> The daily system scan is fussing about
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
> MBL_400944.UNOFFICIAL FOUND

Hi,

Just seen your post on LKML, so before this gets any more out of hand than it already has, here's why you'll find MBL_400944 detected in gadget_multi.txt.

Background:

MBL signatures (malwarepatrol.net) are Third Party addon signatures to ClamAV. While they have the ".UNOFFICIAL" at the end of the signature name, they aren't distributed on the Sanesecurity mirrors and are out of my control.

Research:

Having registered with MBL to download their delayed signatures, I checked to see what the MBL_400944 signature is actually trying to match, so to save anyone doing this, it's:

MBL_400944=7777772e6e6972736f66742e6e65742f7574696c73

which decodes to:

www DOT nirsoft DOT net/utils (change the DOT to .)

Now let's take a look at the current kernel document:

https://www.kernel.org/doc/Documentation/usb/gadget_multi.txt

The document contains the following text:

"* Footnotes
[8] http://www DOT nirsoft DOT net/utils/usb_devices_view.html" (change the DOT to .)

So, if you scan gadget_multi.txt using the MBL signatures, you will *always* find it gets detected as MBL_400944.

If you:

grep "nirsoft" /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt

You'll see that the text matches the text MBL_400944 is looking for.

In short:

a) there isn't any malware in gadget_multi.txt on their website
b) there isn't any malware in the gadget_multi.txt's on your system
c) It's a false positive and should be reported to MBL as such
d) Where's my coffee ;)

Cheers,

Steve
Sanesecurity.com
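
The triage steps described in the message above, as an added example that is not part of the original post and is not ClamAV or MBL tooling: decode the quoted `name=hex` signature, check whether it is just plain text, and show the line it matches. The function names and the sample document are constructed for illustration; the sample footnote is built from the decoded signature bytes.

```python
import re

# Signature line exactly as quoted in the message above (name=hexbody).
SIG_LINE = "MBL_400944=7777772e6e6972736f66742e6e65742f7574696c73"
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


def parse_signature(line):
    """Split 'name=hexbody' and decode the body to raw bytes."""
    name, _, body = line.strip().partition("=")
    if not name or not body:
        raise ValueError("expected name=hexbody")
    if not HEX_ONLY.match(body) or len(body) % 2:
        # Bodies with wildcards ('??', '*', '{n-m}', '(aa|bb)') are out of scope here.
        raise ValueError("body is not a plain hex string")
    return name, bytes.fromhex(body)


def printable_ratio(pattern):
    """Fraction of printable ASCII bytes; 1.0 means the signature is plain text."""
    return sum(32 <= b < 127 for b in pattern) / len(pattern)


def explain_hits(data, pattern):
    """Return (line_number, byte_offset, line_text) for every match in data."""
    hits = []
    start = data.find(pattern)
    while start != -1:
        line_no = data.count(b"\n", 0, start) + 1
        bol = data.rfind(b"\n", 0, start) + 1
        eol = data.find(b"\n", start)
        eol = len(data) if eol == -1 else eol
        hits.append((line_no, start, data[bol:eol].decode("latin-1")))
        start = data.find(pattern, start + 1)
    return hits


NAME, PATTERN = parse_signature(SIG_LINE)

# Constructed stand-in for the flagged document; only the footnote shape is from the post.
SAMPLE = (b"Some constructed documentation text.\n"
          b"* Footnotes\n"
          b"[8] http://" + PATTERN + b"/usb_devices_view.html\n")

if __name__ == "__main__":
    print(f"{NAME}: {len(PATTERN)} bytes, {printable_ratio(PATTERN):.0%} printable ASCII")
    for line_no, offset, text in explain_hits(SAMPLE, PATTERN):
        print(f"  line {line_no}, offset {offset}: {text}")
```

A signature that is entirely printable ASCII and whose only hit sits inside a reference line of a text file is the pattern of a string-match false positive rather than embedded code.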