UTC
Permalink
Hi,

Thought I'd follow up with the response from Malwarepatrol:

"The classification of a sample hosted on that domain, according to
MBL# 17713260 (MD5: 88a1265b2f954a1fb06b6a67f198645e9617007e), is
backed by 12 anti-virus products. Therefore, this is not a false
positive.

There is no reason to believe that the Google infrastructure doesn't
host malware. In case you still don't want or can't block such domain,
we advise you to whitelist it before applying our block lists."
Post by Alex
Another malwarepatrol fp for docs.google.com
# sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
VIRUS NAME: MBL_17713260
TARGET TYPE: ANY FILE
OFFSET: *
https://docs.google.com
I don't even know what to do anymore. Is it worth it to keep malwarepatrol?
Also, my apologies if this was already reported recently - gmail
disabled my list subscription because somehow there were too many
bounces... How does that even happen!?
Ralf Hildebrandt
2018-10-24 08:00:48 UTC
Permalink
Post by Alex
Hi,
"The classification of a sample hosted on that domain, according to
MBL# 17713260 (MD5: 88a1265b2f954a1fb06b6a67f198645e9617007e), is
backed by 12 anti-virus products. Therefore, this is not a false
positive.
There is no reason to believe that the Google infrastructure doesn't
host malware. In case you still don't want or can't block such domain,
we advise you to whitelist it before applying our block lists."
Fucking idiots.
--
Ralf Hildebrandt Charité Universitätsmedizin Berlin
***@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Ralf Hildebrandt
2018-10-24 08:00:20 UTC
Permalink
Post by Alex
Another malwarepatrol fp for docs.google.com
# sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
VIRUS NAME: MBL_17713260
TARGET TYPE: ANY FILE
OFFSET: *
https://docs.google.com
I don't even know what to do anymore. Is it worth it to keep malwarepatrol?
I'm wondering this as well. That stuff pops up every other day.
--
Ralf Hildebrandt Charité Universitätsmedizin Berlin
***@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Al Varnell
2018-10-24 08:05:58 UTC
Permalink
I cannot argue that malware does not show up in Google Docs which is wide open to anybody that wants to post there, as I know it has occurred. Not sure how big a problem it has become for Google to police. I think it would be better if malwarepatrol were to list the specific site where the malware was reportedly found, rather than condemning the entire sub-domain.

-Al-
Post by Ralf Hildebrandt
Another malwarepatrol fp for docs.google.com
# sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
VIRUS NAME: MBL_17713260
TARGET TYPE: ANY FILE
OFFSET: *
https://docs.google.com
I don't even know what to do anymore. Is it worth it to keep malwarepatrol?
I'm wondering this as well. That stuff pops up every other day.
Ralf Hildebrandt
2018-10-24 08:10:47 UTC
Permalink
Post by Al Varnell
I cannot argue that malware does not show up in Google Docs which is
wide open to anybody that wants to post there,
Amen to that!
Post by Al Varnell
as I know it has occurred. Not sure how big a problem it has become for
Google to police. I think it would be better if malwarepatrol were to
list the specific site where the malware was reportedly found, rather
than condemning the entire sub-domain.
--
Ralf Hildebrandt Charité Universitätsmedizin Berlin
***@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Steve Basford
2018-10-24 09:13:04 UTC
Permalink
Post by Al Varnell
I cannot argue that malware does not show up in Google Docs which is wide
open to anybody that wants to post there, as I know it has occurred. Not
sure how big a problem it has become for Google to police. I think it
would be better if malwarepatrol were to list the specific site where the
malware was reportedly found, rather than condemning the entire
sub-domain.
Agreed....

Plus as the signature name changes for the blocked domain... you'd have to
do something like:

grep "68747470733a2f2f646f63732e676f6f676c652e636f6d"| cut -d "=" -f1 >
mbl.ign2

... each time you download... and re-generate the whitelist name.
--
Cheers,

Steve
Twitter: @sanesecurity

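The two points made above, that an `OFFSET: *` / `TARGET TYPE: ANY FILE` body signature is a plain substring match on "https://docs.google.com" (so any mail carrying a Google Docs link fires), and that the MBL_ signature name changes between downloads so an .ign2 allow-list has to be regenerated from the decoded signature body each time, can be automated. The script below is an added example and is not code from the list, from Malware Patrol or from the ClamAV project. It assumes the downloaded file is in ClamAV .ndb form (`NAME:TARGETTYPE:OFFSET:HEXSIG`, one per line); the first sample line is the signature from this thread, the other two are constructed. It only allow-lists signatures whose body is the bare origin of a domain we refuse to block and keeps any signature that names a specific path on that host, which is the narrower block Al asked for.

```python
"""Regenerate a ClamAV .ign2 allow-list for Malware Patrol signatures that block
a whole domain we refuse to block, and show why such a signature over-matches.

Added example; assumptions: the MBL download is a .ndb file, and allow-listing
is by signature name in .ign2 (one name per line, dropped in the database dir).
"""
import binascii

ALLOWED_DOMAINS = {"docs.google.com"}

# Constructed sample .ndb. Line 1 is the signature quoted in the thread; the hex
# is the encoding of "https://docs.google.com". Lines 2 and 3 are made up here.
SAMPLE_NDB = "\n".join([
    "MBL_17713260:0:*:68747470733a2f2f646f63732e676f6f676c652e636f6d",
    "MBL_99999001:0:*:" + b"http://malware.example/dropper.exe".hex(),
    "MBL_99999002:0:*:" + b"https://docs.google.com/uc/".hex(),
]) + "\n"


def parse_ndb(text):
    """Yield (signature_name, decoded_body) for every plain-hex .ndb line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue
        name, _target_type, _offset, hexsig = parts
        try:
            body = binascii.unhexlify(hexsig)
        except (binascii.Error, ValueError):
            # Bodies with ? / * / {n-m} wildcards are not plain hex; skip them.
            continue
        yield name, body


def split_url(body):
    """Return (host, path) for a URL-shaped body, or (None, None) otherwise."""
    s = body.decode("latin-1").lower()
    for scheme in ("https://", "http://"):
        if s.startswith(scheme):
            host, sep, rest = s[len(scheme):].partition("/")
            return host, sep + rest
    return None, None


def ign2_entries(ndb_text, allowed=ALLOWED_DOMAINS):
    """Names of signatures whose body is just the origin of an allowed domain.

    A signature that names a specific path on that host is NOT returned, so a
    narrower block of one malicious document would still be honoured.
    """
    names = []
    for name, body in parse_ndb(ndb_text):
        host, path = split_url(body)
        if host in allowed and path in ("", "/"):
            names.append(name)
    return names


def matches(body, data):
    """A '*' offset, any-file-type body signature is a plain substring test."""
    return body in data


def write_ign2(path, names):
    """Write the allow-list in .ign2 format: one signature name per line."""
    with open(path, "w", encoding="ascii") as fh:
        for name in names:
            fh.write(name + "\n")
    return len(names)


if __name__ == "__main__":
    # Constructed mail body: a legitimate shared-document link.
    legit_mail = b"Hi, the agenda is at https://docs.google.com/document/d/abc"
    sig_body = dict(parse_ndb(SAMPLE_NDB))["MBL_17713260"]
    print("signature fires on ordinary mail:", matches(sig_body, legit_mail))
    names = ign2_entries(SAMPLE_NDB)
    print("wrote", write_ign2("mbl.ign2", names), "entries:", names)
```

Run it after every MBL download, before the file is moved into the ClamAV database directory, so the .ign2 always carries the current signature names; the path-scoped `MBL_99999002` is deliberately left active to show that only whole-origin blocks are suppressed.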
Alex
2018-10-24 12:52:28 UTC
Permalink
Hi,
Post by Ralf Hildebrandt
Post by Alex
Another malwarepatrol fp for docs.google.com
# sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
VIRUS NAME: MBL_17713260
TARGET TYPE: ANY FILE
OFFSET: *
https://docs.google.com
I don't even know what to do anymore. Is it worth it to keep malwarepatrol?
I'm wondering this as well. That stuff pops up every other day.
As a follow-up, in response to a question as to why they just block
the specific URL and payload that triggered their detection, they
insisted it wasn't a false-positive because the malware was detected
by 12 other virus vendors. "Unfortunately, the file that serves the
malware in question is in the root directory of that domain. That is
the reason why the entire docs[.]google[.]com website is blocked."

I love how they even had to obscure docs.google.com so their own
software doesn't block receipt of their own email.

It's not just bad experiences with them like this, it's also constant
download issues, zero-length files, malformed files, and failure to
reach their system at least every third day.
Alex
2018-10-24 12:53:29 UTC
Permalink
Post by Alex
As a follow-up, in response to a question as to why they just block
I meant "don't just block", of course ...
Paul Stead
2018-10-26 11:30:07 UTC
Permalink
Woo, more -

MBL_17674787
MBL_17784910

Tried to post to the Sanesecurity list but didn't seem to come through (

Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Steve Basford
2018-10-26 13:59:40 UTC
Permalink
Post by Paul Stead
Woo, more -
MBL_17674787
MBL_17784910
Personally I'd stop using them... as Malware Patrol don't seem to want to
improve the situation.

So although I do whitelist.. like I have with the above ones... it'll be an
ongoing task/pain.
Post by Paul Stead
Tried to post to the Sanesecurity list but didn't seem to come through (
Hmmm... Odd I'll test later.

Cheers,

Steve