[clamav-users] Blocking malicious URLs in a local database
dave64 at andrew.cmu.edu
Tue Mar 31 10:19:18 EDT 2015
Well that is certainly simple, and seems to just work. Thanks for the info!
From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of TR Shaw [tshaw at oitc.com]
Sent: Monday, March 30, 2015 3:42 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Blocking malicious URLs in a local database
<?php
// Emit one .ndb line per target type: SigName:TargetType:Offset:HexSignature
echo "signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
echo "signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";
On Mar 30, 2015, at 2:34 PM, Dave McMurtrie <dave64 at andrew.cmu.edu> wrote:
> Hopefully someone here can steer me in the right direction. I'm looking for a simple way to be able to create a local signature such that when we become aware of a phishing message targeting our users that contains a malicious URL, I can quickly respond by configuring ClamAV to identify them so we can block them.
> After reading the phishsigs_howto, it looks like adding entries to a local.gdb file would accomplish what I want, but thus far that isn't working for me. I'm fairly certain that I have the format correct because clamdscan is properly detecting messages with URLs that I put in my local.gdb file. However, clamd is not detecting the URLs when our milter code connects to the clamd socket. The difference seems to be whether it's in the context of scanning a file or a mail message, since debug output shows me that it's taking a different code path. I posted to the list earlier with more specific questions about this, but never did track it down.
> My questions:
> 1) Is the local.gdb file even intended for this purpose?
> 2) Is there a better way to accomplish this?
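The following is an added, stand-alone example (not code from the thread, the poster, or the ClamAV project) that carries the bin2hex() idea above through to a whole .ndb file in Python, and then runs a crude raw-byte match over two constructed messages to show the limitation a body-based hex signature has on its own. The signature-name prefix Local.Phish.URL, the choice of target types 0 (any file) and 4 (mail file), the helper names, and both sample messages are assumptions of this example; the line format SigName:TargetType:Offset:HexSignature is the documented .ndb format.

```python
"""Build ClamAV .ndb body signatures for a list of malicious URLs.

Added example, not the list poster's code. The .ndb line format is
    SigName:TargetType:Offset:HexSignature
and the hex string is the exact bytes of the URL, as bin2hex() produces.
"""
import base64
import binascii

# Target types from the ClamAV signature documentation.
TARGET_ANY = 0   # any file
TARGET_MAIL = 4  # mail file


def url_to_ndb(name: str, url: str, target: int = TARGET_ANY, offset: str = "*") -> str:
    """Return one .ndb line that matches the exact bytes of `url` at any offset."""
    if ":" in name or any(ch.isspace() for ch in name):
        raise ValueError("signature name must not contain ':' or whitespace")
    hexsig = binascii.hexlify(url.encode("utf-8")).decode("ascii")
    return f"{name}:{target}:{offset}:{hexsig}"


def build_ndb(urls, prefix: str = "Local.Phish.URL", targets=(TARGET_ANY, TARGET_MAIL)) -> str:
    """One signature per (url, target); names are numbered like the thread's signame.N."""
    lines = []
    n = 1
    for url in urls:
        for target in targets:
            lines.append(url_to_ndb(f"{prefix}-{n}", url, target))
            n += 1
    return "\n".join(lines) + "\n"


def parse_ndb_line(line: str):
    """Split an .ndb line back into (name, target, offset, pattern_bytes)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, binascii.unhexlify(hexsig)


def raw_matches(raw: bytes, ndb_text: str):
    """Crude stand-in for a scan: names of signatures whose bytes occur verbatim in `raw`.

    This only models the offset '*' (anywhere) case on the raw bytes.  A URL that is
    base64- or quoted-printable-encoded in a MIME part is not present verbatim, so a
    raw-byte check like this misses it; the engine's own MIME decoding is what closes
    that gap, and whether it applies depends on the code path the scan takes.
    """
    hits = []
    for line in ndb_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _target, _offset, pattern = parse_ndb_line(line)
        if pattern in raw:
            hits.append(name)
    return hits


# Constructed sample messages (not real mail): one carries the URL in clear text,
# the other carries the same body base64-encoded, as a mail client often does.
BAD_URL = "http://bad.domain.com/path"
_BODY = f"Please verify your account at {BAD_URL} now".encode("ascii")
PLAIN_MAIL = (b"From: it-helpdesk@example.invalid\r\nContent-Type: text/plain\r\n\r\n"
              + _BODY + b"\r\n")
B64_MAIL = (b"From: it-helpdesk@example.invalid\r\nContent-Type: text/plain\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(_BODY) + b"\r\n")


def write_local_ndb(path: str, urls) -> str:
    """Write the signatures to `path` (e.g. local.ndb in the database directory) and return them."""
    text = build_ndb(urls)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    sigs = build_ndb([BAD_URL])
    print(sigs, end="")
    print("plain mail hits:", raw_matches(PLAIN_MAIL, sigs))
    print("base64 mail hits:", raw_matches(B64_MAIL, sigs))
```

Drop the generated file as local.ndb into clamd's DatabaseDirectory and reload (clamdscan --reload) to load it. The base64 case is the point of the second sample: the same URL bytes are not present in the encoded body, so detection there relies on the engine decoding the MIME part before matching, which is the difference in code path the original question describes.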