[clamav-users] Can't detect deceptive URL's as infected !!

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Dec 7 18:22:37 EST 2018


In my own testing, it detected this link just fine.

Steps to reproduce:
View the raw source of this email and save it to a file.
Scan the file.

I will note that I did some additional testing. When placing the URL (no link, just raw text URL) in an email, ClamAV did not detect it.

Truthfully I don't have as much experience with ClamAV's phishing and safebrowsing features as I'd like. I'm not aware if our HTML scanner will do the same phish-checks as the Mail parser does. That will take a little more investigation and a little more time that I don't have at the moment.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 7, 2018, at 7:47 AM, Sunny Marwah <sunnymarwah at trepup.com<mailto:sunnymarwah at trepup.com>> wrote:

Hi Al Varnell,

Below is the URL which was mentioned in HTML template :

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome don't open it due to labeling it dangerous in as per "Safebrowsing". Then why ClamAV is not able to identify when "Safebrowsing" option is already enabled ??

Looking to hear from you on this.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:50 PM Al Varnell <alvarnell at mac.com<mailto:alvarnell at mac.com>> wrote:
If you won't provide the URL to the rest of us users, then we can't help you. You'll have to wait to see if the development team gets back to you.

-Al-

On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL i have already shared with one of ClamAV development team members

I did not understand your point what you said --- "You will probably need to obfuscate it in order to get it through the mail system, something like httx://....".

My purpose behind using ClamAV is to scan Linux server and plus HTML templates which we regularly receive on server.

And the reason behind using "Safebrowing" option is to detect deceptive, Phishing URL's in HTML templates in the same way as Chrome warns us before opening such URL's. I want ClamAV to detect such files as "Infected" which contain deceptive, Phishing URL's.

Waiting for your quick and needful response.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:22 PM Al Varnell <alvarnell at mac.com<mailto:alvarnell at mac.com>> wrote:
Have your read the explanation at <https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to obfuscate it in order to get it through the mail system, something like httx://....

-Al-

On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
Hello Micah & Team,

Have not received any response on my last email.

Also, i have enabled Safebrowsing option in freshclam.conf as suggested by you.

Still i can see that ClamAV is not working properly. There is one file placed on server and there is one phishing URL available in that file. That URL is so deceptive that Chrome is not letting us open that URL due to labeling it as "Deceptive" URL.

Why ClamAV is still not able to find that file as "Infected" in scanning even after enabling "Safebrowsing" option ??

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah <sunnymarwah at trepup.com<mailto:sunnymarwah at trepup.com>> wrote:
Hi Micah,

Thanks for letting me know about enabling SafeBrowsing CVD option in ClamAV.

Google safe browsing put a website in 3 categories mentioned below :
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any "Note secure or Dangerous" URL is found, will ClamAV will show it as infected file in scanning summary ? If this is the case, i guess in case "Secure" URL is found, it will show as OK. And what if URL is found as "Info or Not secure" ?

Regards
Sunny


On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <micasnyd at cisco.com<mailto:micasnyd at cisco.com>> wrote:
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD that you can choose to include, ClamAV has just started including PhishTank signatures late last month.

For those who curious, see https://lists.gt.net/clamav/virusdb/.   PhishTank signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 6, 2018, at 3:27 AM, Al Varnell <alvarnell at mac.com<mailto:alvarnell at mac.com>> wrote:

Frankly, I'm surprised that ClamAV finds any such URL's. They are way to dynamic (blacklisted one day and removed the next). ClamAV does malware detection over the long haul and trying to keep up with fraudulent web sites would be a full time job and better done by other means (e.g. Google Safe Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
Hello Team,

We are using clamav-0.100.2 to scan few HTML email templates.

Sometimes, there are deceptive URL's mentioned in those templates and that template should be detected as infected via ClamAV scan process.

I can see weird output of ClamAV scan process. Sometimes it detect such templates as infected and sometimes, it does not detect them as infected. And the URL's i am talking about, are so deceptive that even Google chrome browser don't let us open these URL's and show us clear warning as "Dangerous" about deceptive website.

Can you put your views behind such unpredictable behavior ?

If you want then i can report such URL's on your malware link for reporting.

Regards
Sunny
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


--
Regards
Sunny
System Engineer
Mob : +91 9711155549

-Al-
--
Al Varnell
Mountain View, CA





_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA





_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


--
Regards
Sunny
System Engineer
Mob : +91 9711155549

_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20181207/89a712c2/attachment.html>


More information about the clamav-users mailing list