Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Benny Pedersen

Alex wrote on 2018-04-29 03:24:


>> That shouldn't be part of the official ruleset.
>
> Really?

bit.ly has abuse handling, so it's hard to report if it's rejected.

> No one uses bit.ly for legitimate purposes?

Is this a question?

> I don't mean for that to sound sarcastic - I really don't know.
> Everyone's heard of / uses bit.ly I thought...

Don't use Malwarepatrol, that's all.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Vincent Fox
I've had to exempt 4 MBL sigs in 24 hours.  Where's the QC?

I'm on a knife edge about just dropping MBL.



From: clamav-users  on behalf of Alex 

Sent: Friday, April 27, 2018 8:22:05 PM
To: ClamAV users ML
Subject: [clamav-users] Malwarepatrol false positives

Hi,

I can't imagine outright blocking https://goo.gl is not a mistake.

$ sigtool --find-sigs MBL_6888621 | sigtool --decode-sigs
VIRUS NAME: MBL_6888621
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://goo.gl

MBL_6882958 and MBL_6888621 both hit on https://goo.gl.

I've reported this to them hours ago and still no update so wanted to
be sure people knew about it here.


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Micah Snyder (micasnyd)
What I think Joel is saying is that your MBL signatures are coming through 
SaneSecurity, not from Cisco/Talos official ClamAV rule set.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Apr 28, 2018, at 9:24 PM, Alex <mysqlstud...@gmail.com> wrote:

Hi,

That shouldn’t be part of the official ruleset.

Really? No one uses bit.ly for legitimate purposes?

I don't mean for that to sound sarcastic - I really don't know.
Everyone's heard of / uses bit.ly I thought...


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Alex
Hi,

> That shouldn’t be part of the official ruleset.

Really? No one uses bit.ly for legitimate purposes?

I don't mean for that to sound sarcastic - I really don't know.
Everyone's heard of / uses bit.ly I thought...


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Joel Esler (jesler)
That shouldn’t be part of the official ruleset.  

Sent from my iPhone

> On Apr 28, 2018, at 17:32, Alex  wrote:
> 
> Hi,
> 
> So I decided to check which MBL hits there were today, and it seems
> they're now blocking https://bit.ly
> 
> $ sigtool --find-sigs MBL_6913896 |sigtool --decode-sigs
> VIRUS NAME: MBL_6913896
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://bit.ly
> 
> I'm beginning to think I've made a mistake with this vendor...
> 
> 
>> On Sat, Apr 28, 2018 at 2:26 AM, Gene Heskett  wrote:
>>> On Saturday 28 April 2018 01:06:38 Steve Basford wrote:
>>> 
>>> Hi Alex...
>>> 
>>> I've whitelisted the two sigs... until they fix them.. so that might
>>> help a little.
>>> 
>>> Cheers,
>>> 
>>> Steve
>>> Twitter: @sanesecurity
>>> On 28 April 2018 04:23:51 Alex  wrote:
>>> 
>>> Hi,
>>> 
>>> I can't imagine outright blocking https://goo.gl is not a mistake.
>>> 
>>> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.
>>> 
>> 
>> It's affecting my incoming traffic; mail traffic is down about 80% since
>> yesterday sometime. And it's not being blocked here according to my
>> clamav logs. Nor apparently at shentel.net either, my ISP.
>> 
>> --
>> Cheers, Gene Heskett
>> --
>> "There are four boxes to be used in defense of liberty:
>> soap, ballot, jury, and ammo. Please use in that order."
>> -Ed Howdershelt (Author)
>> Genes Web page 


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Alex
Hi,

So I decided to check which MBL hits there were today, and it seems
they're now blocking https://bit.ly

$ sigtool --find-sigs MBL_6913896 |sigtool --decode-sigs
VIRUS NAME: MBL_6913896
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://bit.ly

I'm beginning to think I've made a mistake with this vendor...


On Sat, Apr 28, 2018 at 2:26 AM, Gene Heskett  wrote:
> On Saturday 28 April 2018 01:06:38 Steve Basford wrote:
>
>> Hi Alex...
>>
>> I've whitelisted the two sigs... until they fix them.. so that might
>> help a little.
>>
>> Cheers,
>>
>> Steve
>> Twitter: @sanesecurity
>> On 28 April 2018 04:23:51 Alex  wrote:
>>
>> Hi,
>>
>> I can't imagine outright blocking https://goo.gl is not a mistake.
>>
>> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.
>>
>
> It's affecting my incoming traffic; mail traffic is down about 80% since
> yesterday sometime. And it's not being blocked here according to my
> clamav logs. Nor apparently at shentel.net either, my ISP.
>
> --
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 
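As an added example (not code from any list participant or from ClamAV), a small Python check over the `sigtool --decode-sigs` output quoted in this thread: it parses each decoded block, flags signatures whose entire body is a bare scheme-plus-host URL (the goo.gl and bit.ly cases, which with TARGET TYPE ANY FILE and OFFSET * match every message that merely mentions the host), and writes their names in .ign2 format, the local whitelist mechanism Steve refers to. The third block, MBL_0000000 with a path-specific URL, is a constructed contrast case and not a real signature.

```python
import re

# Constructed sample input: the two decoded blocks quoted in the thread plus
# one constructed block (MBL_0000000, not a real signature) with a full path.
SAMPLE = """\
VIRUS NAME: MBL_6888621
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://goo.gl

VIRUS NAME: MBL_6913896
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://bit.ly

VIRUS NAME: MBL_0000000
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://bit.ly/EXAMPLE-path
"""

# A "bare" URL is scheme + host with at most a trailing slash; as a substring
# pattern it hits every file mentioning the host, hence mass false positives.
BARE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[A-Za-z0-9.-]+/?$")

def parse_decoded(text):
    """Yield (signature name, decoded body) from sigtool --decode-sigs output."""
    name, body, in_body = None, [], False
    for line in text.splitlines():
        if line.startswith("VIRUS NAME:"):
            if name is not None:
                yield name, "\n".join(body)
            name, body, in_body = line.split(":", 1)[1].strip(), [], False
        elif line.startswith("DECODED SIGNATURE:"):
            in_body = True
        elif in_body and line.strip():
            body.append(line.strip())
    if name is not None:
        yield name, "\n".join(body)

def overbroad_sigs(text):
    """Names of signatures whose whole decoded body is a bare URL."""
    return [n for n, body in parse_decoded(text) if BARE_URL.match(body)]

def ign2_whitelist(names):
    """Local whitelist in ClamAV .ign2 format: one signature name per line."""
    return "".join(f"{n}\n" for n in names)
```

Pipe real `sigtool --decode-sigs` output into `overbroad_sigs` and drop the result from `ign2_whitelist` into a `.ign2` file in the ClamAV database directory to suppress those signatures locally until the vendor fixes them.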