[Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Joao S Veiga
Hi, I was getting tons of these false positives (just reported/submitted a sample).

you can delete the line:

Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*687474703a2f2f(31|32|33|34|35|36|37|38|39)

from /var/lib/clamav/daily.inc/daily.ndb

and it will go away.

It is triggered by any file (or email, or mbox) containing

pagame after Subject:  (or /^Subject: / followed by /pagame.*/i)

then anything (or nothing), followed by a line

http//(any number) (or http://[0-9])

(not placing the plain triggering text here, or I suppose the mail will be blocked
on every clamav user mailbox)

You can test this by creating such a text file and scanning it with Clamav.

Pagamento (payment) is a VERY common subject in Portuguese, and having a numeric
link anywhere after that in your mailbox or in the same email causes the false
positive. That signature is WAY too prone to false positives!

BR,

Joao S Veiga


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread John W. Baxter
On 10/3/07 7:26 AM, Joao S Veiga [EMAIL PROTECTED] wrote:

> Pagamento (payment) is a VERY common subject in Portuguese, and having a numeric
> link anywhere after that in your mailbox or in the same email causes the false
> positive. That signature is WAY too prone to false positives!


Sounds like a signature tuneup is in order.  On the other hand, I would
think long and hard about the combination of payments and entities which are
reduced to using numeric IPs in URLs.  I suspect my business goes elsewhere.

  --John




Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Dennis Peterson
Joao S Veiga wrote:
> Hi, I was getting tons of these false positives (just reported/submitted a
> sample).
>
> you can delete the line:
>
> Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*687474703a2f2f(31|32|33|34|35|36|37|38|39)
>
> from /var/lib/clamav/daily.inc/daily.ndb
>
> and it will go away.
>
> It is triggered by any file (or email, or mbox) containing
>
> pagame after Subject:  (or /^Subject: / followed by /pagame.*/i)
>
> then anything (or nothing), followed by a line
>
> http//(any number) (or http://[0-9])
>

This was brought up here very recently, like yesterday and the day before (see
Getting line numbers), and the pattern has been removed. Email.FreeGame-1 and
Email.FreeGame-2 still exist.

dp


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Joao S Veiga
Hi John, 

> think long and hard about the combination of payments and entities which are
> reduced to using numeric IPs in URLs.  I suspect my business goes elsewhere.

Agreed :-), but the problem is (and what has caused most of my problems) that if
you have an email with the Subject: Pagamento in your mailbox file, then receive
another one with the numeric href, clamav will say your mailbox is infected - it
doesn't matter that the two parts of the signature are in different emails.

BR,

Joao S Veiga


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Dennis Peterson
Joao S Veiga wrote:
> Hi John,
>
>> think long and hard about the combination of payments and entities which are
>> reduced to using numeric IPs in URLs.  I suspect my business goes elsewhere.
>
> Agreed :-), but the problem is (and what has caused most of my problems) that if
> you have an email with the Subject: Pagamento in your mailbox file, then receive
> another one with the numeric href, clamav will say your mailbox is infected - it
> doesn't matter that the two parts of the signature are in different emails.

This problem is also being discussed in the Getting line numbers thread. The
Email.FreeGame pattern demonstrates the very bad idea of using unanchored wildcard
expressions in regex searches. If the software is not working on an extracted copy of
each message found in the mbox then all such unanchored searches will crawl to the
end of the mbox file with each invocation and in very many cases that is a lot of
file to be crawling. If clamav is not treating mbox files as tables of rfc-822
messages then it is a pretty poor choice of tools for scanning them.

dp
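As an added example (not code from this thread or from ClamAV itself), the Python below decodes the .ndb body quoted in Joao's first message into a regex and runs it over a constructed three-message mbox, once over the whole file and once per message. It shows why "Pagamento" satisfies the (67|47)616d65 ("game"/"Game") term and, as Dennis describes above, why the unanchored `*` lets the two halves of the signature match across different messages unless the mbox is split first. The split_mbox helper, the example.invalid addresses and the 192.0.2.10 link are assumptions made for the sample.

```python
import re

# The signature line as quoted in the thread (.ndb format: Name:TargetType:Offset:HexBody).
FREEGAME_NDB = ("Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*"
                "687474703a2f2f(31|32|33|34|35|36|37|38|39)")


def ndb_body_to_regex(body: str) -> str:
    """Translate the hex body of an .ndb signature into a Python regex.
    Covers the subset this signature uses: plain hex bytes, (aa|bb) alternatives,
    '*' (any bytes) and {n}/{-n}/{n-}/{n-m} gaps. Bytes map to latin-1 characters
    so the regex can run over str input."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "*":
            out.append(".*?")
            i += 1
        elif c == "{":
            j = body.index("}", i)
            spec = body[i + 1:j]
            if spec.startswith("-"):      # {-n}: up to n bytes
                lo, hi = "0", spec[1:]
            elif spec.endswith("-"):      # {n-}: n or more bytes
                lo, hi = spec[:-1], ""
            elif "-" in spec:             # {n-m}: between n and m bytes
                lo, hi = spec.split("-")
            else:                         # {n}: exactly n bytes
                lo = hi = spec
            out.append(".{%s,%s}" % (lo, hi))
            i = j + 1
        elif c == "(":
            j = body.index(")", i)
            alts = [bytes.fromhex(a).decode("latin-1") for a in body[i + 1:j].split("|")]
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
        else:                             # two hex digits = one literal byte
            out.append(re.escape(bytes.fromhex(body[i:i + 2]).decode("latin-1")))
            i += 2
    return "".join(out)


def matches(data: str, sig: str = FREEGAME_NDB) -> bool:
    """True if the signature body matches anywhere in data (newlines included)."""
    body = sig.split(":", 3)[3]
    return re.search(ndb_body_to_regex(body), data, re.S) is not None


def split_mbox(mbox: str) -> list:
    """Assumed helper: split an mbox into messages on 'From ' separator lines."""
    msgs, cur = [], []
    for line in mbox.splitlines(keepends=True):
        if line.startswith("From ") and cur:
            msgs.append("".join(cur))
            cur = []
        cur.append(line)
    if cur:
        msgs.append("".join(cur))
    return msgs


def flagged_messages(mbox: str, sig: str = FREEGAME_NDB) -> list:
    """Indexes of the messages that match when each one is scanned on its own."""
    return [n for n, m in enumerate(split_mbox(mbox)) if matches(m, sig)]


# Constructed sample mailbox (not real mail); only message 2 carries both halves.
SAMPLE_MBOX = (
    "From joao@example.invalid Mon Oct  1 09:00:00 2007\n"
    "Subject: Pagamento de outubro\n\nSegue o comprovante em anexo.\n"
    "From billing@example.invalid Tue Oct  2 10:00:00 2007\n"
    "Subject: Fatura\n\nhttp://192.0.2.10/fatura\n"
    "From shop@example.invalid Wed Oct  3 11:00:00 2007\n"
    "Subject: Pagamento confirmado\n\nRecibo: http://192.0.2.10/recibo\n"
)
```

Scanning SAMPLE_MBOX as one file reports a hit (the Subject of message 0 and the link of message 1 satisfy the signature together), while scanning per message flags only message 2, which really contains both halves.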


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Dennis Peterson
Bill Landry wrote:
> Dennis Peterson wrote:
>> Joao S Veiga wrote:
>>> Hi John,
>>>
>>>> think long and hard about the combination of payments and entities which are
>>>> reduced to using numeric IPs in URLs.  I suspect my business goes elsewhere.
>>> Agreed :-), but the problem is (and what has caused most of my problems) that if
>>> you have an email with the Subject: Pagamento in your mailbox file, then receive
>>> another one with the numeric href, clamav will say your mailbox is infected - it
>>> doesn't matter that the two parts of the signature are in different emails.
>> This problem is also being discussed in the Getting line numbers thread. The
>> Email.FreeGame pattern demonstrates the very bad idea of using unanchored wildcard
>> expressions in regex searches. If the software is not working on an extracted copy of
>> each message found in the mbox then all such unanchored searches will crawl to the
>> end of the mbox file with each invocation and in very many cases that is a lot of
>> file to be crawling. If clamav is not treating mbox files as tables of rfc-822
>> messages then it is a pretty poor choice of tools for scanning them.
>
> I've been following this discussion for the past few days, and I got to ask why
> scan an mbox file in the first place?  I realize that if one does choose to scan
> an mbox file, then the scanner should do the right thing and consider each
> message within the mbox as a separate file.  However, if one is scanning
> messages at transport time, why would they need to scan the mbox file?
>
> If one is not scanning at transport time, then since the infected message has
> already been delivered, it could very well be that it has also executed its
> payload and scanning the mbox file after-the-fact is too late.

A message arrives on Monday. By Tuesday a new pattern has come out. Scanning the
inbox finds the virus in the message that came in on Monday. Your manager thinks you
are a credit to his department, you get a commendation and are put in for a raise.

Day zero is a race. Don't think you're always going to win it.

dp


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Bill Landry
Dennis Peterson wrote:

>> I've been following this discussion for the past few days, and I got to ask why
>> scan an mbox file in the first place?  I realize that if one does choose to scan
>> an mbox file, then the scanner should do the right thing and consider each
>> message within the mbox as a separate file.  However, if one is scanning
>> messages at transport time, why would they need to scan the mbox file?
>>
>> If one is not scanning at transport time, then since the infected message has
>> already been delivered, it could very well be that it has also executed its
>> payload and scanning the mbox file after-the-fact is too late.
>
> A message arrives on Monday. By Tuesday a new pattern has come out. Scanning the
> inbox finds the virus in the message that came in on Monday. Your manager thinks you
> are a credit to his department, you get a commendation and are put in for a raise.
>
> Day zero is a race. Don't think you're always going to win it.

Agreed, but virus scanning, like spam filtering, is a best effort service.  If
one has hundreds of thousands of users, I can't imagine that the resources
necessary to scan all of those mbox files (many of which can be quite large) can
be worth the effort.

At some point you have to pass the responsibility onto the end user (personal
virus scanner, updated regularly), otherwise you make yourself liable for their
actions/mistakes.  I would not want to assume any more responsibility for
viruses getting through to end users than the virus vendors themselves are
assuming.  Otherwise you are setting yourself up for some real problems.

Just my unsolicited 2 cents...

Bill


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Bill Landry
Dennis Peterson wrote:
> Joao S Veiga wrote:
>> Hi John,
>>
>>> think long and hard about the combination of payments and entities which are
>>> reduced to using numeric IPs in URLs.  I suspect my business goes elsewhere.
>> Agreed :-), but the problem is (and what has caused most of my problems) that if
>> you have an email with the Subject: Pagamento in your mailbox file, then receive
>> another one with the numeric href, clamav will say your mailbox is infected - it
>> doesn't matter that the two parts of the signature are in different emails.
>
> This problem is also being discussed in the Getting line numbers thread. The
> Email.FreeGame pattern demonstrates the very bad idea of using unanchored wildcard
> expressions in regex searches. If the software is not working on an extracted copy of
> each message found in the mbox then all such unanchored searches will crawl to the
> end of the mbox file with each invocation and in very many cases that is a lot of
> file to be crawling. If clamav is not treating mbox files as tables of rfc-822
> messages then it is a pretty poor choice of tools for scanning them.

I've been following this discussion for the past few days, and I got to ask why
scan an mbox file in the first place?  I realize that if one does choose to scan
an mbox file, then the scanner should do the right thing and consider each
message within the mbox as a separate file.  However, if one is scanning
messages at transport time, why would they need to scan the mbox file?

If one is not scanning at transport time, then since the infected message has
already been delivered, it could very well be that it has also executed its
payload and scanning the mbox file after-the-fact is too late.

Bill


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Joao S Veiga
Hi Dennis and others, thanks for pointing out that this has been discussed
already. Sorry about that; I only searched for Email.FreeGame and got to this
thread (I wasn't subscribing).

Hi Bill,

> If one is not scanning at transport time, then since the infected message has
> already been delivered, it could very well be that it has also executed its
> payload and scanning the mbox file after-the-fact is too late.
 
better late than never :-/

I do scan mails on arrival at the mail server, but also do nightly scans on the
mailserver and fileserver (webmail users have mailboxes on the mailserver, outlook
users have .pst on the fileserver).

Suppose for example that the user gets just-released malware, not yet in the
signature database. It passes by the mailserver scan unharmed, but when it does
get in the signatures database, at least I'll know that this and that guy were
exposed, if they still have the mail in their mailboxes.

There is also a good chance that they haven't bought it (I have done a good job
making them all very paranoid), so they didn't open/execute/fall for the bait, or
that the malware is still sitting in their mail spool over the weekend unopened.

BR,

Joao S Veiga


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Joao S Veiga
Hi,

> If one has hundreds of thousands of users,

I only have 50 users; I can put those wasted watts to work at night when the
servers are idle.

> At some point you have to pass the responsibility onto the end user (personal
> virus scanner, updated regularly), otherwise you make yourself liable for their
> actions/mistakes.

Yet, you'll be liable for having passed the responsibility for someone who makes
mistakes :-D

We have no resident virus scanner on the PCs. I do what I can in the server
side, keep their windows up-to-date, and terrorize them into safe behavior. In 13
years, just 4 minor events (always from new, yet unterrorized users - I made them
feel very liable after the events).

BR,

Joao S Veiga




Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-10-03 Thread Gerard
On Wednesday October 03, 2007 at 02:16:30 (PM) Joao S Veiga wrote:

>> If one has hundreds of thousands of users,
>
> I only have 50 users; I can put those wasted watts to work at night when the
> servers are idle.
>
>> At some point you have to pass the responsibility onto the end user (personal
>> virus scanner, updated regularly), otherwise you make yourself liable for their
>> actions/mistakes.
>
> Yet, you'll be liable for having passed the responsibility for someone who makes
> mistakes :-D
>
> We have no resident virus scanner on the PCs. I do what I can in the server
> side, keep their windows up-to-date, and terrorize them into safe behavior. In 13
> years, just 4 minor events (always from new, yet unterrorized users - I made them
> feel very liable after the events).

All mail is scanned at the server here also; however, each user also
has a virus scanner on their machine. In our particular situation,
Postfix and clamav are used to receive and scan the incoming mail.
The majority of our users are employing WinXP machines with ZoneAlarm
Suite installed. On several occasions, ZA has caught a virus that got
past Clamav. I personally believe that the use of two separate AV
engines is far superior to just using one, updating it several times
and rescanning the mail, especially since, as was pointed out
previously, by the time it is caught, it has probably already
delivered its payload.

Just my 2¢.

-- 
Gerard



Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Dennis Peterson
Jon Wagoner - Red Cheetah wrote:

 
> Is there any way I can disable the check for Email.FreeGame?

Is there any reason to suspect this file will ever contain a viable virus? If not
then don't bother scanning it. Sorry I don't have an answer for your question.

dp



[Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Jon Wagoner - Red Cheetah
I'm not sure what the proper procedure is here. Clamav is detecting
Email.FreeGame in two of the database files from my MySQL database (one
.MYD and one .ibd).  If I dump the contents as text and scan no virus is
found, so apparently it's just something in the binary format of the DB
triggering it.  Clamd -V reports the version as ClamAV 0.91.2/4419/Fri
Sep 28 02:36:28 2007.

This table from the DB contains proprietary client information, so I
can't just submit it for review as a false positive.  One of the files is
also 1.1GB so I don't think you'd want that anyway.

Is there any way I can disable the check for Email.FreeGame?

Jon Wagoner
Red Cheetah Software



Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Dennis Peterson
Jon Wagoner - Red Cheetah wrote:
>>> Yes, I'm periodically doing scans of the full drive.  I could just skip
>>> the mysql directory, but that seems pretty bad security practice.
>> Why does it seem that way to you ?
>
> It appears clamav just does a substring match on the exclude, so it
> would be easy to hide viruses.  E.g. If I excluded .MYD, then you could
> just have your virus named somevirus.MYD and it would not be caught.  If
> I tried to exclude the mysql dir, then a user could have a virus hidden
> in /home/someuser/var/lib/mysql/my-virus-here.

The session you run for system files can have different params than a session run in
user space. Looks like you're trying to do it all with a single sweep. Not the way
I'd do it, but it's a way.

dp


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Christopher X. Candreva
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:

> Yes, I'm periodically doing scans of the full drive.  I could just skip
> the mysql directory, but that seems pretty bad security practice.

Why does it seem that way to you ?

I don't think scanning raw mysql database files is going to give useful
results. My gut is that you should in fact exclude them.

If a database has specific content that could contain a virus and be a 
problem (is used to store e-mail or downloadable files), then I would think 
the only real way to do it is to write something to extract that data and 
scan it outside of the DB file, each one separately -- as if they were 
individual files.




==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Jon Wagoner - Red Cheetah
>> Yes, I'm periodically doing scans of the full drive.  I could just skip
>> the mysql directory, but that seems pretty bad security practice.
>
> Why does it seem that way to you ?

It appears clamav just does a substring match on the exclude, so it
would be easy to hide viruses.  E.g. If I excluded .MYD, then you could
just have your virus named somevirus.MYD and it would not be caught.  If
I tried to exclude the mysql dir, then a user could have a virus hidden
in /home/someuser/var/lib/mysql/my-virus-here.


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Daniel T. Staal

On Fri, September 28, 2007 12:41 pm, Dennis Peterson said:
> Jon Wagoner - Red Cheetah wrote:
>
>> Is there any way I can disable the check for Email.FreeGame?
>
> Is there any reason to suspect this file will ever contain a viable
> virus? If not then don't bother scanning it. Sorry I don't have an answer
> for your question.

I'd assume since he is intentionally scanning it, he means to scan it,
normally...

Is there a way to move Email.FreeGame to be classified as a 'Phishing'
signature?  It appears to be designed to catch emails pointing you to bad
sites, which is the definition of a phish as far as I'm aware...

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Jon Wagoner - Red Cheetah
> On Fri, September 28, 2007 12:41 pm, Dennis Peterson said:
>> Jon Wagoner - Red Cheetah wrote:
>>
>>> Is there any way I can disable the check for Email.FreeGame?
>>
>> Is there any reason to suspect this file will ever contain a viable
>> virus? If not then don't bother scanning it. Sorry I don't have an answer
>> for your question.
>
> I'd assume since he is intentionally scanning it, he means to scan it,
> normally...
>
> Is there a way to move Email.FreeGame to be classified as a 'Phishing'
> signature?  It appears to be designed to catch emails pointing you to bad
> sites, which is the definition of a phish as far as I'm aware...
>

Yes, I'm periodically doing scans of the full drive.  I could just skip
the mysql directory, but that seems pretty bad security practice.

Jon Wagoner


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Christopher X. Candreva
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:

> It appears clamav just does a substring match on the exclude, so it
> would be easy to hide viruses.  E.g. If I excluded .MYD, then you could
> just have your virus named somevirus.MYD and it would not be caught.  If

I would not exclude *.MYD globally. However:

> I tried to exclude the mysql dir, then a user could have a virus hidden
> in /home/someuser/var/lib/mysql/my-virus-here.

Users should not be able to write to that directory at all, it should be 
owned/group mysql. If someone did put a virus there you would probably have 
a bigger problem - namely that mysql had been hacked.

Clamd is for scanning specific things, and I don't think mysql db files is 
one of them. Not that verifying the integrity of your mysql files isn't a 
good idea, but I think it will take more than clam to do it. Off the top of 
my head you would want to look for named files that don't belong. After 
that, a DB integrity check (a good idea anyway) would find other files 
pretending to be DB files, as they would fail.



==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Jon Wagoner - Red Cheetah
> On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:
>
>> It appears clamav just does a substring match on the exclude, so it
>> would be easy to hide viruses.  E.g. If I excluded .MYD, then you could
>> just have your virus named somevirus.MYD and it would not be caught.  If
>
> I would not exclude *.MYD globally. However:
>
>> I tried to exclude the mysql dir, then a user could have a virus hidden
>> in /home/someuser/var/lib/mysql/my-virus-here.
>
> Users should not be able to write to that directory at all, it should be
> owned/group mysql. If someone did put a virus there you would probably have
> a bigger problem - namely that mysql had been hacked.

Take a closer look, that's not the real mysql directory, just a
subdirectory under the users home folder that would match the exclude
for the real /var/lib/mysql.



Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB

2007-09-28 Thread Christopher X. Candreva
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:

>>> hidden
>>> in /home/someuser/var/lib/mysql/my-virus-here.
>>
>> Users should not be able to write to that directory at all, it should be

> Take a closer look, that's not the real mysql directory, just a
> subdirectory under the users home folder that would match the exclude
> for the real /var/lib/mysql.

--exclude-dir is listed as taking a regex, so if you

--exclude=^/var/lib/mysql/

you should be fine.

I see now though -- if it was a simple substring (or if the current --help 
output is wrong) that would be a problem.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/