On Thursday 06 February 2014 06:31:40 Steve Basford did opine:

> > The daily system scan is fussing about
> > /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
> > MBL_400944.UNOFFICIAL FOUND
>
> Hi,
>
> Just seen your post on LKML, so before this gets any more out of hand
> than it already has, here's why you'll find MBL_400944 detected in
> gadget_multi.txt.
>
> Background:
>
> MBL signatures (malwarepatrol.net) are third-party add-on signatures to
> ClamAV. While they have the ".UNOFFICIAL" at the end of the signature
> name, they aren't distributed on the Sanesecurity mirrors and are out of
> my control.
>
> Research:
>
> Having registered with MBL to download their delayed signatures, I
> checked to see what the MBL_400944 signature is actually trying to
> match, so, to save anyone doing this, it's:
>
> MBL_400944=7777772e6e6972736f66742e6e65742f7574696c73
>
> which decodes to:
>
> www DOT nirsoft DOT net/utils
> (change the DOT to .)
>
> Now let's take a look at the current kernel document:
> https://www.kernel.org/doc/Documentation/usb/gadget_multi.txt
>
> The document contains the following text:
>
> "* Footnotes
>
> [8] http://www DOT nirsoft DOT net/utils/usb_devices_view.html"
> (change the DOT to .)
>
> So, if you scan gadget_multi.txt using the MBL signatures, you will
> *always* find it gets detected as MBL_400944.
>
> If you:
>
> grep "nirsoft" /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt
>
> you'll see that the text matches the text MBL_400944 is looking for.
>
> In short:
>
> a) there isn't any malware in gadget_multi.txt on their website
> b) there isn't any malware in the gadget_multi.txt's on your system
> c) it's a false positive and should be reported to MBL as such

And their contact address is?

> d) Where's my coffee ;)

This last is my question too; just woke up, so it's safe to say I have one
eye open simultaneously. And I haven't loaded the Mr Coffee yet.

So it didn't do any good for me to make a test case and take about 20
spaces out of the top line, as I'll still get the report. I was thinking
it was the md5sum on the whole file, thanks for the clarification.

Now, since the real thing is considered a high-level threat to a win32
system, perhaps the thing to do is edit the .'s to DOT's, make a patch and
submit it to lkml? I might see if it's accepted. But after I am awake for
the day; right now I am playing the good geek, who when he gets up to pee,
checks his email before going back to bed. :)

10 minutes to 7 is not a civilized time of the day for a type B.

> Cheers,
>
> Steve
> Sanesecurity.com

Thanks Steve, for a cogent, step by step explanation.

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
NOTICE: Will pay 100 USD for an HP-4815A defective but complete probe assembly.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
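The decoding and substring check Steve walks through above, as an added worked example in Python (not ClamAV, Sanesecurity or MBL code, and not part of the thread). It parses the legacy ClamAV "Name=HexString" signature form, decodes the hex body to the bytes it matches, scans a constructed stand-in for the footnote section of gadget_multi.txt, and then applies the "." to "DOT" rewrite Gene proposes to show the hit disappears. The "??" and "*" wildcard handling and the defang_urls helper are assumptions for illustration; real ClamAV hex signatures support more syntax than this, and a hash-based (.hdb) signature, which is what Gene first suspected, would behave differently from a substring one.

```python
"""Minimal ClamAV-style hex signature matcher (added example, not ClamAV,
Sanesecurity or MBL code) reproducing the MBL_400944 false positive."""
import re

# The signature line from the post, in ClamAV's legacy "Name=HexString"
# (.db) format: a plain hex body is a literal byte substring.
MBL_SIGNATURE_LINE = "MBL_400944=7777772e6e6972736f66742e6e65742f7574696c73"

# Constructed stand-in for the footnote section of gadget_multi.txt; the real
# file is longer but carries this same footnote URL.
GADGET_MULTI_FOOTNOTE = b"""* Footnotes

[8] http://www.nirsoft.net/utils/usb_devices_view.html
"""


def parse_db_signature(line):
    """Split 'NAME=HEXBODY' into (name, hexbody)."""
    name, hexbody = line.strip().split("=", 1)
    return name, hexbody


def decode_literal(hexbody):
    """Decode a wildcard-free hex body to the bytes it matches; this is the
    check Steve describes (7777772e... -> b'www.nirsoft.net/utils')."""
    return bytes.fromhex(hexbody)


def hex_signature_to_regex(hexbody):
    """Compile a hex body to a bytes regex. Handles literal bytes plus the
    '??' (any one byte) and '*' (any run of bytes) wildcards; ClamAV's other
    wildcard forms are out of scope for this example (assumption)."""
    tokens = re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexbody)
    if "".join(tokens) != hexbody:
        raise ValueError("unsupported or malformed hex body: %r" % hexbody)
    pattern = b""
    for tok in tokens:
        if tok == "??":
            pattern += b"."
        elif tok == "*":
            pattern += b".*?"
        else:
            pattern += re.escape(bytes.fromhex(tok))
    return re.compile(pattern, re.DOTALL)


def scan(data, signature_lines):
    """Return the names of all signatures that match data, in file order
    (clamscan would print each as 'NAME FOUND')."""
    hits = []
    for line in signature_lines:
        name, hexbody = parse_db_signature(line)
        if hex_signature_to_regex(hexbody).search(data):
            hits.append(name)
    return hits


def defang_urls(data):
    """Rewrite every '.' inside an http(s) URL as ' DOT ', the edit Gene
    proposes for the kernel doc (hypothetical helper, not a kernel patch)."""
    return re.sub(rb"https?://\S+",
                  lambda m: m.group(0).replace(b".", b" DOT "), data)


if __name__ == "__main__":
    name, body = parse_db_signature(MBL_SIGNATURE_LINE)
    print(name, "matches literal", decode_literal(body))
    print("original footnote:", scan(GADGET_MULTI_FOOTNOTE, [MBL_SIGNATURE_LINE]))
    print("defanged footnote:",
          scan(defang_urls(GADGET_MULTI_FOOTNOTE), [MBL_SIGNATURE_LINE]))
```

Running it prints the decoded literal, a hit on the original footnote and no hit on the defanged copy; removing spaces elsewhere in the file, as Gene tried, changes nothing because the signature only cares about those 21 bytes appearing anywhere in the input.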