On Tue, Nov 12, 2013 at 7:14 AM, Andreas Schulze <andreas.schu...@datev.de> wrote:
> On 12.11.2013 12:59, Andreas Schulze wrote:
> > I found a fantastic fact!
> +1
>
> other sample message:
>
>     $ clamdscan falsepositive falsepositive.ok
>     /tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND
>     /tmp/falsepositive.ok: OK
>
>     ----------- SCAN SUMMARY -----------
>     Infected files: 1
>     Time: 0.061 sec (0 m 0 s)
>
>     $ diff falsepositive falsepositive.ok
>     49c49
>     < X-Spam-Note: SpamAssassin run bypassed due to message size
>     ---
>     > X-Spam-Note: SpamAssassin run bypAssed due to message size
>
> looks like a simple "pass" in lower case triggers the file as
> Worm.Bagle.H-zippwd-1
>
> Anyway: a working whitelisting option would still be nice :-)
>
> --
> Andreas Schulze
> Internetdienste | P252
> DATEV eG
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

You can use the find-sigs option of sigtool to help find the signatures and diagnose this in the future.

    clamav@debian-vm-07:~/clamav-devel$ sigtool --find-sigs=Worm.Bagle.H-zip
    [main.db] Worm.Bagle.H-zippwd-1 (Clam)=70617373*6170706c69636174696f6e2f6f637465742d73747265616d3b*6e616d653d*2e7a6970*0a5545734442416f414151414141*4141414141

What makes this one a special case is the extra " (Clam)" at the end of the signature name. This is an old sig. We do not use that naming convention for new signatures anymore.
Still, the code is written to remove that specific string from the end of a signature name at load time, but after the whitelist check. Change your ign2 file to ignore the full original signature name [in this case, "Worm.Bagle.H-zippwd-1 (Clam)"] and the signature should be ignored.

Two side notes:

1) The same signature name function is what adds the ".UNOFFICIAL" at the end of signatures not packaged in a CVD file.

2) As you found, this signature is written with a case-sensitive match on "pass" in lowercase as the first content segment [which is the 70617373]. To trigger the alert, it has 5 more content matches which can occur anywhere later in the file.

Dave R.

--
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
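As an added illustration of the two points in Dave's reply (the ordered, case-sensitive content match, and the ign2 check running before the " (Clam)" suffix is stripped), here is a small Python model; it is not ClamAV's code, the "*" wildcard is reduced to "any bytes, in order", and the sample mail is constructed for the demonstration:

```python
CLAM_SUFFIX = " (Clam)"
# Signature exactly as printed by `sigtool --find-sigs` in the message above.
SIG = ("Worm.Bagle.H-zippwd-1 (Clam)=70617373*6170706c69636174696f6e2f6f637465742d73747265616d3b"
       "*6e616d653d*2e7a6970*0a5545734442416f414151414141*4141414141")

def parse_sig(sig):
    """Split 'name=hex*hex*...' into the raw name and its byte segments."""
    name, _, body = sig.partition("=")
    return name, [bytes.fromhex(part) for part in body.split("*")]

def matches(data, segments):
    """Simplified '*' semantics: each segment must occur, case-sensitively, after the previous one."""
    pos = 0
    for seg in segments:
        idx = data.find(seg, pos)
        if idx < 0:
            return False
        pos = idx + len(seg)
    return True

def is_ignored(raw_name, ign2):
    """ign2 whitelist check, done on the raw name before the suffix is stripped (as described above)."""
    return raw_name in ign2

def reported_name(raw_name):
    """Name as clamd reports it, after load-time removal of ' (Clam)'."""
    return raw_name[:-len(CLAM_SUFFIX)] if raw_name.endswith(CLAM_SUFFIX) else raw_name

def sample_mail(note):
    """Constructed message: spam-note header plus a base64 attachment starting with an encrypted-zip header."""
    return (
        "X-Spam-Note: SpamAssassin run " + note + " due to message size\n"
        'Content-Type: application/octet-stream; name="archive.zip"\n'
        "Content-Transfer-Encoding: base64\n\n"
        "UEsDBAoAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"   # UEsDBAoAAQ.. = PK\x03\x04, flag bit 0 set
    ).encode()

def scan(data, ign2=()):
    """Return the reported signature name on a hit, or None (no match or whitelisted)."""
    raw_name, segs = parse_sig(SIG)
    if is_ignored(raw_name, ign2) or not matches(data, segs):
        return None
    return reported_name(raw_name)

if __name__ == "__main__":
    print(scan(sample_mail("bypassed")))                                         # Worm.Bagle.H-zippwd-1
    print(scan(sample_mail("bypAssed")))                                         # None
    print(scan(sample_mail("bypassed"), ign2={"Worm.Bagle.H-zippwd-1"}))         # still reported
    print(scan(sample_mail("bypassed"), ign2={"Worm.Bagle.H-zippwd-1 (Clam)"}))  # None
```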