Many false positives: MBL_312128 / MBL_303159
Hi,

I'm currently experiencing lots of FP.

Those FP range from automatic apticron debian mails, mails with simple
clean PDF files, CSV files, ...

Do any of you experience the same ?

Thanks

Laurent
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: Many false positives: MBL_312128 / MBL_303159
We've heard similar complaints on IRC. It looks like downloads may be
broken from MBL. You'll have to work with them to address the issue.

Matt

On Tue, Aug 7, 2012 at 2:38 PM, Laurent CARON <lcaron@unix-scripts.info> wrote:

> Hi,
>
> I'm currently experiencing lots of FP.
>
> Those FP range from automatic apticron debian mails, mails with simple
> clean PDF files, CSV files, ...
>
> Do any of you experience the same ?
>
> Thanks
>
> Laurent
Re: Many false positives: MBL_312128 / MBL_303159
On 8/7/2012 2:46 PM, Matt Olney wrote:
> We've heard similar complaints on IRC. It looks like downloads may be
> broken from MBL. You'll have to work with them to address the issue.

My last download was 3 hours ago. I don't see a problem from here.

Also, I do not see the problematic rules in the current MBL database.

--
Bowie
Re: Many false positives: MBL_312128 / MBL_303159
---------- Original Message ----------------------------------
From: Laurent CARON <lcaron@unix-scripts.info>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Tue, 07 Aug 2012 20:38:40 +0200

>Hi,
>
>I'm currently experiencing lots of FP.
>
>Those FP range from automatic apticron debian mails, mails with simple
>clean PDF files, CSV files, ...
>
>Do any of you experience the same ?
>
>Thanks
>
>Laurent

Running clam here with postfix and clamsmtpd on a relay-only MX gateway.

Starting with our 8AM signature update, we accumulated 16K msgs in /var/virus quarantine in 4 hours (vs an avg of 1000/day).

16354 status=VIRUS:MBL_303159.UNOFFICIAL

MBL = signature from Malware Block List; see: http://www.malware.com.br/cgi/search.pl for "303159"

I cannot find how to release these msgs from quarantine.

urgent replies welcome! :)

Len
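
Added example, not part of the original thread or of any poster's message: a sketch of the tally shown above, counting `status=VIRUS:` hits per signature in clamsmtpd-style log lines and flagging any `.UNOFFICIAL` signature whose volume alone far exceeds the normal quarantine rate. The sample log lines, the function names and the `factor` threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in clamsmtpd's "from=..., to=..., status=..." log style.
SAMPLE_LOG = """\
Aug  7 08:05:11 mx1 clamsmtpd: 100231: from=root@host1.example.org, to=admin@example.org, status=VIRUS:MBL_303159.UNOFFICIAL
Aug  7 08:05:14 mx1 clamsmtpd: 100232: from=billing@example.net, to=bob@example.org, status=VIRUS:MBL_303159.UNOFFICIAL
Aug  7 08:06:02 mx1 clamsmtpd: 100233: from=alice@example.com, to=bob@example.org, status=CLEAN
Aug  7 08:06:40 mx1 clamsmtpd: 100234: from=reports@example.net, to=carol@example.org, status=VIRUS:MBL_312128.UNOFFICIAL
Aug  7 08:07:19 mx1 clamsmtpd: 100235: from=x@example.invalid, to=bob@example.org, status=VIRUS:Eicar-Test-Signature
Aug  7 08:07:55 mx1 clamsmtpd: 100236: from=root@host2.example.org, to=admin@example.org, status=VIRUS:MBL_303159.UNOFFICIAL
"""

STATUS_RE = re.compile(r"status=VIRUS:(\S+)")


def tally_signatures(log_text):
    """Count quarantine hits per signature name; non-VIRUS lines are skipped."""
    matches = map(STATUS_RE.search, log_text.splitlines())
    return Counter(m.group(1) for m in matches if m)


def suspect_signatures(counts, window_hours, baseline_per_day, factor=5.0):
    """Return third-party (.UNOFFICIAL) signatures that alone exceed `factor`
    times the quarantine volume normally expected for the whole window,
    busiest first."""
    expected = baseline_per_day * window_hours / 24.0
    hits = [(n, sig) for sig, n in counts.items()
            if sig.endswith(".UNOFFICIAL") and n > factor * expected]
    return [sig for n, sig in sorted(hits, reverse=True)]


if __name__ == "__main__":
    for sig, n in tally_signatures(SAMPLE_LOG).most_common():
        print(f"{n:6d} status=VIRUS:{sig}")
    # Figures from the post: 16354 hits in 4 hours against about 1000/day.
    print(suspect_signatures({"MBL_303159.UNOFFICIAL": 16354}, 4, 1000))
```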

Re: Many false positives: MBL_312128 / MBL_303159
On Tue, Aug 07, 2012 at 03:00:15PM -0400, Bowie Bailey wrote:
> On 8/7/2012 2:46 PM, Matt Olney wrote:
> >We've heard similar complaints on IRC. It looks like downloads may be
> >broken from MBL. You'll have to work with them to address the issue.
>
> My last download was 3 hours ago. I don't see a problem from here.
>
> Also, I do not see the problematic rules in the current MBL database.

After last update of this morning the problem is solved.