Re: [clamav-users] Malwarepatrol false positives

2018-04-29 Thread Micah Snyder (micasnyd)
My mistake, Steve.  I saw them listed at the bottom of your signatures page 
(https://sanesecurity.com/usage/signatures/) and neglected to read the "and 
distributed by" portion.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Apr 29, 2018, at 11:34 AM, Steve Basford wrote:


> On Sun, April 29, 2018 3:29 am, Micah Snyder (micasnyd) wrote:
>> What I think Joel is saying is that your MBL signatures are coming
>> through SaneSecurity, not from Cisco/Talos official ClamAV rule set.
>
> Hi Micah,
>
> MBL signatures are produced and distributed by MalwarePatrol, nothing to
> do with Sanesecurity.
>
> MalwarePatrol can be added as an option from the main download script here:
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> MalwarePatrol FP's can be reported here:  fp (_a_t_) malwarepatrol.net
>
> On the Sanesecurity mirrors, sigwhitelist.ign2 has the following whitelist
> entries:
>
> MBL_6882958
> MBL_6888621
> MBL_6913896
>
> So, that might help a little until they fix the issues.
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



Re: [clamav-users] Malwarepatrol false positives

2018-04-29 Thread Steve Basford

On Sun, April 29, 2018 3:29 am, Micah Snyder (micasnyd) wrote:
> What I think Joel is saying is that your MBL signatures are coming
> through SaneSecurity, not from Cisco/Talos official ClamAV rule set.
>
>
Hi Micah,

MBL signatures are produced and distributed by MalwarePatrol, nothing to
do with Sanesecurity.

MalwarePatrol can be added as an option from the main download script here:

https://github.com/extremeshok/clamav-unofficial-sigs

MalwarePatrol FP's can be reported here:  fp (_a_t_) malwarepatrol.net

On the Sanesecurity mirrors, sigwhitelist.ign2 has the following whitelist
entries:

MBL_6882958
MBL_6888621
MBL_6913896

So, that might help a little until they fix the issues.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Benny Pedersen

Alex wrote on 2018-04-29 03:24:

>> That shouldn't be part of the official ruleset.
>
> Really?

bit.ly has abuse handling, so it's hard to report if it's rejected.

> No one uses bit.ly for legitimate purposes?

Is this a question?

> I don't mean for that to sound sarcastic - I really don't know.
> Everyone's heard of / uses bit.ly I thought...

Don't use MalwarePatrol, that's all.


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Vincent Fox
I've had to exempt 4 MBL sigs in 24 hours.  Where's the QC?

I'm on a knife edge about just dropping MBL.



From: clamav-users on behalf of Alex
Sent: Friday, April 27, 2018 8:22:05 PM
To: ClamAV users ML
Subject: [clamav-users] Malwarepatrol false positives

Hi,

I can't imagine outright blocking https://goo.gl is not a mistake.

$ sigtool --find-sigs MBL_6888621 | sigtool --decode-sigs
VIRUS NAME: MBL_6888621
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://goo.gl

MBL_6882958 and MBL_6888621 both hit on https://goo.gl.

I've reported this to them hours ago and still no update so wanted to
be sure people knew about it here.


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Micah Snyder (micasnyd)
What I think Joel is saying is that your MBL signatures are coming through 
SaneSecurity, not from Cisco/Talos official ClamAV rule set.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Apr 28, 2018, at 9:24 PM, Alex wrote:

> Hi,
>
>> That shouldn't be part of the official ruleset.
>
> Really? No one uses bit.ly for legitimate purposes?
>
> I don't mean for that to sound sarcastic - I really don't know.
> Everyone's heard of / uses bit.ly I thought...



Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Alex
Hi,

> That shouldn’t be part of the official ruleset.

Really? No one uses bit.ly for legitimate purposes?

I don't mean for that to sound sarcastic - I really don't know.
Everyone's heard of / uses bit.ly I thought...


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Joel Esler (jesler)
That shouldn’t be part of the official ruleset.  

Sent from my iPhone

> On Apr 28, 2018, at 17:32, Alex  wrote:
> 
> Hi,
> 
> So I decided to check which MBL hits there were today, and it seems
> they're now blocking https://bit.ly
> 
> $ sigtool --find-sigs MBL_6913896 |sigtool --decode-sigs
> VIRUS NAME: MBL_6913896
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://bit.ly
> 
> I'm beginning to think I've made a mistake with this vendor...
> 
> 
>> On Sat, Apr 28, 2018 at 2:26 AM, Gene Heskett  wrote:
>>> On Saturday 28 April 2018 01:06:38 Steve Basford wrote:
>>> 
>>> Hi Alex...
>>> 
>>> I've whitelisted the two sigs... until they fix them.. so that might
>>> help a little.
>>> 
>>> Cheers,
>>> 
>>> Steve
>>> Twitter: @sanesecurity
>>> On 28 April 2018 04:23:51 Alex  wrote:
>>> 
>>> Hi,
>>> 
>>> I can't imagine outright blocking https://goo.gl is not a mistake.
>>> 
>>> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.
>>> 
>> 
>> It's affecting my incoming traffic, mail traffic is down about 80% since
>> yesterday sometime. And it's not being blocked here according to my
>> clamav logs. Nor apparently at shentel.net either, my ISP.
>>
>> --
>> Cheers, Gene Heskett
>> --
>> "There are four boxes to be used in defense of liberty:
>> soap, ballot, jury, and ammo. Please use in that order."
>> -Ed Howdershelt (Author)
>> Gene's Web page


Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Alex
Hi,

So I decided to check which MBL hits there were today, and it seems
they're now blocking https://bit.ly

$ sigtool --find-sigs MBL_6913896 |sigtool --decode-sigs
VIRUS NAME: MBL_6913896
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://bit.ly

I'm beginning to think I've made a mistake with this vendor...


On Sat, Apr 28, 2018 at 2:26 AM, Gene Heskett  wrote:
> On Saturday 28 April 2018 01:06:38 Steve Basford wrote:
>
>> Hi Alex...
>>
>> I've whitelisted the two sigs... until they fix them.. so that might
>> help a little.
>>
>> Cheers,
>>
>> Steve
>> Twitter: @sanesecurity
>> On 28 April 2018 04:23:51 Alex  wrote:
>>
>> Hi,
>>
>> I can't imagine outright blocking https://goo.gl is not a mistake.
>>
>> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.
>>
>
> It's affecting my incoming traffic, mail traffic is down about 80% since
> yesterday sometime. And it's not being blocked here according to my
> clamav logs. Nor apparently at shentel.net either, my ISP.
>
> --
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Gene's Web page


Re: [clamav-users] Malwarepatrol false positives

2018-04-27 Thread Gene Heskett
On Saturday 28 April 2018 01:06:38 Steve Basford wrote:

> Hi Alex...
>
> I've whitelisted the two sigs... until they fix them.. so that might
> help a little.
>
> Cheers,
>
> Steve
> Twitter: @sanesecurity
> On 28 April 2018 04:23:51 Alex  wrote:
>
> Hi,
>
> I can't imagine outright blocking https://goo.gl is not a mistake.
>
> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.
>

It's affecting my incoming traffic, mail traffic is down about 80% since 
yesterday sometime. And it's not being blocked here according to my 
clamav logs. Nor apparently at shentel.net either, my ISP.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page


Re: [clamav-users] Malwarepatrol false positives

2018-04-27 Thread Steve Basford

Hi Alex...

I've whitelisted the two sigs... until they fix them.. so that might help a 
little.


Cheers,

Steve
Twitter: @sanesecurity
On 28 April 2018 04:23:51 Alex wrote:

> Hi,
>
> I can't imagine outright blocking https://goo.gl is not a mistake.
>
> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.





[clamav-users] Malwarepatrol false positives

2018-04-27 Thread Alex
Hi,

I can't imagine outright blocking https://goo.gl is not a mistake.

$ sigtool --find-sigs MBL_6888621 | sigtool --decode-sigs
VIRUS NAME: MBL_6888621
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://goo.gl

MBL_6882958 and MBL_6888621 both hit on https://goo.gl.

I've reported this to them hours ago and still no update so wanted to
be sure people knew about it here.
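The thread shows two pieces of the same workflow: Alex's `sigtool --find-sigs MBL_6888621 | sigtool --decode-sigs` output, which reveals that the MBL body is nothing more than the hex encoding of `https://goo.gl`, and Steve's `sigwhitelist.ign2` entries, which suppress those signature names until the vendor fixes them. The script below is an added example, not code from the thread, ClamAV, MalwarePatrol or Sanesecurity. It parses a few constructed `.ndb` lines (ClamAV's `Name:TargetType:Offset:HexSignature` format; the two `MBL_*` bodies are the hex of the URLs quoted in the thread, and `Example_Specific_1` is a made-up contrast with a full URL path), decodes the hex body the way `sigtool --decode-sigs` displays it, and generates `.ign2` lines for any signature whose body is a bare scheme-plus-hostname. That "bare host" heuristic and the `TARGET_TYPES` subset are my own choices, not ClamAV logic, and the decoder handles the common `.ndb` wildcards (`??`, `*`, `{n-m}`, `(aa|bb)`) in addition to the plain hex on the page.

```python
"""Decode ClamAV .ndb signatures and emit .ign2 whitelist lines for over-broad ones.

Added example, not code from the thread, ClamAV, MalwarePatrol or Sanesecurity.
"""
from __future__ import annotations

import re

# Constructed sample in ClamAV .ndb format: Name:TargetType:Offset:HexSignature.
# The two MBL_* bodies are the hex encodings of the URLs quoted in the thread;
# "Example_Specific_1" is a made-up contrast whose body carries a full URL path.
SAMPLE_NDB = """\
MBL_6888621:0:*:68747470733a2f2f676f6f2e676c
MBL_6913896:0:*:68747470733a2f2f6269742e6c79
Example_Specific_1:0:*:68747470733a2f2f6578616d706c652e636f6d2f61626364313233342f7061796c6f61642e657865
"""

# Subset of ClamAV target types, enough for this example (0 = any file).
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 3: "HTML", 4: "MAIL"}

# One token of an .ndb hex body: a {n-m} gap, an (aa|bb) alternation,
# the ?? single-byte wildcard, the * any-length wildcard, or one hex byte.
_TOKEN = re.compile(r"\{[^}]*\}|\([^)]*\)|\?\?|\*|[0-9a-fA-F]{2}")
_HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

# Heuristic (mine, not ClamAV's): a body that is only a scheme and a hostname
# fires on every message that merely mentions that host, which is the FP
# pattern the thread complains about.
_BARE_HOST_URL = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}/?$")


def decode_hex_sig(hexsig: str) -> str:
    """Turn an .ndb hex body into text; wildcards are kept verbatim."""
    out, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparseable hex signature at offset {pos}: {hexsig!r}")
        tok = m.group(0)
        if _HEX_BYTE.fullmatch(tok):
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
        else:
            out.append(tok)
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in hex signature: {hexsig!r}")
    return "".join(out)


def parse_ndb(text: str) -> list[dict]:
    """Parse .ndb lines into dicts with the decoded body attached."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # An optional 5th field (minimum functionality level) is ignored here.
        name, target, offset, hexsig = line.split(":")[:4]
        sigs.append({"name": name, "target": int(target), "offset": offset,
                     "hexsig": hexsig, "decoded": decode_hex_sig(hexsig)})
    return sigs


def is_bare_host_url(decoded: str) -> bool:
    """True when the signature body is just a hostname (too broad to block on)."""
    return _BARE_HOST_URL.match(decoded) is not None


def build_ign2(sigs: list[dict]) -> str:
    """sigwhitelist.ign2 content: one signature name per line, bare hosts only."""
    return "\n".join(s["name"] for s in sigs if is_bare_host_url(s["decoded"]))


def describe(sig: dict) -> str:
    """Format one signature the way sigtool --decode-sigs prints it."""
    return (f"VIRUS NAME: {sig['name']}\n"
            f"TARGET TYPE: {TARGET_TYPES.get(sig['target'], str(sig['target']))}\n"
            f"OFFSET: {sig['offset']}\n"
            f"DECODED SIGNATURE:\n{sig['decoded']}\n")


if __name__ == "__main__":
    sigs = parse_ndb(SAMPLE_NDB)
    for s in sigs:
        print(describe(s))
    print("# lines for sigwhitelist.ign2 (review before deploying):")
    print(build_ign2(sigs))
```

Two caveats before using the output for real. An `.ign2` file only takes effect when it sits in clamd's database directory alongside the other signature files, and it silences the named signature everywhere, not just for the one false positive, so keep the list short and drop entries once the vendor has withdrawn the bad signatures, as Steve's "until they fix the issues" implies. Reporting the FP to the vendor address given in the thread is still the actual fix; the whitelist is the stopgap.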