Email.Phishing.RPMSG_Downloader-10004958-0 has been dropped. Thanks for sending the FP report our way.
On Fri, Jul 14, 2023 at 7:42 PM Alex via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi,
>
> I'm using clamav-0.103.8 on fedora37 with the current daily update and
> have received a false positive involving the RPMSG secure download that's
> apparently part of office365.
>
> For some reason the fp is in the body of the message, not the
> message_v2.rpmsg attachment. Here is the entire message:
>
> https://drive.google.com/file/d/1ZImepnB_U5_pI0CXRhWm8nlKVCPCFnw3/view?usp=sharing
>
> Here's the sigtool output. Is this in fact a false positive?
>
> $ sigtool --find-sigs Email.Phishing.RPMSG_Downloader-10004958-0|sigtool --decode-sigs
> VIRUS NAME: Email.Phishing.RPMSG_Downloader-10004958-0
> TDB: Engine:90-255,Target:4
> LOGICAL EXPRESSION: 0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Content-Disposition:
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> has sent you a protected message.
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> .office365.com/Encryption/lock.png
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> <a href=
> =3D"https://
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> outlook
>  * SUBSIG ID 5
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> .office365.com
>  * SUBSIG ID 6
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> /Encryption/
>  * SUBSIG ID 7
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> retrieve.ashx?
>  * SUBSIG ID 8
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> recipientemailaddress
>  * SUBSIG ID 9
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> ;senderemailaddress=
>  * SUBSIG ID 10
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> application/x-microsoft-rpmsg-message;
>  * SUBSIG ID 11
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> name="message_v{WILDCARD_IGNORE}.rpmsg"
>
>
> _______________________________________________
>
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat

--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
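To see why the decoded signature above matches a benign Office 365 protected-message notice, here is a small evaluator for its logical expression. It is an added illustration, not code from the thread or from ClamAV, and it assumes the documented count semantics: a bare subsignature ID is true when that subsignature matched at least once, `(x)>n,m` requires more than n total matches spread over at least m distinct subsignatures inside x, and `&`/`|` are applied left to right. The per-subsignature match counts are constructed, not measured on the sample message.

```python
import re

# Assumed semantics (see lead-in); a value is (total matches, distinct subsigs matched):
# N = subsig N matched at least once; a|b sums both parts; a&b sums them only if both matched;
# (x)>n = total of x greater than n (also =n, <n); (x)>n,m additionally needs m distinct subsigs.

def lsig_matches(expr: str, counts: dict) -> bool:
    toks = re.findall(r"\d+|\S", expr) + [None]  # None marks the end of the expression
    i = 0

    def parse_expr() -> tuple:  # '&' and '|' applied left to right (assumption)
        nonlocal i
        left = parse_term()
        while toks[i] in ("&", "|"):
            op, i = toks[i], i + 1
            right = parse_term()
            dead = op == "&" and (left[0] == 0 or right[0] == 0)
            left = (0, 0) if dead else (left[0] + right[0], left[1] + right[1])
        return left

    def parse_term() -> tuple:
        nonlocal i
        tok, i = toks[i], i + 1
        if tok == "(":
            val = parse_expr()
            if toks[i] != ")":
                raise ValueError("missing ')'")
            i += 1
        elif tok and tok.isdigit():
            val = (c := counts.get(int(tok), 0), 1 if c else 0)
        else:
            raise ValueError(f"unexpected token {tok!r}")
        if toks[i] in ("=", ">", "<"):  # count modifier with optional ',m'
            op, n, i = toks[i], int(toks[i + 1]), i + 2
            ok = {"=": val[0] == n, ">": val[0] > n, "<": val[0] < n}[op]
            if toks[i] == ",":
                ok, i = ok and val[1] >= int(toks[i + 1]), i + 2
            val = val if ok else (0, 0)
        return val

    val = parse_expr()
    if toks[i] is not None:
        raise ValueError("trailing tokens in expression")
    return val[0] > 0

RPMSG_EXPR = "0&(1|2)&((3|4|5|6|7|8|9)>4,4)&10&11"  # from the decoded signature
# Constructed counts (not measured on the thread's sample) for a genuine Office 365 notice:
LEGIT_NOTICE = {0: 2, 1: 1, 2: 1, 3: 1, 4: 2, 5: 3, 6: 1, 7: 1, 8: 1, 9: 1, 10: 1, 11: 1}
# Same headers but only two URL fragments: the '>4,4' group fails, so no detection.
SPARSE_NOTICE = {0: 1, 1: 1, 3: 1, 4: 1, 10: 1, 11: 1}
```

Every subsignature here is a string any legitimate protected-message notification carries, so the only thing keeping benign mail out is the `>4,4` threshold on the URL-fragment group; the counts can be obtained by searching the raw message for each decoded subsignature.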