Discussion:
[clamav-users] Malwarepatrol false positive
Alex
2018-08-21 03:34:09 UTC
Permalink
Hi, fyi

# sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
VIRUS NAME: MBL_12952716
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://drive.google.com
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2018-08-21 04:13:03 UTC
Permalink
Submit to fp (at) malwarepatrol.net.

-Al-
Post by Alex
Hi, fyi
# sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
VIRUS NAME: MBL_12952716
TARGET TYPE: ANY FILE
OFFSET: *
https://drive.google.com
Dave McMurtrie
2018-08-21 11:27:39 UTC
Permalink
They did this in April, 2017 also. When I reported it as a false positive
at that time, they responded with:

"Thank you for contacting us. There is a file hosted there with a vague
AV classification. After further reviewing it, we've decided to remove
the URL from our block lists and data feeds."

I'm beginning to get the feeling they don't have any type of review
process in place.
Post by Al Varnell
Submit to fp (at) malwarepatrol.net.
-Al-
Al Varnell
2018-08-21 11:31:28 UTC
Permalink
OK, I don't think there is anything that ClamAV can do about it since it's an UNOFFICIAL.

Maybe Steve Basford from SaneSecurity can put some pressure on them. He usually reads what's posted here.

-Al-
Arnaud Jacques
2018-08-21 12:48:01 UTC
Permalink
Hello,

Do it yourself:
https://www.securiteinfo.com/services/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

Btw, users/customers of
https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
have no problem because the signature has been included in
securiteinfo.ign2.
--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: ***@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
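Added example, not code from anyone in this thread nor from Malware Patrol, Sanesecurity or ClamAV: the two things being done by hand above, decoding an .ndb entry the way `sigtool --find-sigs ... | sigtool --decode-sigs` prints it (Alex's post) and building a local .ign2 whitelist instead of waiting for the vendor (Arnaud's "do it yourself"), as one Python script that audits a signature file for entries whose whole body is a URL on shared infrastructure. The sample .ndb lines, the SHARED_HOSTS set and the Example.* signature names are constructed; the first two hex bodies are the literal encodings of the URLs reported in the thread, and the target-type table is limited to ClamAV's documented types 0-7.

```python
"""Audit a ClamAV .ndb signature file for bare-URL signatures and build an
.ign2 whitelist for the ones that would fire on shared infrastructure.
Added example for this thread; not Malware Patrol's, Sanesecurity's or
ClamAV's own code."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# .ndb target types (ClamAV signature documentation); 0 = any file.
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "ASCII"}

# Hosts where a URL-only signature matches legitimate mail. Constructed
# from the hosts named in this thread; extend it for your own environment.
SHARED_HOSTS = {
    "drive.google.com",
    "docs.google.com",
    "linkprotect.cudasvc.com",
    "safelinks.protection.outlook.com",
}

# Constructed sample database in .ndb format (name:target:offset:hexbody).
# The first two hex bodies are the literal encodings of the URLs reported
# in the thread; the Example.* entries are made up for contrast.
_SPECIFIC_URL = "https://evil.example/payload.exe".encode().hex()
SAMPLE_NDB = (
    "# comment lines are ignored\n"
    "MBL_12952716:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d\n"
    "MBL_13112740:0:*:68747470733a2f2f6c696e6b70726f746563742e637564617376632e636f6d2f75726c\n"
    f"Example.Url.Specific-1:0:*:{_SPECIFIC_URL}\n"
    "Example.Pattern.MZ-1:1:0:4d5a{4-64}50450000\n"
)

# A body made only of hex byte pairs can be decoded; anything with
# wildcards ({n-m}, ??, *, ...) is left as a pattern.
_HEX_ONLY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


@dataclass
class NdbSig:
    name: str
    target: int
    offset: str
    body: str                # raw hex body, possibly with wildcards
    decoded: Optional[str]   # None when the body carries wildcards


def parse_ndb(text: str) -> list[NdbSig]:
    """Parse .ndb lines; trailing fields (min/max flevel) are ignored."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed .ndb line: {raw!r}")
        name, target, offset, body = parts[0], int(parts[1]), parts[2], parts[3]
        decoded = bytes.fromhex(body).decode("latin-1") if _HEX_ONLY.match(body) else None
        sigs.append(NdbSig(name, target, offset, body, decoded))
    return sigs


def describe(sig: NdbSig) -> str:
    """Render an entry the way `sigtool --decode-sigs` prints it."""
    ttype = TARGET_TYPES.get(sig.target, f"UNKNOWN({sig.target})")
    shown = sig.decoded if sig.decoded is not None else f"<wildcard pattern> {sig.body}"
    return (f"VIRUS NAME: {sig.name}\nTARGET TYPE: {ttype}\n"
            f"OFFSET: {sig.offset}\nDECODED SIGNATURE:\n{shown}")


def bare_url_host(sig: NdbSig) -> Optional[str]:
    """Host name if the entire signature body is one printable http(s) URL."""
    if sig.decoded is None or not all(32 <= ord(c) < 127 for c in sig.decoded):
        return None
    u = urlsplit(sig.decoded)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    return u.hostname.lower()


def whitelist_candidates(ndb_text: str, shared_hosts: Iterable[str] = SHARED_HOSTS) -> list[str]:
    """Signature names whose body is nothing more than a URL on a shared host."""
    shared = {h.lower() for h in shared_hosts}
    return [s.name for s in parse_ndb(ndb_text) if bare_url_host(s) in shared]


def to_ign2(names: Iterable[str]) -> str:
    """.ign2 format: one signature name per line, nothing else (deduplicated)."""
    return "".join(f"{n}\n" for n in dict.fromkeys(names))


if __name__ == "__main__":
    for sig in parse_ndb(SAMPLE_NDB):
        print(describe(sig), end="\n\n")
    print("local.ign2 contents:")
    print(to_ign2(whitelist_candidates(SAMPLE_NDB)), end="")
```

Write the output to a file with an .ign2 extension (local.ign2, say) in clamd's DatabaseDirectory and ask clamd to reload (`clamdscan --reload`). An .ign2 entry only suppresses the named signature, which is why the thread keeps needing new whitelist entries: each week's repeat comes in under a fresh MBL_ number, so the audit has to be re-run against every feed update rather than the names being whitelisted once.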
Mark G Thomas
2018-08-27 18:16:08 UTC
Permalink
Hi,

This seems to be an ongoing trend.

I can't believe someone thought this would be a good idea!

# sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
VIRUS NAME: MBL_13087222
DECODED SIGNATURE:
https://docs.google.com
--
Mark G. Thomas (***@Misty.com), KC3DRE
Steve Basford
2018-08-27 18:41:27 UTC
Permalink
Just whitelisted for those using download scripts.. using the ign2 file on
the Sanesecurity mirrors.

Cheers,

Steve
Post by Mark G Thomas
Hi,
This seems to be an ongoing trend.
I can't believe someone thought this would be a good idea!
# sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
VIRUS NAME: MBL_13087222
https://docs.google.com
Mark G Thomas
2018-08-27 20:44:45 UTC
Permalink
Hi,

But, there are more. This is nuts.

# sigtool --find-sigs MBL_13112740 | sigtool --decode-sigs
VIRUS NAME: MBL_13112740
DECODED SIGNATURE:
https://linkprotect.cudasvc.com/url

Mark
Post by Steve Basford
Just whitelisted for those using download scripts.. using the ign2
file on the Sanesecurity mirrors.
Cheers,
Steve
--
Mark G. Thomas (***@Misty.com), KC3DRE
lukn
2018-08-28 05:45:09 UTC
Permalink
Hi

cudasvc was recently listed on Spamhaus' DBL. Looks like Barracuda has
some kind of issues with their service.
The other question is, why do people use such link cloakers?
Post by Mark G Thomas
Hi,
But, there are more. This is nuts.
# sigtool --find-sigs MBL_13112740 | sigtool --decode-sigs
VIRUS NAME: MBL_13112740
https://linkprotect.cudasvc.com/url
Mark
Mark G Thomas
2018-08-29 17:01:15 UTC
Permalink
Hi,

Apparently the cudasvc.com URLs are a function of Barracuda for their
customers, replacing dangerous public URLs in messages with private
links to barracuda-hosted warnings or screening pages, to prevent
customers from receiving and following original potentially malicious URLs.

Microsoft has a similar service: safelinks.protection.outlook.com

It seems to me there are all sorts of negative consequences to altering
message content in this way, however that's a poor excuse for adding such
URLs to a publicly distributed virus filter rule.

Mark
Post by lukn
Hi
cudasvc was recently listed on Spamhaus' DBL. Looks like Barracuda has
some kind of issues with their service.
The other question is, why do people use such link cloakers?
--
Mark G. Thomas (***@Misty.com), KC3DRE
Reindl Harald
2018-08-27 18:21:25 UTC
Permalink
Post by Mark G Thomas
This seems to be an ongoing trend.
I can't believe someone thought this would be a good idea!
# sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
VIRUS NAME: MBL_13087222
https://docs.google.com
That happens when you let users, who are mostly idiots, submit samples
without proper review and, in doubt, ignore them, be it Bayes, URIBL or signatures.
Steve Basford
2018-08-29 17:52:06 UTC
Permalink
Post by Al Varnell
OK, I don't think there is anything that ClamAV can do about it since it's an UNOFFICIAL.
Maybe Steve Basford from SaneSecurity can put some pressure on them. He
usually reads what's posted here.
I've just sent them an email and a contact form entry on the issues we've
been seeing of late... basically asking them to improve their quality
control and not give other 3rd party signatures or indeed ClamAV a bad
name.

Not sure if it'll help but we'll see.

FPs will happen... but it's about the frequency of them... and how quickly they
get fixed that's the key issue.
--
Cheers,

Steve
Twitter: @sanesecurity

Steve Basford
2018-08-29 20:12:34 UTC
Permalink
Had a reply back regarding the false positives....


Hello,

Thank you for contacting us and for reporting potential problems with our
ClamAV signatures. The two entries mentioned were removed from the block
lists and data feeds a few days ago. Our users and customers should be able
to download new versions of the feeds according to their subscriptions.

Our means of communication for reporting problems or to ask for assistance
is via this email address: ***@malwarepatrol.net. We'd appreciate if
you could direct anybody with inquiries to directly contact us.

Once again, thank you for reporting this issue.

Regards,

Luciana
Malware Patrol Team


So if anyone else sees FPs the above email should be a starting point.

Cheers,

Steve
Mark G Thomas
2018-08-31 16:51:11 UTC
Permalink
Hi,

And YET ANOTHER today. I figured others here might want the heads up.

[***@imx0 conf]# sigtool --find-sigs MBL_13226139 | sigtool --decode-sigs

VIRUS NAME: MBL_13226139
DECODED SIGNATURE:
https://linkprotect.cudasvc.com/url

-Mark
--
Mark G. Thomas (***@Misty.com), KC3DRE
Benny Pedersen
2018-08-31 17:08:44 UTC
Permalink
Post by Mark G Thomas
And YET ANOTHER today. I figured others here might want the heads up.
# sigtool --find-sigs MBL_13226139 | sigtool --decode-sigs
VIRUS NAME: MBL_13226139
https://linkprotect.cudasvc.com/url
why is https even blocked ? :(

please whitelist https signatures
Kris Deugau
2018-08-31 17:44:37 UTC
Permalink
Post by Benny Pedersen
why is https even blocked ? :(
please whitelist https signatures
There's no reason a hacked HTTPS website couldn't host malware. And
there's no reason a spam domain couldn't get a certificate (from Let's
Encrypt, or somewhere else) if they carefully time their actions.

-kgd
Benny Pedersen
2018-08-31 17:53:49 UTC
Permalink
Post by Kris Deugau
There's no reason a hacked HTTPS website couldn't host malware. And
there's no reason a spam domain couldn't get a certificate (from Let's
Encrypt, or somewhere else) if they carefully time their actions.
HTTPS links could not be reported to the signer?

But yes, it's too simple to make HTTPS links without any payment at all.

Time to block signers, if that's possible.
Steve Basford
2018-08-31 17:25:10 UTC
Permalink
Post by Mark G Thomas
Hi,
And YET ANOTHER today. I figured others here might want the heads up.
Sigh.

I've just added it to the main Sanesecurity whitelist.

Thanks for the heads up.

Cheers,

Steve
Twitter: @sanesecurity



Mark G Thomas
2018-09-04 17:50:51 UTC
Permalink
Hi,

Good grief! Yet another. So much for Malware patrol!

# sigtool --find-sigs MBL_13497693 | sigtool --decode-sigs
VIRUS NAME: MBL_13497693
DECODED SIGNATURE:
https://drive.google.com

Mark
--
Mark G. Thomas (***@Misty.com), KC3DRE
Steve Basford
2018-09-04 18:21:00 UTC
Permalink
Post by Mark G Thomas
Hi,
Good grief! Yet another. So much for Malware patrol!
Sigh.
Post by Mark G Thomas
# sigtool --find-sigs MBL_13497693 | sigtool --decode-sigs
Pushing out a whitelist entry to the mirrors as I type.

Cheers,

Steve
Twitter: @sanesecurity


Paul Stead
2018-09-18 15:32:56 UTC
Permalink
Yet another Malwarepatrol FP:

MBL_14437114 - https://drive.google.com

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Ralf Hildebrandt
2018-09-18 15:35:25 UTC
Permalink
Post by Paul Stead
MBL_14437114 - https://drive.google.com
That's a recurring FP. Happens every week.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
***@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
IT Division, Network Department phone: +49-30-450.570.155
Steve Basford
2018-09-18 16:52:41 UTC
Permalink
Post by Paul Stead
MBL_14437114
White listing as we speak... Sigh

Steve Basford
2018-08-21 13:01:51 UTC
Permalink
Post by Dave McMurtrie
I'm beginning to get the feeling they don't have any type of review
process in place.
I whitelisted the sig on the Sanesecurity mirrors this morning UK time:

21/08/2018 @ 11:37

It's usually quicker to do that, if not ideal.
--
Cheers,

Steve
Twitter: @sanesecurity

Alex
2018-08-21 13:48:46 UTC
Permalink