[clamav-users] Blocking malicious URLs in a local database

Dave McMurtrie dave64 at andrew.cmu.edu
Mon Mar 30 14:34:43 EDT 2015


Hi,

Hopefully someone here can steer me in the right direction.  I'm looking for a simple way to be able to create a local signature such that when we become aware of a phishing message targeting our users that contains a malicious URL, I can quickly respond by configuring ClamAV to identify them so we can block them.

After reading the phishsigs_howto, it looks like adding entries to a local.gdb file would accomplish what I want, but thus far that isn't working for me.  I'm fairly certain that I have the format correct because clamdscan is properly detecting messages with URLs that I put in my local.gdb file.  However, clamd is not detecting the URLs when our milter code connects to the clamd socket.  The difference seems to be whether it's in the context of scanning a file or a mail message, since debug output shows me that it's taking a different code path.  I posted to the list earlier with more specific questions about this, but never did track it down.

My questions:

1) Is the local.gdb file even intended for this purpose?

2) Is there a better way to accomplish this?

Thanks!

Dave
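An added example, not part of Dave's message and not ClamAV's own code: it reproduces the two scan paths the message contrasts. The same constructed phishing e-mail is written to disk and scanned as a file with clamscan loading only local.gdb, and then handed to clamd over its Unix socket with the INSTREAM command, which is how a milter normally submits mail. If the file scan fires and the stream scan does not, the difference lies in the code path, not in the signature. The .gdb line syntax in LOCAL_GDB is written from memory of phishsigs_howto and is an assumption to check against the howto shipped with your ClamAV version; the URLs, hostnames, message text and the default socket path are constructed test data.

```python
"""Compare file scan (clamscan) with socket scan (INSTREAM, the milter path)
for a local.gdb phishing signature.  Added example, not ClamAV code."""
import os
import shutil
import socket
import struct
import subprocess
import tempfile

# Constructed data: the href (real URL) differs from the text shown (displayed URL).
REAL_URL = "http://login-verify.example.net/cmu/"
SHOWN_URL = "https://webiso.example.edu/login"

# Assumed .gdb syntax (check phishsigs_howto for your version):
#   S:R:<real-url regex>:<displayed-url regex>  -- both URLs must match
#   S1:R:<real-url regex>                       -- real URL only
# Entries are regexes, so dots are escaped to match literally.
LOCAL_GDB = (
    "S1:R:http://login-verify\\.example\\.net/cmu/\n"
    "S:R:http://login-verify\\.example\\.net/.*:https://webiso\\.example\\.edu/login\n"
)


def build_message():
    """Constructed phishing e-mail: one HTML part carrying the spoofed link."""
    html = ('<html><body>Your password expires today. '
            '<a href="%s">%s</a></body></html>' % (REAL_URL, SHOWN_URL))
    return ("From: it-help@example.edu\r\nTo: user@example.edu\r\n"
            "Subject: Action required\r\nMIME-Version: 1.0\r\n"
            "Content-Type: text/html; charset=us-ascii\r\n\r\n" + html + "\r\n").encode()


def instream_request(data, chunk_size=2048):
    """Frame bytes as clamd(8) documents for INSTREAM: the command, NUL-terminated,
    then chunks prefixed by a 4-byte big-endian length, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply):
    """clamd answers 'stream: <sig> FOUND', 'stream: OK' or 'stream: <msg> ERROR'.
    Returns (verdict, signature-or-message)."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    _, _, rest = text.partition(": ")
    verdict = rest.rsplit(" ", 1)[-1]
    detail = rest[: -len(verdict)].strip() if verdict in ("FOUND", "ERROR") else ""
    return verdict, detail


def scan_via_clamd(data, sock_path="/var/run/clamav/clamd.ctl"):
    """Milter path: stream the message to clamd.  Returns None without a socket,
    so the example still runs offline."""
    if not os.path.exists(sock_path):
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def scan_via_clamscan(path, db_path):
    """File path: clamscan with -d pointing at local.gdb (or the db directory).
    Exit status 1 means something was found, 0 means clean."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "--no-summary", "-d", db_path, path],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def main():
    work = tempfile.mkdtemp(prefix="gdbtest-")
    gdb, eml = os.path.join(work, "local.gdb"), os.path.join(work, "phish.eml")
    with open(gdb, "w") as f:
        f.write(LOCAL_GDB)
    with open(eml, "wb") as f:
        f.write(build_message())
    print("file scan  :", scan_via_clamscan(eml, gdb) or "clamscan not installed, skipped")
    print("stream scan:", scan_via_clamd(build_message()) or "no clamd socket, skipped")


if __name__ == "__main__":
    main()
```

Run it on the mail host with clamd pointed at the same database directory that holds local.gdb; a FOUND on the file scan beside an OK on the stream scan narrows the problem to how clamd handles the streamed message, and the reply text names the signature when it does fire.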