Hi,

> Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails
> quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link
> forwarded as an attachment of a Google Drive folder. I reported this to the
> false positive address at SaneSecurity. I also added the signature to a file
> called /var/lib/clamav/sigwhitelist.ign2
>
> Is there a way to verify that the signature itself was fixed?
I have been hit by the same problem. I tried to talk to Malware Patrol, but the answer was "this is it". As I update the ClamAV unofficial signatures with clamav-unofficial-sigs.sh, I did the following:

- in the clamav-unofficial-sigs configuration (in the file user.conf) I added the following to call an external script before reloading ClamAV:

  clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"

- I created a directory where I will do the temp work (that is the FreeBSD directory structure):

  /var/db/clamav-unofficial-sigs/post-control

- I created the following script that looks for signatures corresponding to https://drive.google.com and removes them:

#!/usr/local/bin/perl
# Malware Patrol has listed the URL https://drive.google.com as the
# signature of a virus. This causes any email that has a link to
# a Google document to be quarantined.
# This hack is there to remove that signature from the Malware Patrol
# pattern file.
# It is called by the hook defined in the variable $clamd_reload_opt
# (in user.conf)
# - copy, modify and reinstall the Malware Patrol signature file;
# - send a reload command to clamd
use strict;
use warnings;

sub do_magic {
  # move the file into the temp directory (hard link, then remove the original)
  link "../malwarepatrol.ndb", "malwarepatrol.ndb"
    or die "cannot link ../malwarepatrol.ndb: $!";
  unlink "../malwarepatrol.ndb";
  # clean the file: copy every record except the offending one
  open my $in, '<', "malwarepatrol.ndb" or die "cannot read malwarepatrol.ndb: $!";
  open my $out, '>', "malwarepatrol-cln.ndb" or die "cannot write malwarepatrol-cln.ndb: $!";
  while (<$in>) {
    chomp;
    # the hex body of this .ndb record is the ASCII string https://drive.google.com
    next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
    print $out "$_\n";
  }
  close $in;
  close $out;
  # put the cleaned file back in place of the downloaded one
  unlink "malwarepatrol.ndb";
  link "malwarepatrol-cln.ndb", "../malwarepatrol.ndb";
  unlink "malwarepatrol-cln.ndb";
  # 110 is the uid/gid of the clamav user on this host
  chown 110, 110, "../malwarepatrol.ndb";
  # and install it into the live database directory read by clamd
  unlink "../../clamav/malwarepatrol.ndb";
  link "../malwarepatrol.ndb", "../../clamav/malwarepatrol.ndb";
  chown 110, 110, "../../clamav/malwarepatrol.ndb";
  system "logger -p mail.warning clamav-unofficial triggered reading database /var/db/clamav";
  system "clamdscan --reload";
}

# Let's move to the temp directory, so it does not have to be done later
chdir "/var/db/clamav-unofficial-sigs/post-control"
  or die "cannot chdir to post-control: $!";
do_magic();
exit;

############################

Notes:

- there may be the need for one more change to clamav-unofficial-sigs.sh, that I don't remember off the top of my head. But maybe not, and defining clamd_reload_opt is enough.
- Malware Patrol has problems with their signatures for SpamAssassin too: regularly they will be missing a ] at the end of a regex and SA would not lint. I had to throw in another workaround to get around that.
- for some reason (educational, I don't really remember), I get Malware Patrol for free, so I will not push the issue with them and am very grateful for the help they provide me protecting my users from the miscreants.

Best regards,
Olivier

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
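A more general take on the filtering step in Olivier's script, as an added example (not his code and not part of ClamAV or clamav-unofficial-sigs): it decodes each .ndb hex body instead of matching one hard-coded hex string, drops only records that are a bare URL on an allow-listed host (a signature for a specific Drive file link is kept), and can check whether a signature name such as MBL_82485625 is still in a database after the next update. The host allow-list is an assumed site policy and the sample records other than MBL_82485625 are constructed.

```python
import re
from urllib.parse import urlsplit

# Hosts whose bare URL should never be a detection by itself (assumed site policy).
BENIGN_URL_HOSTS = {"drive.google.com", "docs.google.com"}
_PLAIN_HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample database; only MBL_82485625 and the drive.google.com hex come
# from the thread, the other three records are made up for the demo.
SAMPLE_NDB = [
    "MBL_82485625:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d",
    "MBL_1:0:*:68747470733a2f2f6578616d706c652e636f6d2f6261642e657865",   # https://example.com/bad.exe
    "MBL_2:0:*:68747470733a2f2f64726976652e676f6f676c652e636f6d2f66696c652f642f313233",  # a specific Drive file
    "MBL_3:0:*:4d5a??????50450000",                                           # body with wildcards
]

def decode_plain_hex(body):
    """Bytes for a literal hex body, or None if it uses ClamAV wildcards (??, *, {n-m}, (a|b))."""
    return bytes.fromhex(body) if _PLAIN_HEX.match(body) else None

def is_bare_benign_url(body):
    """True only when the decoded body is nothing more than a URL on an allow-listed host."""
    raw = decode_plain_hex(body)
    if raw is None or not raw.isascii():
        return False
    u = urlsplit(raw.decode("ascii"))
    return (u.scheme in ("http", "https") and u.hostname in BENIGN_URL_HOSTS
            and u.path in ("", "/") and not u.query and not u.fragment)

def filter_ndb(lines):
    """Return (kept_lines, dropped_names); records not matching name:target:offset:hex stay."""
    kept, dropped = [], []
    for line in lines:
        line = line.rstrip("\n")
        fields = line.split(":", 3)
        if len(fields) == 4 and not line.startswith("#") and is_bare_benign_url(fields[3]):
            dropped.append(fields[0])   # candidate for the .ign2 whitelist too
        else:
            kept.append(line)
    return kept, dropped

def signature_present(lines, name):
    """Check whether a signature name still exists, e.g. after the next unofficial update."""
    return any(l.split(":", 1)[0] == name for l in lines if l and not l.startswith("#"))

if __name__ == "__main__":
    kept, dropped = filter_ndb(SAMPLE_NDB)
    print("dropped:", dropped, "| MBL_82485625 still present:", signature_present(kept, "MBL_82485625"))
```

Running signature_present over the freshly downloaded malwarepatrol.ndb before filtering is the quickest way to tell whether the vendor has actually removed the record, as the original question asked.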