
False-positive virus detection (was Re: antivirus recomendation?)



on Fri, Nov 21, 2003 at 01:27:08PM -0500, Derrick 'dman' Hudson (dman@dman13.dyndns.org) wrote:
> On Fri, 21 Nov 2003 14:10:16 +0100, Arnt Karlsen wrote:
> > On Thu, 20 Nov 2003 17:14:41 -0700, 
> > "Monique Y. Herman" <spam@bounceswoosh.org> wrote in message 
> > <slrnbrqm7h.78v.spam@home.bounceswoosh.org>:
> > 
> >> On Thu, 20 Nov 2003 at 21:12 GMT, Arnt Karlsen penned:
> >> > 
> >> > ..other wintendo compiler and virus signatures, anyone?
> >> > 
> >> 
> >> filename\=.*\.(pif|scr|exe|bat|com|vbs)
> 
> Be aware that this is incomplete and could also yield false positives.

I've had this problem.  On Swen I'm reporting to the source domain's
abuse@ and postmaster@ addresses, including the payload up to the
executable signature.  To date I've applied the following manglements to
the quoted portion:

  - Indenting it by two spaces.
  - Mangling "Content-*" headers with a "X-<header>-X"
  - Mangling of MIME-encoded executable string with inserted '.'
    in "TV".

...up until that last, I was getting false positive virus reports from
multiple locations, including one site apparently using clamav (or was
it amvirus...I can't remember precisely).  The last change was made
within the past 24 hours and seems to have foiled more filters, though I
don't know if it's clearing them all.

The result (from a current sample Swen mail) looks like:

  --ucxblilkfbq
  X-Content-Type-X: text/html
  X-Content-Transfer-Encoding-X: quoted-printable
  
  <HTML>
  <HEAD></HEAD>
  <BODY>
  <iframe src=3D"cid:oxzrjdqkgeqxfi" height=3D0 width=3D0></iframe>
  <BR><BR><BR>Undeliverable mail to <B>raiybmeyiw@yahoo.net</B>
  </BODY></HTML>
  
  --ucxblilkfbq
  X-Content-Type-X: audio/x-wav; name="ejhmvja.scr"
  X-Content-Transfer-Encoding-X: base64
  X-Content-Id-X: <oxzrjdqkgeqxfi>
  
  T.V.qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


> Just suppose, for a dumb off-the-top-of-my-head example, I send a file
> to you named "shell.commands".  You'll reject it as being an MS
> executable.  That's the false positive portion.  You need to anchor
> the pattern, according to MIME rules, but then you need lots of
> variation due to variations allowed in the MIME rules.  Your list of
> extensions is also about 3 or 4 times as short as the more complete
> ones I've seen on the web.  To be truly accurate, you need an actual
> MIME parser, not a regex here.

Ayup to all of that.

Several of the domains messing this one up have found their way to the
RFC Ignorant list (http://www.rfc-ignorant.org/).

The irony of an email infrastructure which allows the transmission of
auto-executing attached content resulting in one in which sites
incorrectly reject inline text out of paranoia....


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
      http://sco.iwethey.org/

Attachment: pgpzhurU5Uip1.pgp
Description: PGP signature
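The three manglements listed in the mail, together with the point in dman's quoted reply that a `filename=` regex needs a real MIME parser behind it, as an added Python example (not code from the original mail or from any tool it names). It builds a constructed Swen-style message and a constructed benign one, shows the unanchored regex both missing the former (whose executable part carries only a Content-Type `name=` parameter) and rejecting the latter (`shell.commands`, dman's example), judges parts with Python's `email` parser instead, and defangs the sample the way the mail describes. The boundary, part name and Content-Id come from the sample in the mail; the DOS-header bytes, sender addresses and the second boundary are made up.

```python
import base64
import email
import email.policy
import os
import re

# Extensions the regex quoted in the thread treats as Windows executables.
EXEC_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com", ".vbs"}

# The unanchored filter quoted in the thread, run over raw message text.
NAIVE_FILTER = re.compile(r"filename\=.*\.(pif|scr|exe|bat|com|vbs)", re.I)

# Boundary, part name and Content-Id below are the ones in the mail's sample.
BOUNDARY = "ucxblilkfbq"


def fake_mz_payload() -> bytes:
    """Constructed stand-in for a PE file: 64 bytes shaped like a DOS header,
    starting with the 'MZ' magic.  base64 of b'MZ\\x90\\x00' is 'TVqQ', the
    string the mail breaks with dots.  Nothing here is executable."""
    header = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    header += b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    return header + b"\x00" * (64 - len(header))


def build_swen_sample() -> str:
    """Constructed Swen-style message: an HTML body whose iframe pulls in a part
    labelled audio/x-wav that is really an executable, named only via name=."""
    payload = base64.b64encode(fake_mz_payload()).decode("ascii")
    return "\n".join([
        "From: postmaster@example.invalid",  # made-up sender
        "Subject: Undeliverable mail",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/related; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/html",
        "Content-Transfer-Encoding: quoted-printable",
        "",
        '<HTML><BODY><iframe src=3D"cid:oxzrjdqkgeqxfi" height=3D0 width=3D0>',
        "</iframe>Undeliverable mail to <B>raiybmeyiw@yahoo.net</B></BODY></HTML>",
        "",
        f"--{BOUNDARY}",
        'Content-Type: audio/x-wav; name="ejhmvja.scr"',
        "Content-Transfer-Encoding: base64",
        "Content-Id: <oxzrjdqkgeqxfi>",
        "",
        payload,
        "",
        f"--{BOUNDARY}--",
        "",
    ])


def build_benign_sample() -> str:
    """Constructed benign message carrying a text attachment called
    shell.commands, the name dman's reply uses as a false-positive example."""
    return "\n".join([
        "From: alice@example.invalid",  # made-up sender and boundary
        "Subject: the commands I ran",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="bbb"',
        "",
        "--bbb",
        "Content-Type: text/plain",
        "",
        "Attached are the commands.",
        "",
        "--bbb",
        "Content-Type: text/plain",
        'Content-Disposition: attachment; filename="shell.commands"',
        "",
        "ls -l",
        "--bbb--",
        "",
    ])


def naive_regex_hits(raw: str) -> bool:
    """What the thread's regex does when pointed at the whole message."""
    return NAIVE_FILTER.search(raw) is not None


def mime_suspicious_parts(raw: str):
    """Judge each leaf part with a real MIME parser: anchored extension check on
    the declared file name, plus the MZ magic in the decoded bytes.
    Returns [(filename, reasons)] for parts that trip either check."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = []
        name = part.get_filename()  # Content-Disposition filename=, else Content-Type name=
        if name and os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        body = part.get_payload(decode=True) or b""
        if body.startswith(b"MZ"):
            reasons.append("MZ header in decoded payload")
        if reasons:
            hits.append((name, reasons))
    return hits


def defang(mime_text: str) -> str:
    """The mail's three manglements for quoting a payload in an abuse report:
    Content-* headers become X-Content-*-X, the base64 'TV' of the MZ magic gets
    dots inserted, every line is indented two spaces; quoting stops at that
    executable signature line, as the mail says it only includes the payload up to it."""
    out = []
    for line in mime_text.splitlines():
        line = re.sub(r"^(Content-[A-Za-z-]+):", r"X-\1-X:", line)
        broken = re.sub(r"^TV", "T.V.", line)
        out.append("  " + broken)
        if broken != line:
            break
    return "\n".join(out) + "\n"
```

Running `naive_regex_hits` on the two samples gives the inverse of the right answer in both cases, which is dman's point in one line; `mime_suspicious_parts` flags only the `.scr` part, and `defang` turns the Swen sample into text that no longer carries the `TVqQ` string or parseable `Content-*` headers.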