On Thursday 06 February 2014 06:31:40 Steve Basford did opine:

> > The daily system scan is fussing about
> > /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
> > MBL_400944.UNOFFICIAL FOUND
> 
> Hi,
> 
> Just seen your post on LKML, so before this gets any more out of hand
> than it already has, here's why you'll find MBL_400944 detected in
> gadget_multi.txt.
> 
> Background:
> 
> MBL signatures (malwarepatrol.net) are Third Party addon signatures to
> ClamAV.  While they have the ".UNOFFICIAL" at the end of the signature
> name, they aren't distributed on the Sanesecurity mirrors and are out of
> my control.
> 
> Research:
> 
> Having registered with MBL to download their delayed signatures, I
> checked to see what the MBL_400944 signature is actually trying to
> match, so to save anyone doing this, it's:
> 
> MBL_400944=7777772e6e6972736f66742e6e65742f7574696c73
> 
> which decodes to:
> 
> www DOT nirsoft DOT net/utils
> (change the DOT to .)
> 
> Now let's take a look at the current kernel document:
> https://www.kernel.org/doc/Documentation/usb/gadget_multi.txt
> 
> The document contains the following text:
> 
> "* Footnotes
> 
> [8] http://www DOT nirsoft DOT net/utils/usb_devices_view.html"
> (change the DOT to .)
> 
> 
> So, if you scan gadget_multi.txt, using the MBL signatures, you will
> *always* find it gets detected as MBL_400944.
> 
> If you:
> 
> grep "nirsoft" /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt
> 
> You'll see that the text matches the text MBL_400944 is looking for.
> 
> In short:
> 
> a) there isn't any malware in gadget_multi.txt on their website
> b) there isn't any malware in the gadget_multi.txt's on your system
> c) It's a false positive and should be reported to MBL as such

And their contact address is?

> d) Where's my coffee ;)

This last is my question too, just woke up, so it's safe to say I have one 
eye open simultaneously.  And I haven't loaded the Mr Coffee yet.  So it 
didn't do any good for me to make a test case and take about 20 spaces out 
of the top line as I'll still get the report.

I was thinking it was the md5sum on the whole file, thanks for the 
clarification.

Now, since the real thing is considered a high level threat to a win32 
system, perhaps the thing to do is edit the .'s to DOT's, make a patch and 
submit it to lkml?  I might see if it's accepted.

But after I am awake for the day, right now I am playing the good geek, who 
when he gets up to pee, checks his email before going back to bed. :) 10 
minutes to 7 is not a civilized time of the day for a type B.

> Cheers,
> 
> Steve
> Sanesecurity.com

Thanks Steve, for a cogent, step by step explanation.

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

NOTICE: Will pay 100 USD for an HP-4815A defective but
complete probe assembly.
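The triage Steve walks through above (decode the hex body of a ClamAV-style "Name=Hex" signature, then look for those bytes in the flagged file), as an added example that is not part of the thread. The footnote text is a constructed stand-in for gadget_multi.txt, and the plain-substring match is a simplification of ClamAV's matcher that is enough to reproduce this false positive.

```python
import binascii

# Signature line exactly as quoted in the thread (ClamAV .db style: Name=Hex).
MBL_SIGNATURE_LINE = "MBL_400944=7777772e6e6972736f66742e6e65742f7574696c73"

# Constructed stand-in for the kernel doc footnote (not the real file).
# Spelled with "DOT" like the thread does, so the literal URL is not stored here.
SAMPLE_FOOTNOTE = (
    "* Footnotes\n\n"
    "[8] http://www DOT nirsoft DOT net/utils/usb_devices_view.html\n"
).replace(" DOT ", ".")


def parse_hex_signature(line):
    """Split 'Name=Hex' and decode the hex body to the raw bytes it matches."""
    name, _, hexbody = line.strip().partition("=")
    if not name or not hexbody:
        raise ValueError("expected a 'Name=Hex' signature line")
    try:
        pattern = binascii.unhexlify(hexbody)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad hex body in signature {name}") from exc
    return name, pattern


def decoded_pattern(line):
    """Human-readable form of what the signature is really looking for."""
    return parse_hex_signature(line)[1].decode("ascii", "replace")


def is_plain_text_pattern(line):
    """Heuristic: a body that is entirely printable ASCII (e.g. a URL) will
    fire on any document that merely cites that string, so it is FP-prone."""
    return parse_hex_signature(line)[1].decode("ascii", "ignore").isprintable()


def scan_text(text, signature_lines):
    """Return (name, byte offset, context) for each verbatim occurrence of a
    decoded signature in text; mirrors the grep Steve suggests."""
    data = text.encode("utf-8")
    hits = []
    for line in signature_lines:
        name, pattern = parse_hex_signature(line)
        off = data.find(pattern)
        while off != -1:
            lo, hi = max(0, off - 10), off + len(pattern) + 10
            hits.append((name, off, data[lo:hi].decode("utf-8", "replace")))
            off = data.find(pattern, off + 1)
    return hits


if __name__ == "__main__":
    print("signature matches:", decoded_pattern(MBL_SIGNATURE_LINE))
    for name, off, ctx in scan_text(SAMPLE_FOOTNOTE, [MBL_SIGNATURE_LINE]):
        print(f"{name} at byte {off}: ...{ctx!r}...")
```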
