[sanesecurity] MBL_144360 update

  • From: Steve Basford <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx, sanesecurity_announce@xxxxxxxxxxxxx
  • Date: Fri, 04 Mar 2011 20:08:24 +0000

Hi All,

Just to provide a quick explanation of what happened to those who were/are
using the MBL signatures and the MBL_144360 signature.

Firstly, MBL_144360 signature(s) are produced and distributed by Malware Patrol 
(http://www.malware.com.br/index.shtml)
and aren't distributed by the Sanesecurity mirrors and therefore can't be 
checked for any BIG False Positive problems by me.

As soon as I began to see False Positive reports early this morning (UK time) 
two things happened:

1) MBL_144360 was added to sigwhitelist.ign2

This file is distributed on the Sanesecurity mirrors and is used to quickly 
disable ANY signatures which are causing a problem.
The good thing is that this change would also have disabled the faulty 
signature produced by Malware Patrol, however, the downside
is that until the end-user checks the mirror for an update, they wouldn't have
received this update. If you only check the mirrors ONCE a day, it'll be 24
hours before you'd have received a fix... people checking hourly would
obviously have received the fix in an hour.

2) An announcement was then made to the Sanesecurity and Sanesecurity announce 
mailing list(s) to alert people what had happened and
then I proceeded to check what might have happened to their signature.

What went wrong, well... I think they put out an update which had a problem... 
this is the signature concerned:

MBL_144360:0:*:7570646174

Which decodes to "updat".
In a nutshell... any email containing the word "updat" would be flagged as a
virus (i.e. updated, updates), that's why there were sooo many false positives.

Some point later, Malware Patrol did another update, this time the signature 
(using the same signature name) changed to:

MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061

Which decodes to "update DOT multivaccine DOT co DOT kr/setupa"
(remove the DOTs)

So, again.. how often your script updated from them determined how long you
were exposed to the problem.
I think that about covers what actually happened... and I apologise for 
everyone that got hit with this one, even though this was
out of my control.

What is in my control are the ham checks done, using signatures
produced/distributed by the Sanesecurity mirrors, before the signatures are
pushed out to the mirrors, which is designed to try and avoid situations like
this.

Out of interest, I scanned my ham data with the faulty Malware Patrol
database, this is what happened:

Scanned files: 496
Infected files: 123

So, that sig would have been rejected before getting out.. so, if there is a 
positive in this, it's that my ham data check would have worked as designed.

Thanks for listening and hope this comes some way to explain what happened.

Cheers,

Steve
Sanesecurity
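The two MBL_144360 lines above are ClamAV .ndb body signatures (MalwareName:TargetType:Offset:HexSignature; target type 0 and offset * mean "any file, anywhere"). The following is an added example, not code from the post, from Sanesecurity or from Malware Patrol: it parses .ndb lines of that shape, decodes the hex to show what the signature actually matches, and runs the kind of ham check Steve describes, counting how many clean messages a signature would hit and rejecting it above a false-positive threshold. The ham messages, the 1% threshold and the function names are constructed for the example; real ClamAV hex signatures may also contain wildcards, which this checker deliberately refuses rather than mis-handles.

```python
"""Parse plain-hex ClamAV .ndb signatures and run a ham (false-positive) check.

Added example; not ClamAV, Sanesecurity or Malware Patrol code. The corpus,
threshold and helper names below are constructed for illustration.
"""
import binascii
from dataclasses import dataclass

# The two signature lines quoted in the post (faulty first, then the corrected one).
FAULTY_LINE = "MBL_144360:0:*:7570646174"
FIXED_LINE = (
    "MBL_144360:0:*:"
    "7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061"
)

# Constructed ham corpus: clean, legitimate emails a mail gateway would see.
HAM_CORPUS = [
    b"Subject: Weekly newsletter\n\nWe updated the pricing page this week.",
    b"Subject: Invoice 42\n\nPlease find the invoice attached.",
    b"Subject: Meeting\n\nAgenda updates below.",
    b"Subject: Re: lunch\n\nSounds good, see you at noon.",
    b"Subject: Software\n\nDownload the update from the vendor portal.",
    b"Subject: Holiday\n\nOut of office until Monday.",
]


@dataclass
class NdbSignature:
    name: str
    target_type: int   # 0 = any file type
    offset: str        # "*" = match anywhere in the file
    pattern: bytes     # raw bytes the scanner searches for


def parse_ndb_line(line: str) -> NdbSignature:
    """Parse one .ndb line; only plain hex bodies (no wildcards) are supported."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed .ndb line: {line!r}")
    name, target_type, offset, hexsig = parts[0], parts[1], parts[2], parts[3]
    # ClamAV wildcard/alternation syntax needs a real matcher; refuse it explicitly.
    if any(ch in hexsig for ch in "?*{}()[]|"):
        raise ValueError(f"{name}: wildcard syntax not supported by this checker")
    if len(hexsig) % 2 or not all(c in "0123456789abcdefABCDEF" for c in hexsig):
        raise ValueError(f"{name}: hex body must be an even number of hex digits")
    return NdbSignature(name, int(target_type), offset, binascii.unhexlify(hexsig))


def decode_pattern(sig: NdbSignature) -> str:
    """Show the bytes as text so a reviewer can see how generic the pattern is."""
    return sig.pattern.decode("ascii", errors="replace")


def ham_check(sigs, ham_corpus, max_fp_rate=0.01):
    """Count clean messages each signature hits; reject above max_fp_rate.

    Matching is a case-sensitive byte search, as for a plain ClamAV hex body.
    Returns one result dict per signature, in input order (names may repeat).
    """
    results = []
    for sig in sigs:
        hits = sum(1 for msg in ham_corpus if sig.pattern in msg)
        rate = hits / len(ham_corpus)
        results.append({
            "name": sig.name,
            "decoded": decode_pattern(sig),
            "hits": hits,
            "total": len(ham_corpus),
            "rejected": rate > max_fp_rate,
        })
    return results


def run_check():
    """Run both quoted signatures against the constructed ham corpus."""
    sigs = [parse_ndb_line(FAULTY_LINE), parse_ndb_line(FIXED_LINE)]
    return ham_check(sigs, HAM_CORPUS)


if __name__ == "__main__":
    for r in run_check():
        verdict = "REJECT" if r["rejected"] else "ok"
        print(f'{r["name"]} {r["decoded"]!r}: {r["hits"]}/{r["total"]} ham hits -> {verdict}')
```

Against this corpus the faulty "updat" body hits half the clean mail and is rejected, while the corrected body hits nothing and passes, which is the same outcome Steve's 123-of-496 figure shows for the real database. In production the scan itself would be done with clamscan against the candidate database and a ham corpus; the point of the example is the gate: a signature is only published once its hit rate on known-clean mail is below the threshold.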
