On 22 July 2022 10:15:27 Thomas Barth via clamav-users <clamav-users@lists.clamav.net> wrote:

Hello,

I use ClamAV unofficial signatures and it seems that I get a false
positive, I'm not sure. A known person with a gmail address and MS
Outlook 16.0 X-Mailer tries to send me a mail with a link to Google Docs
(Google Sheets) and Amavis refuses to accept this mail. I scanned this
file in the quarantine again and I get the detection again and some
other errors.

[more yyerror() ]
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389
duplicate identifier "zeroaccess_js4"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414
duplicate identifier "zerox88_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444
duplicate identifier "zerox88_js3"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472
duplicate identifier "zeus_js"
LibClamAV Warning: load_oneyara: yara rule contains too many subsigs
(1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules
from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.
/root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 12844114
Engine version: 0.103.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.01 MB (ratio 0.00:1)
Time: 61.839 sec (1 m 1 s)
Start Date: 2022:07:22 10:59:19
End Date:   2022:07:22 11:00:21

I opened the file in the console. It's a multipart message, it contains
the text and the typical MS HTML part of the message. I can't see where
the danger lurks.

Any suggestions what I can do?

Thomas B

Hi Thomas,

The yara rule errors are due to ClamAV's built-in yara engine not fully understanding the yara files.

The MBL_162693783 sig is the one to check.

If you use sigtool to decode the sig you'll see what it's looking for.

MBL used to block Google Docs links... so maybe that's why.

If you need to, you can put the signature name in an ignore (.ign2) file and reload clamd, but only do this once you have seen the sig decode.

Cheers,

Steve
Twitter: @sanesecurity
Sanesecurity.com
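The decode-then-whitelist workflow from the reply above, written out as an added shell example. It is not code from the thread, from ClamAV or from Sanesecurity; the database directory, the local.ign2 file name, and the function names are assumptions, and the sample signature name is the one reported in the question.

```shell
#!/bin/sh
# Added example: triage a suspected ClamAV false positive the way the reply
# suggests: decode the signature first, whitelist it only after reading the
# decode, then reload clamd and rescan. Not code from the thread; DBDIR, the
# local.ign2 file name and the function names are assumptions.

DBDIR="${CLAMAV_DBDIR:-/var/lib/clamav}"        # assumed database directory
IGN2="${CLAMAV_IGN2:-$DBDIR/local.ign2}"        # assumed whitelist file

# ClamAV appends ".UNOFFICIAL" to hits from third-party databases at scan
# time; the database itself (and so sigtool and the .ign2 file) uses the
# bare name, so strip the suffix before looking the signature up.
bare_name() {
    printf '%s\n' "${1%.UNOFFICIAL}"
}

# Show what a signature actually matches. "sigtool --find-sigs" prints every
# signature in the database directory whose name matches the regex;
# "sigtool --decode-sigs" turns the hex/ndb/ldb form on stdin into readable
# text. The name is used as a regex, so a prefix of a longer name matches too.
decode_sig() {
    name=$(bare_name "$1")
    sigtool --datadir="$DBDIR" --find-sigs="$name" | sigtool --decode-sigs
}

# Append the bare signature name to a .ign2 whitelist exactly once.
# .ign2 files hold one signature name per line, and ClamAV loads every
# *.ign2 file found in the database directory.
add_ignore() {
    name=$(bare_name "$1")
    file="${2:-$IGN2}"
    if [ -f "$file" ] && grep -qxF -- "$name" "$file"; then
        return 0        # already whitelisted, keep the file free of duplicates
    fi
    printf '%s\n' "$name" >> "$file"
}

# Ask the running clamd to reload its databases so the whitelist takes effect.
reload_clamd() {
    clamdscan --reload
}

# Full procedure: decode, stop for a human decision, whitelist, reload, then
# rescan the quarantined message to confirm the hit is gone.
triage() {
    sig="$1"
    msg="$2"
    echo "== decode of $sig =="
    decode_sig "$sig" || { echo "signature not found or sigtool missing" >&2; return 1; }
    printf 'Whitelist %s? [y/N] ' "$sig"
    read -r answer
    [ "$answer" = "y" ] || return 0
    add_ignore "$sig"
    reload_clamd
    clamdscan --no-summary "$msg"
}

# usage: ./triage.sh MBL_162693783.UNOFFICIAL /root/virusmail.txt
if [ $# -eq 2 ]; then
    triage "$1" "$2"
fi
```

The prompt before `add_ignore` is the point of the script: the decode output is what tells you whether the rule is matching the Google Docs link or something else in the message, and a name that goes into local.ign2 without that check silently disables the signature for every future message.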
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
