Hi,

I had exactly the same problem with emails on my servers. I found two subscriptions that have been blocking emails from major ISPs in my country. Finally I decided to bypass these subscriptions.

Example 1

fgrep -h Sanesecurity.Jurlbl.2650 *.ndb | sigtool --decode-sigs
VIRUS NAME: Sanesecurity.Jurlbl.2650
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE: {BOUNDARY_LEFT}ip.netia.com.pl{CHAR_ALTERNATIVE:'|"| |/|=|_|>| |?|<}

Example 2

fgrep -h Sanesecurity.Jurlbl.2649 *.ndb | sigtool --decode-sigs
VIRUS NAME: Sanesecurity.Jurlbl.2649
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE: {BOUNDARY_LEFT}internetdsl.tpnet.pl{CHAR_ALTERNATIVE:'|"| |/|=|_|>| |?|<}

Workaround

/usr/local/sbin/clamav-unofficial-sigs.sh -b
Input a third-party signature name that you wish to bypass due to false-positives and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote marks to any input string): Sanesecurity.Jurlbl.2650
Signature 'Sanesecurity.Jurlbl.2650' has been added to the local.ign signature bypass file and databases have been reloaded. The script will track any changes to the offending third-party signature and will automatically remove the signature bypass entry if either the signature is modified or removed from the third-party database.

/usr/local/sbin/clamav-unofficial-sigs.sh -b
Input a third-party signature name that you wish to bypass due to false-positives and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote marks to any input string): Sanesecurity.Jurlbl.2649
Signature 'Sanesecurity.Jurlbl.2649' has been added to the local.ign signature bypass file and databases have been reloaded. The script will track any changes to the offending third-party signature and will automatically remove the signature bypass entry if either the signature is modified or removed from the third-party database.

Finally I would like to know why these subscriptions were implemented? Who can answer this question?

Regards,
Pawel

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Ian Eiloart
Sent: Wednesday, August 21, 2013 5:05 PM
To: andre.cor...@pobox.com
Cc: clamav-users@lists.clamav.net
Subject: [clamav-users] false positives

Hi Andre,

NB: I'm copying this to the ClamAV users list, as a heads-up.

The ClamAV EXT list currently contains a number (eleven) of false positive entries. They all match the string "://" (without the quotes), which clearly matches any email containing any URL. This is a very serious error, that has been blocking most emails on my server today.

The entries are not in any of the other ClamAV lists. Here's a snippet from the list at https://www.malwarepatrol.net/cgi/submit?action=list_clamav_ext

BL_330073:0:*:66696c6573312e66726565736f66742e72752f7265702f3830373936
MBL_330105:0:*:3a2f2f
MBL_330141:0:*:7574696c7a6f6e652e746f7067756964652e636f2e6b722f7570646174652f757a3338
MBL_330149:0:*:646f776e2e656e756d73746174652e636f2e6b722f646f776e6c6f6164
MBL_330239:0:*:6368697070696e6773636f74746167652e637573746f6d65722e6e657473706163652e6e65742e6175
MBL_330447:0:*:66696c652d677572692e636f2e6b722f75706c6f61642f6a6f7966696c65
MBL_330518:0:*:6465616e6c7574746f6e2e636f6d2f6a756e6b
MBL_331371:0:*:7777772e726573637565382e6f72672f696d616765732f6a6f656172726f796f
MBL_331404:0:*:646f776e6c6f61642e77696e6d6178696d697a65722e636f6d2f646f776e6c6f6164732f77696e6d6178696d697a6572
MBL_331462:0:*:7574696c2e62696766696c652e6f722e6b722f636f6e74735f696d61676573322f75706c6f61645f666f72646572
MBL_331475:0:*:3a2f2f
MBL_331531:0:*:7a72656e692e72752f646f776e6c6f61642f736f6674
MBL_331860:0:*:7777772e6f66696e6574706c75732e6573

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
_______________________________________________
Help us build a comprehensive ClamAV guide:
visit http://wiki.clamav.net
http://www.clamav.net/support/ml
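
A pre-deployment check for the kind of entry reported in this thread, as an added example that is not part of the original messages or of ClamAV: it decodes each entry of an ndb-style list and flags those whose longest fixed string is generic (such as "://") or very short. The threshold, the generic-string set and the sample entries are assumptions made for this example.

```python
import re

MIN_LITERAL_BYTES = 8  # assumed review threshold, not a ClamAV setting
GENERIC = {b"://", b"http://", b"https://", b"www.", b"mailto:"}  # constructed list

def parse_ndb_line(line):
    """Split Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]] into 4 fields."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[3]:
        raise ValueError(f"not an ndb-style entry: {line!r}")
    return parts[0], parts[1], parts[2], parts[3]

def literal_runs(hexsig):
    """Return the fixed byte strings of a signature, split at wildcards."""
    # *, {n-m}, [n-m] and (a|b) tokens become '??' so the rest stays byte-aligned.
    norm = re.sub(r"\*|\{[^}]*\}|\[[^\]]*\]|!?\([^)]*\)", "??", hexsig)
    runs, cur = [], bytearray()
    for i in range(0, len(norm), 2):
        pair = norm[i:i + 2]
        if re.fullmatch(r"[0-9a-fA-F]{2}", pair):
            cur.append(int(pair, 16))
        elif cur:
            runs.append(bytes(cur))
            cur = bytearray()
    if cur:
        runs.append(bytes(cur))
    return runs

def audit(lines):
    """Return (name, longest literal, reason) for entries too broad to deploy."""
    findings = []
    for line in lines:
        name, _target, _offset, hexsig = parse_ndb_line(line)
        longest = max(literal_runs(hexsig), key=len, default=b"")
        if longest.lower() in GENERIC:
            findings.append((name, longest, "generic string"))
        elif len(longest) < MIN_LITERAL_BYTES:
            findings.append((name, longest, "literal too short"))
    return findings

# Constructed sample entries (names and hosts are made up for this example).
SAMPLE = [
    "TEST_0001:0:*:3a2f2f",
    "TEST_0002:0:*:" + b"files.example.invalid/rep/80796".hex(),
    "TEST_0003:4:*:687474703a2f2f??2e",
    "TEST_0004:4:*:" + b"ab".hex() + "{2-4}" + b"cd".hex(),
]
for name, literal, reason in audit(SAMPLE):
    print(f"{name}: {literal!r} ({reason})")
```

Running audit() over a freshly downloaded third-party list before it is copied into the ClamAV database directory lets an update containing such an entry be held back instead of loaded.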