Re: [clamav-users] Malwarepatrol false positive

2018-09-18 Thread Steve Basford


On 18 September 2018 16:33:28 Paul Stead wrote:

> Yet another Malwarepatrol FP:
>
> MBL_14437114

White listing as we speak... Sigh
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Malwarepatrol false positive

2018-09-18 Thread Paul Stead
Yet another Malwarepatrol FP:

MBL_14437114 - https://drive.google.com

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk



Re: [clamav-users] Malwarepatrol false positive

2018-09-04 Thread Steve Basford

On 4 September 2018 18:52:04 Mark G Thomas wrote:

> Hi,
>
> Good grief! Yet another.  So much for Malware patrol!

Sigh.

> # sigtool --find-sigs MBL_13497693|  sigtool --decode-sigs

Pushing out a whitelist entry to the mirrors as I type.

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Malwarepatrol false positive

2018-09-04 Thread Mark G Thomas
Hi,

Good grief! Yet another.  So much for Malware patrol!

# sigtool --find-sigs MBL_13497693|  sigtool --decode-sigs
VIRUS NAME: MBL_13497693
DECODED SIGNATURE:
https://drive.google.com

Mark


On Fri, Aug 31, 2018 at 06:25:10PM +0100, Steve Basford wrote:
> 
> On 31 August 2018 17:52:26 Mark G Thomas  wrote:
> 
> >Hi,
> >
> >And YET ANOTHER today. I figured others here might want the heads up.
> >
> >[root@imx0 conf]# sigtool --find-sigs MBL_13226139 |  sigtool --decode-sigs
> 
> Sigh.
> 
> I've just added to the main Sanesecurity whitelist.
> 
> Thanks for the heads up.
> 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity

-- 
Mark G. Thomas (m...@misty.com), KC3DRE


Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Benny Pedersen

Kris Deugau wrote on 2018-08-31 19:44:

> Benny Pedersen wrote:
>
>> why is https even blocked ? :(
>>
>> please whitelist https signatures
>
> There's no reason a hacked HTTPS website couldn't host malware.  And
> there's no reason a spam domain couldn't get a certificate (from Let's
> Encrypt, or somewhere else) if they carefully time their actions.

https links could not be reported to the signer ?

but yes it's too simple to make https links without payments at all

time to block signers if that's possible


Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Kris Deugau

Benny Pedersen wrote:

> why is https even blocked ? :(
>
> please whitelist https signatures


There's no reason a hacked HTTPS website couldn't host malware.  And 
there's no reason a spam domain couldn't get a certificate (from Let's 
Encrypt, or somewhere else) if they carefully time their actions.


-kgd


Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Steve Basford



On 31 August 2018 17:52:26 Mark G Thomas wrote:

> Hi,
>
> And YET ANOTHER today. I figured others here might want the heads up.
>
> [root@imx0 conf]# sigtool --find-sigs MBL_13226139 |  sigtool --decode-sigs

Sigh.

I've just added to the main Sanesecurity whitelist.

Thanks for the heads up.

Cheers,

Steve
Twitter: @sanesecurity





Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Benny Pedersen

Mark G Thomas wrote on 2018-08-31 18:51:


And YET ANOTHER today. I figured others here might want the heads up.

[root@imx0 conf]# sigtool --find-sigs MBL_13226139 |  sigtool 
--decode-sigs


VIRUS NAME: MBL_13226139
DECODED SIGNATURE:
https://linkprotect.cudasvc.com/url


why is https even blocked ? :(

please whitelist https signatures


Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Mark G Thomas
Hi,

And YET ANOTHER today. I figured others here might want the heads up.

[root@imx0 conf]# sigtool --find-sigs MBL_13226139 |  sigtool --decode-sigs

VIRUS NAME: MBL_13226139
DECODED SIGNATURE:
https://linkprotect.cudasvc.com/url

-Mark

On Wed, Aug 29, 2018 at 09:12:34PM +0100, Steve Basford wrote:
> Had a reply back regarding the false positives
> 
> 
> Hello,
>
> Thank you for contacting us and for reporting potential problems
> with our ClamAV signatures. The two entries mentioned were removed
> from the block lists and data feeds a few days ago. Our users and
> customers should be able to download new versions of the feeds
> according to their subscriptions.
>
> Our means of communication for reporting problems or to ask for
> assistance is via this email address: supp...@malwarepatrol.net.
> We'd appreciate if you could direct anybody with inquiries to
> directly contact us.
>
> Once again, thank you for reporting this issue.
>
> Regards,
>
> Luciana
> Malware Patrol Team

-- 
Mark G. Thomas (m...@misty.com), KC3DRE


Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Reindl Harald



On 27.08.2018 at 20:16, Mark G Thomas wrote:
> This seems to be an ongoing trend.
> 
> I can't believe someone thought this would be a good idea!
> 
> # sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
> VIRUS NAME: MBL_13087222
> DECODED SIGNATURE:
> https://docs.google.com

that happens when you let users which are mostly idiots submit samples
without proper review and in doubt ignore, be it bayes, uribl or signatures


Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford

Had a reply back regarding the false positives


Hello,

Thank you for contacting us and for reporting potential problems with our
ClamAV signatures. The two entries mentioned were removed from the block
lists and data feeds a few days ago. Our users and customers should be able
to download new versions of the feeds according to their subscriptions.

Our means of communication for reporting problems or to ask for assistance
is via this email address: supp...@malwarepatrol.net. We'd appreciate if
you could direct anybody with inquiries to directly contact us.

Once again, thank you for reporting this issue.

Regards,

Luciana
Malware Patrol Team


So if anyone else sees FPs the above email should be a starting point.

Cheers,

Steve
Twitter: @sanesecurity
On 29 August 2018 18:52:31 "Steve Basford" wrote:

> On Tue, August 21, 2018 12:31 pm, Al Varnell wrote:
>> OK, I don't think there is anything that ClamAV can do about it since
>> it's an UNOFFICIAL.
>>
>> Maybe Steve Basford from SaneSecurity can put some pressure on them. He
>> usually reads what's posted here.
>
> I've just sent them an email and a contract form entry on the issues we've
> been seeing of late... basically asking them to improve their quality
> control and not giving other 3rd party signatures or indeed ClamAV a bad
> name.
>
> Not sure if it'll help but we'll see.
>
> FPs will happen... but it's about frequency of them... and how quickly they
> get fixed that's the key issue.
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford


On Tue, August 21, 2018 12:31 pm, Al Varnell wrote:
> OK, I don't think there is anything that ClamAV can do about it since
> it's an UNOFFICIAL.
>
> Maybe Steve Basford from SaneSecurity can put some pressure on them. He
> usually reads what's posted here.

I've just sent them an email and a contract form entry on the issues we've
been seeing of late... basically asking them to improve their quality
control and not giving other 3rd party signatures or indeed ClamAV a bad
name.

Not sure if it'll help but we'll see.

FPs will happen... but it's about frequency of them... and how quickly they
get fixed that's the key issue.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Mark G Thomas
Hi,

Apparently the cudasvc.com URLs are a function of Barracuda for their
customers, replacing dangerous public URLs in messages with private 
links to barracuda-hosted warnings or screening pages, to prevent 
customers from receiving and following original potentially malicious URLs.

Microsoft has a similar service:  safelinks.protection.outlook.com

It seems to me there are all sorts of negative consequences to altering
message content in this way, however that's poor excuse for adding such
URLs to a publicly distributed virus filter rule.

Mark

On Tue, Aug 28, 2018 at 07:45:09AM +0200, lukn wrote:
> Hi
> 
> cudasvc was recently listed on Spamhaus' DBL. Looks like Barracuda has
> some kind of issues with their service.
> The other question is, why do people use such link cloakers?
> 
> 
> On 27.08.2018 22:44, Mark G Thomas wrote:
> > Hi,
> > 
> > But, there are more. This is nuts.
> > 
> > # sigtool --find-sigs MBL_13112740 | sigtool --decode-sigs
> > VIRUS NAME: MBL_13112740
> > DECODED SIGNATURE:
> > https://linkprotect.cudasvc.com/url
> > 
> > Mark
> > 

-- 
Mark G. Thomas (m...@misty.com), KC3DRE


Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread lukn
Hi

cudasvc was recently listed on Spamhaus' DBL. Looks like Barracuda has
some kind of issues with their service.
The other question is, why do people use such link cloakers?


On 27.08.2018 22:44, Mark G Thomas wrote:
> Hi,
> 
> But, there are more. This is nuts.
> 
> # sigtool --find-sigs MBL_13112740 | sigtool --decode-sigs
> VIRUS NAME: MBL_13112740
> DECODED SIGNATURE:
> https://linkprotect.cudasvc.com/url
> 
> Mark
> 


Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread Mark G Thomas
Hi,

But, there are more. This is nuts.

# sigtool --find-sigs MBL_13112740 | sigtool --decode-sigs
VIRUS NAME: MBL_13112740
DECODED SIGNATURE:
https://linkprotect.cudasvc.com/url

Mark

On Mon, Aug 27, 2018 at 07:41:27PM +0100, Steve Basford wrote:
> Just whitelisted for those using download scripts.. using the ign2
> file on the Sanesecurity mirrors.
> 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> On 27 August 2018 19:16:49 Mark G Thomas  wrote:
> 
> >Hi,
> >
> >This seems to be an ongoing trend.
> >
> >I can't believe someone thought this would be a good idea!
> >
> >   # sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
> >   VIRUS NAME: MBL_13087222
> >   DECODED SIGNATURE:
> >   https://docs.google.com
> >
> >
> >On Tue, Aug 21, 2018 at 04:31:28AM -0700, Al Varnell wrote:
> >>OK, I don't think there is anything that ClamAV can do about it since
> >>it's an UNOFFICIAL.
> >>Maybe Steve Basford from SaneSecurity can put some pressure on them. He
> >>usually reads what's posted here.
> >>-Al-
> >>On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
> >>
> >>They did this in April, 2017 also.  When I reported it as a false
> >>positive at that time, they responded with:
> >>"Thank you for contacting us.  There is a file hosted there with a
> >>vague
> >>AV classification.  After further reviewing it, we've decided to remove
> >>the URL from our block lists and data feeds."
> >>I'm beginning to get the feeling they don't have any type of review
> >>process in place.
> >>On Mon, 20 Aug 2018, Al Varnell wrote:
> >>
> >>Submit to fp (at) malwarepatrol.net.
> >>-Al-
> >>On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
> >>
> >>Hi, fyi
> >># sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
> >>VIRUS NAME: MBL_12952716
> >>TARGET TYPE: ANY FILE
> >>OFFSET: *
> >>DECODED SIGNATURE:
> >>https://drive.google.com
> >
> >
> >
> >
> >--
> >Mark G. Thomas (m...@misty.com), KC3DRE

-- 
Mark G. Thomas (m...@misty.com), KC3DRE


Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread Steve Basford
Just whitelisted for those using download scripts.. using the ign2 file on 
the Sanesecurity mirrors.


Cheers,

Steve
Twitter: @sanesecurity
On 27 August 2018 19:16:49 Mark G Thomas wrote:

> Hi,
>
> This seems to be an ongoing trend.
>
> I can't believe someone thought this would be a good idea!
>
>    # sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
>    VIRUS NAME: MBL_13087222
>    DECODED SIGNATURE:
>    https://docs.google.com
>
>
> On Tue, Aug 21, 2018 at 04:31:28AM -0700, Al Varnell wrote:
>> OK, I don't think there is anything that ClamAV can do about it since
>> it's an UNOFFICIAL.
>> Maybe Steve Basford from SaneSecurity can put some pressure on them. He
>> usually reads what's posted here.
>> -Al-
>> On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
>>
>> They did this in April, 2017 also.  When I reported it as a false
>> positive at that time, they responded with:
>> "Thank you for contacting us.  There is a file hosted there with a
>> vague
>> AV classification.  After further reviewing it, we've decided to remove
>> the URL from our block lists and data feeds."
>> I'm beginning to get the feeling they don't have any type of review
>> process in place.
>> On Mon, 20 Aug 2018, Al Varnell wrote:
>>
>> Submit to fp (at) malwarepatrol.net.
>> -Al-
>> On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
>>
>> Hi, fyi
>> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>> VIRUS NAME: MBL_12952716
>> TARGET TYPE: ANY FILE
>> OFFSET: *
>> DECODED SIGNATURE:
>> https://drive.google.com
>
> --
> Mark G. Thomas (m...@misty.com), KC3DRE


Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread Mark G Thomas
Hi,

This seems to be an ongoing trend.

I can't believe someone thought this would be a good idea!

# sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
VIRUS NAME: MBL_13087222
DECODED SIGNATURE:
https://docs.google.com


On Tue, Aug 21, 2018 at 04:31:28AM -0700, Al Varnell wrote:
>OK, I don't think there is anything that ClamAV can do about it since
>it's an UNOFFICIAL.
>Maybe Steve Basford from SaneSecurity can put some pressure on them. He
>usually reads what's posted here.
>-Al-
>On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
> 
>They did this in April, 2017 also.  When I reported it as a false
>positive at that time, they responded with:
>"Thank you for contacting us.  There is a file hosted there with a
>vague
>AV classification.  After further reviewing it, we've decided to remove
>the URL from our block lists and data feeds."
>I'm beginning to get the feeling they don't have any type of review
>process in place.
>On Mon, 20 Aug 2018, Al Varnell wrote:
> 
>  Submit to fp (at) malwarepatrol.net.
>  -Al-
>  On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
> 
>  Hi, fyi
>  # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>  VIRUS NAME: MBL_12952716
>  TARGET TYPE: ANY FILE
>  OFFSET: *
>  DECODED SIGNATURE:
>  https://drive.google.com




-- 
Mark G. Thomas (m...@misty.com), KC3DRE


Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Alex
On Tue, Aug 21, 2018 at 9:02 AM Steve Basford wrote:
> On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote:
> >
> > I'm beginning to get the feeling they don't have any type of review
> > process in place.
>
> I whitelisted the sig on the Sanesecurity mirrors this morning UK time:
>
> 21/08/2018 @ 11:37
>
> It's usually quicker to do that, if not ideal.

Thank you, as always. I should also add that I submitted this to
malwarepatrol prior to posting here - it was important enough that all
clamav users should be made aware so people can whitelist the rule
quickly.

I also believe they don't have any type of quality control. They're
also intermittently responsive to support requests and have frequent
database download problems.


>
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>


Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Steve Basford


On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote:
>
> I'm beginning to get the feeling they don't have any type of review
> process in place.

I whitelisted the sig on the Sanesecurity mirrors this morning UK time:

21/08/2018 @ 11:37

It's usually quicker to do that, if not ideal.


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Arnaud Jacques

Hello,

Do it yourself:
https://www.securiteinfo.com/services/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

Btw, users/customers of 
https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml 
have no problem because the signature has been included in 
securiteinfo.ign2.


On 21/08/2018 at 13:31, Al Varnell wrote:
> OK, I don't think there is anything that ClamAV can do about it since
> it's an UNOFFICIAL.
>
> Maybe Steve Basford from SaneSecurity can put some pressure on them. He
> usually reads what's posted here.
>
> -Al-
>
> On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
>> They did this in April, 2017 also.  When I reported it as a false
>> positive at that time, they responded with:
>>
>> "Thank you for contacting us.  There is a file hosted there with a vague
>> AV classification.  After further reviewing it, we've decided to remove
>> the URL from our block lists and data feeds."
>>
>> I'm beginning to get the feeling they don't have any type of review
>> process in place.
>>
>> On Mon, 20 Aug 2018, Al Varnell wrote:
>>
>>> Submit to fp (at) malwarepatrol.net .
>>>
>>> -Al-
>>>
>>> On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
>>>> Hi, fyi
>>>>
>>>> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>>>> VIRUS NAME: MBL_12952716
>>>> TARGET TYPE: ANY FILE
>>>> OFFSET: *
>>>> DECODED SIGNATURE:
>>>> https://drive.google.com






--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
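
An added example, not part of any poster's message and not code from ClamAV, Sanesecurity, SecuriteInfo or Malware Patrol: a Python script that reads extended-signature (`.ndb`) lines from a third-party feed, decodes plain-string bodies the way `sigtool --decode-sigs` shows them, and lists the names of URL signatures that would match an entire shared service so they can go into a local `.ign2` file. Assumptions: the `SHARED_HOSTS` list and the "no query and fewer than two path segments" rule are illustrative choices, and the sample feed is constructed from the signature names and decoded URLs posted in this thread plus three constructed `EXAMPLE_` entries.

```python
"""Audit an .ndb feed for URL signatures that cover a whole shared service."""
import re
from urllib.parse import urlsplit

# Assumption: operator-maintained list. These are the hosts named in this thread.
SHARED_HOSTS = {
    "drive.google.com",
    "docs.google.com",
    "linkprotect.cudasvc.com",
    "safelinks.protection.outlook.com",
}

# A body made only of hex byte pairs (no ?, *, {n}, (a|b) wildcards) is a plain string.
PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")


def parse_ndb_line(line):
    """Return (name, decoded_text) for Name:TargetType:Offset:HexBody, else None."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return None
    name, _target, _offset, body = fields[:4]
    if not PLAIN_HEX.fullmatch(body):
        return None  # wildcard signature: needs manual review, not decoded here
    try:
        return name, bytes.fromhex(body).decode("ascii")
    except UnicodeDecodeError:
        return None  # binary pattern, not a URL string


def is_overbroad(text):
    """True when the string is a URL on a shared host that pins no specific resource."""
    if not text.lower().startswith(("http://", "https://")):
        return False
    try:
        url = urlsplit(text)
    except ValueError:
        return False
    if (url.hostname or "").lower() not in SHARED_HOSTS:
        return False
    segments = [s for s in url.path.split("/") if s]
    # Illustrative rule: bare host or a single generic endpoint such as /url.
    return not url.query and len(segments) < 2


def audit(lines):
    """Return [(name, decoded_url)] for every over-broad signature in the feed."""
    findings = []
    for line in lines:
        parsed = parse_ndb_line(line)
        if parsed and is_overbroad(parsed[1]):
            findings.append(parsed)
    return findings


def ign2_entries(findings):
    """Signature names as stored in the database, one per .ign2 line."""
    return sorted({name for name, _ in findings})


def _ndb(name, body):
    # Build a constructed sample line: target type 0 (any file), offset *.
    return f"{name}:0:*:{body.encode('ascii').hex()}"


# Constructed sample feed (names and URLs of the first three are from the thread).
SAMPLE_FEED = [
    _ndb("MBL_12952716", "https://drive.google.com"),
    _ndb("MBL_13087222", "https://docs.google.com"),
    _ndb("MBL_13112740", "https://linkprotect.cudasvc.com/url"),
    _ndb("EXAMPLE_SPECIFIC", "https://drive.google.com/file/d/CONSTRUCTED-ID/view"),
    _ndb("EXAMPLE_OTHERHOST", "http://bad.example/payload.exe"),
    "EXAMPLE_WILDCARD:0:*:68747470*2f2f",
]

if __name__ == "__main__":
    hits = audit(SAMPLE_FEED)
    for name, text in hits:
        print(f"# {name} matches any content containing {text}")
    print("\n".join(ign2_entries(hits)))
```

The printed names go, one per line, into a local `.ign2` file in the ClamAV database directory; running the audit on each feed update before the databases are reloaded catches this class of entry before it reaches the scanner.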


Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Al Varnell
OK, I don't think there is anything that ClamAV can do about it since it's an 
UNOFFICIAL. 

Maybe Steve Basford from SaneSecurity can put some pressure on them. He usually 
reads what's posted here.

-Al-

On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
> They did this in April, 2017 also.  When I reported it as a false positive at 
> that time, they responded with:
> 
> "Thank you for contacting us.  There is a file hosted there with a vague
> AV classification.  After further reviewing it, we've decided to remove
> the URL from our block lists and data feeds."
> 
> I'm beginning to get the feeling they don't have any type of review process 
> in place.
> 
> 
> On Mon, 20 Aug 2018, Al Varnell wrote:
> 
>> Submit to fp (at) malwarepatrol.net .
>> 
>> -Al-
>> 
>> On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
>>> Hi, fyi
>>> 
>>> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>>> VIRUS NAME: MBL_12952716
>>> TARGET TYPE: ANY FILE
>>> OFFSET: *
>>> DECODED SIGNATURE:
>>> https://drive.google.com 



Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Dave McMurtrie
They did this in April, 2017 also.  When I reported it as a false positive 
at that time, they responded with:


"Thank you for contacting us.  There is a file hosted there with a vague
AV classification.  After further reviewing it, we've decided to remove
the URL from our block lists and data feeds."

I'm beginning to get the feeling they don't have any type of review 
process in place.



On Mon, 20 Aug 2018, Al Varnell wrote:

> Submit to fp (at) malwarepatrol.net.
>
> -Al-
>
> On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
>> Hi, fyi
>>
>> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>> VIRUS NAME: MBL_12952716
>> TARGET TYPE: ANY FILE
>> OFFSET: *
>> DECODED SIGNATURE:
>> https://drive.google.com





Re: [clamav-users] Malwarepatrol false positive

2018-08-20 Thread Al Varnell
Submit to fp (at) malwarepatrol.net.

-Al-

On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
> Hi, fyi
> 
> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
> VIRUS NAME: MBL_12952716
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://drive.google.com




[clamav-users] Malwarepatrol false positive

2018-08-20 Thread Alex
Hi, fyi

# sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
VIRUS NAME: MBL_12952716
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://drive.google.com