Hi,

I'm using clamav-0.103.8 on Fedora 37 with the current daily update and have
received a false positive involving the RPMSG secure download that's
apparently part of Office 365.

For some reason the fp is in the body of the message, not the
message_v2.rpmsg attachment. Here is the entire message:
https://drive.google.com/file/d/1ZImepnB_U5_pI0CXRhWm8nlKVCPCFnw3/view?usp=sharing

Here's the sigtool output. Is this in fact a false positive?

$ sigtool --find-sigs Email.Phishing.RPMSG_Downloader-10004958-0 | sigtool --decode-sigs
VIRUS NAME: Email.Phishing.RPMSG_Downloader-10004958-0
TDB: Engine:90-255,Target:4
LOGICAL EXPRESSION: 0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Content-Disposition:
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 has sent you a protected message.
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.office365.com/Encryption/lock.png
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
<a href=
=3D"https://
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
outlook
 * SUBSIG ID 5
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.office365.com
 * SUBSIG ID 6
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/Encryption/
 * SUBSIG ID 7
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
retrieve.ashx?
 * SUBSIG ID 8
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
recipientemailaddress
 * SUBSIG ID 9
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
;senderemailaddress=
 * SUBSIG ID 10
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
application/x-microsoft-rpmsg-message;
 * SUBSIG ID 11
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
name="message_v{WILDCARD_IGNORE}.rpmsg"
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
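Added example, not from the post above and not ClamAV's own code: a small evaluator for the logical expression printed by sigtool, run over a constructed Office 365 style notification mail. TDB Target:4 is ClamAV's mail-file target, so all twelve subsignatures are matched against the mail file as a whole (HTML body and the MIME headers of the attachment part alike), and the expression only fires when subsigs 10 and 11 (the rpmsg Content-Type and the message_v?.rpmsg name) are found as well as the body strings. The `(3|4|5|6|7|8|9)>4,4` group is satisfied when the summed match counts of those alternatives exceed 4 and at least 4 distinct subsigs matched. Assumptions: `{WILDCARD_IGNORE}` is modelled as one arbitrary character; `&` is treated as a boolean AND and count modifiers over `&` groups are not modelled; the sample mail, addresses and boundary are constructed.

```python
"""Evaluate the logical expression of Email.Phishing.RPMSG_Downloader-10004958-0.
Added example, not ClamAV code: covers only the grammar this signature uses
(subsig ids, '&', '|', parentheses and the 'X>N,M' count modifier)."""
import re
from typing import Dict, List, Set, Tuple

# The twelve decoded subsignatures as printed by sigtool.  Subsig 3 contains
# a literal line break (quoted-printable soft break between 'href=' and '=3D').
# The wildcard in subsig 11 is modelled as one arbitrary character (assumption).
SUBSIGS: List[str] = [
    re.escape('Content-Disposition:'),
    re.escape(' has sent you a protected message.'),
    re.escape('.office365.com/Encryption/lock.png'),
    re.escape('<a href=\n=3D"https://'),
    re.escape('outlook'),
    re.escape('.office365.com'),
    re.escape('/Encryption/'),
    re.escape('retrieve.ashx?'),
    re.escape('recipientemailaddress'),
    re.escape(';senderemailaddress='),
    re.escape('application/x-microsoft-rpmsg-message;'),
    re.escape('name="message_v') + '.' + re.escape('.rpmsg"'),
]
LOGICAL_EXPRESSION = '0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11'

# Constructed sample (not the poster's message): quoted-printable HTML body
# followed by the .rpmsg attachment part.  LF line endings for brevity.
SAMPLE_MAIL = (
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html\nContent-Transfer-Encoding: quoted-printable\n\n'
    '<img src=3D"https://outlook.office365.com/Encryption/lock.png">\n'
    '<p>Alice (alice@example.com) has sent you a protected message.</p>\n'
    '<a href=\n=3D"https://outlook.office365.com/Encryption/retrieve.ashx?'
    'recipientemailaddress=3Dbob%40example.net;senderemailaddress=3Dalice%40example.com">'
    'Read the message</a>\n\n'
    '--b1\nContent-Type: application/x-microsoft-rpmsg-message; name="message_v2.rpmsg"\n'
    'Content-Disposition: attachment; filename="message_v2.rpmsg"\n'
    'Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n'
)


def count_subsigs(data: str) -> List[int]:
    """Occurrences of each subsignature in the raw mail text."""
    return [len(re.findall(p, data)) for p in SUBSIGS]


class _Parser:
    """Recursive descent over the expression; nodes yield (count, matched ids).
    '|' sums counts; '&' is a boolean AND (modifiers over '&' not modelled)."""

    def __init__(self, expr: str, counts: List[int]) -> None:
        self.s, self.i, self.counts = expr, 0, counts

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ''

    def parse(self) -> Tuple[int, Set[int]]:
        result = self._or()
        if self.i != len(self.s):
            raise ValueError(f'trailing input: {self.s[self.i:]!r}')
        return result

    def _or(self) -> Tuple[int, Set[int]]:
        total, ids = self._and()
        while self._peek() == '|':
            self.i += 1
            c, s = self._and()
            total, ids = total + c, ids | s
        return total, ids

    def _and(self) -> Tuple[int, Set[int]]:
        total, ids = self._atom()
        while self._peek() == '&':
            self.i += 1
            c, s = self._atom()
            total, ids = (total + c, ids | s) if total and c else (0, set())
        return total, ids

    def _atom(self) -> Tuple[int, Set[int]]:
        if self._peek() == '(':
            self.i += 1
            count, ids = self._or()
            if self._peek() != ')':
                raise ValueError('missing ) in ' + self.s)
            self.i += 1
        else:
            m = re.match(r'\d+', self.s[self.i:])
            if not m:
                raise ValueError(f'expected subsig id at offset {self.i}')
            self.i += m.end()
            sid = int(m.group())
            count, ids = self.counts[sid], ({sid} if self.counts[sid] else set())
        return self._modifier(count, ids)

    def _modifier(self, count: int, ids: Set[int]) -> Tuple[int, Set[int]]:
        op = self._peek()
        if op not in ('=', '<', '>'):
            return count, ids
        self.i += 1
        m = re.match(r'(\d+)(?:,(\d+))?', self.s[self.i:])
        if not m:
            raise ValueError('bad count modifier in ' + self.s)
        self.i += m.end()
        n, distinct = int(m.group(1)), int(m.group(2) or 0)
        ok = {'=': count == n, '<': count < n, '>': count > n}[op]
        return (1, ids) if ok and len(ids) >= distinct else (0, set())


def evaluate(expr: str, counts: List[int]) -> bool:
    """True if the logical expression is satisfied by these match counts."""
    return _Parser(expr, counts).parse()[0] > 0


def explain(data: str) -> Dict[str, object]:
    """Per-subsig counts and the '>4,4' group statistics for one mail."""
    counts = count_subsigs(data)
    return {'counts': counts,
            'group_sum': sum(counts[3:10]),
            'group_distinct': sum(1 for c in counts[3:10] if c),
            'fires': evaluate(LOGICAL_EXPRESSION, counts)}
```

Run `explain(SAMPLE_MAIL)` to see the counts; cutting the sample off before the attachment part makes subsigs 0, 10 and 11 drop to zero and the expression no longer fires, which is why a hit on this signature cannot be attributed to the HTML body alone.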