[clamav-users] Blocking malicious URLs in a local database

TR Shaw tshaw at oitc.com
Mon Mar 30 15:42:46 EDT 2015


your.local.ndb file:
	<?php
	// Each .ndb line is SigName:TargetType:Offset:HexSignature.
	// Target 4 = mail file; offset * = match anywhere in the scanned body.
	echo "signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
	echo "signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";

On Mar 30, 2015, at 2:34 PM, Dave McMurtrie <dave64 at andrew.cmu.edu> wrote:

> Hi,
> 
> Hopefully someone here can steer me in the right direction.  I'm looking for a simple way to be able to create a local signature such that when we become aware of a phishing message targeting our users that contains a malicious URL, I can quickly respond by configuring ClamAV to identify them so we can block them.
> 
> After reading the phishsigs_howto, it looks like adding entries to a local.gdb file would accomplish what I want, but thus far that isn't working for me.  I'm fairly certain that I have the format correct because clamdscan is properly detecting messages with URLs that I put in my local.gdb file.  However, clamd is not detecting the URLs when our milter code connects to the clamd socket.  The difference seems to be whether it's in the context of scanning a file or a mail message, since debug output shows me that it's taking a different code path.  I posted to the list earlier with more specific questions about this, but never did track it down.
> 
> My questions:
> 
> 1) Is the local.gdb file even intended for this purpose?
> 
> 2) Is there a better way to accomplish this?
> 
> Thanks!
> 
> Dave
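The .ndb approach in the reply above, worked through as an added example (not code from the post or from the ClamAV project): it builds a signature line for a known-bad URL, parses it back, and runs a simplified local check that a plain-hex body signature would match a given message body. Function names (`ndb_signature`, `parse_ndb`, `body_matches`, `write_local_ndb`) and the sample mail body are constructed here; the target-type numbers follow the ClamAV signature documentation.

```python
"""
Build and sanity-check ClamAV .ndb body signatures for a known-bad URL.
Added example, not from the mailing-list post or from ClamAV itself.
"""
import binascii
import re
from typing import Dict, Iterable, List

# Target types from the ClamAV signature documentation (only the two used here).
TARGET_ANY = 0   # any file type
TARGET_MAIL = 4  # mail file: the body seen after clamd's MIME parsing


def ndb_signature(name: str, url: str, target: int = TARGET_MAIL, offset: str = "*") -> str:
    """Return one .ndb line in the form Name:Target:Offset:HexSignature.

    The hex body is the same thing `printf '%s' "$url" | sigtool --hex-dump` prints.
    """
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    hexsig = binascii.hexlify(url.encode("utf-8")).decode("ascii")
    return f"{name}:{target}:{offset}:{hexsig}"


def parse_ndb(line: str) -> Dict[str, object]:
    """Split an .ndb line into its fields; the optional MinFL/MaxFL fields are kept if present."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed .ndb line: {line!r}")
    name, target, offset, hexsig = parts[:4]
    extra = parts[4:]
    return {
        "name": name,
        "target": int(target),
        "offset": offset,
        "hexsig": hexsig.lower(),
        "min_flevel": int(extra[0]) if len(extra) > 0 else None,
        "max_flevel": int(extra[1]) if len(extra) > 1 else None,
    }


def body_matches(line: str, data: bytes) -> bool:
    """Simplified local check for plain-hex signatures (no ?? or * wildcards).

    Decodes the hex body and searches the raw bytes. Real clamd scanning of a
    mail target first decodes MIME parts, so a quoted-printable or base64 body
    is matched on its decoded form there; this checker only sees what you pass it.
    """
    sig = parse_ndb(line)
    if sig["offset"] != "*":
        raise ValueError("only offset '*' (anywhere) is handled by this checker")
    if not re.fullmatch(r"[0-9a-f]+", str(sig["hexsig"])) or len(str(sig["hexsig"])) % 2:
        raise ValueError("wildcard or odd-length hex signatures are not handled by this checker")
    pattern = binascii.unhexlify(str(sig["hexsig"]))
    return pattern in data  # byte-exact: case and punctuation must match


def write_local_ndb(path: str, lines: Iterable[str]) -> int:
    """Write signature lines to a local .ndb file and return how many were written."""
    written: List[str] = [ln.rstrip("\n") for ln in lines]
    with open(path, "w", encoding="ascii") as fh:
        for ln in written:
            parse_ndb(ln)  # refuse to write a malformed line
            fh.write(ln + "\n")
    return len(written)


# Constructed sample: a phishing-style body that embeds the URL from the post.
SAMPLE_MAIL = (
    b"From: helpdesk@example.invalid\r\n"
    b"Subject: Password expiry notice\r\n"
    b"\r\n"
    b"Your mailbox will be locked. Confirm at http://bad.domain.com/path today.\r\n"
)

PHISH_SIG = ndb_signature("Local.Phish.BadDomain.1", "http://bad.domain.com/path")

if __name__ == "__main__":
    print(PHISH_SIG)
    print("sample matches:", body_matches(PHISH_SIG, SAMPLE_MAIL))
    print("upper-case URL matches:", body_matches(PHISH_SIG, SAMPLE_MAIL.upper()))
```

The last line of the demo shows the limitation a practitioner runs into with a raw hex signature: the match is byte-exact, so an upper-cased or otherwise obfuscated copy of the URL is not caught. Keep the pattern as short and stable as the domain allows, and watch for false positives when the string is short.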




More information about the clamav-users mailing list