[clamav-users] Can't detect deceptive URL's as infected !!

Sunny Marwah sunnymarwah at trepup.com
Sat Dec 8 09:17:28 EST 2018


Still no reply on this matter.

On Fri, Dec 7, 2018 at 6:17 PM Sunny Marwah <sunnymarwah at trepup.com> wrote:

> Hi Al Varnell,
>
> Below is the URL which was mentioned in the HTML template:
>
> https://gokdenizhealthtourism.com/js/logo2.gif
>
> Chrome doesn't open it because it is labeled dangerous as per
> "Safebrowsing". Then why is ClamAV not able to identify it when the
> "Safebrowsing" option is already enabled?
>
> Looking to hear from you on this.
>
> Regards
> Sunny
>
> On Fri, Dec 7, 2018 at 5:50 PM Al Varnell <alvarnell at mac.com> wrote:
>
>> If you won't provide the URL to the rest of us users, then we can't help
>> you. You'll have to wait to see if the development team gets back to you.
>>
>> -Al-
>>
>> On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
>>
>> Hi Al Varnell,
>>
>> I have already gone through https://www.clamav.net/documents/safebrowsing.
>>
>> I have already shared that URL with one of the ClamAV development team
>> members.
>>
>> I did not understand what you meant by "You will probably need
>> to obfuscate it in order to get it through the mail system, something like
>> httx://....".
>>
>> My purpose in using ClamAV is to scan a Linux server plus the HTML
>> templates which we regularly receive on the server.
>>
>> And the reason for using the "Safebrowsing" option is to detect deceptive,
>> phishing URLs in HTML templates in the same way as Chrome warns us before
>> opening such URLs. I want ClamAV to detect files which contain deceptive,
>> phishing URLs as "Infected".
>>
>> Waiting for your quick and needful response.
>>
>> Regards
>> Sunny
>>
>> On Fri, Dec 7, 2018 at 5:22 PM Al Varnell <alvarnell at mac.com> wrote:
>>
>>> Have you read the explanation at
>>> <https://www.clamav.net/documents/safebrowsing>?
>>>
>>> Please provide the phishing URL that is failing. You will probably need
>>> to obfuscate it in order to get it through the mail system, something like
>>> httx://....
>>>
>>> -Al-
>>>
>>> On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
>>>
>>> Hello Micah & Team,
>>>
>>> Have not received any response on my last email.
>>>
>>> Also, I have enabled the Safebrowsing option in freshclam.conf as suggested
>>> by you.
>>>
>>> Still, I can see that ClamAV is not working properly. There is one file
>>> placed on the server and there is one phishing URL in that file. That
>>> URL is so deceptive that Chrome is not letting us open it, because it is
>>> labeled as a "Deceptive" URL.
>>>
>>> Why is ClamAV still not able to find that file as "Infected" in scanning
>>> even after enabling the "Safebrowsing" option?
>>>
>>> Waiting for your quick and needful response.
>>>
>>> Regards
>>> Sunny
>>>
>>> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah <sunnymarwah at trepup.com>
>>> wrote:
>>>
>>>> Hi Micah,
>>>>
>>>> Thanks for letting me know about enabling SafeBrowsing CVD option in
>>>> ClamAV.
>>>>
>>>> Google Safe Browsing puts a website in one of the 3 categories mentioned below:
>>>> 1 Secure
>>>> 2 Info or Not secure
>>>> 3 Not secure or Dangerous
>>>>
>>>> Curious to know how ClamAV will categorize the HTML file. Let's say, if
>>>> any "Not secure or Dangerous" URL is found, will ClamAV show it as an
>>>> infected file in the scanning summary? If this is the case, I guess in case a
>>>> "Secure" URL is found, it will show as OK. And what if the URL is found as
>>>> "Info or Not secure"?
>>>>
>>>> Regards
>>>> Sunny
>>>>
>>>>
>>>> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <
>>>> micasnyd at cisco.com> wrote:
>>>>
>>>>> It may be worth mentioning that in addition to the [optional]
>>>>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>>>>> including PhishTank signatures late last month.
>>>>>
>>>>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>>>>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>>>>
>>>>>
>>>>> Micah Snyder
>>>>> ClamAV Development
>>>>> Talos
>>>>> Cisco Systems, Inc.
>>>>>
>>>>>
>>>>> On Dec 6, 2018, at 3:27 AM, Al Varnell <alvarnell at mac.com> wrote:
>>>>>
>>>>> Frankly, I'm surprised that ClamAV finds any such URLs. They are way
>>>>> too dynamic (blacklisted one day and removed the next). ClamAV does malware
>>>>> detection over the long haul and trying to keep up with fraudulent web
>>>>> sites would be a full time job and better done by other means (e.g. Google
>>>>> Safe Browsing).
>>>>>
>>>>> -Al-
>>>>>
>>>>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>>>>
>>>>> Hello Team,
>>>>>
>>>>> We are using clamav-0.100.2 to scan a few HTML email templates.
>>>>>
>>>>> Sometimes, there are deceptive URLs mentioned in those templates and
>>>>> such a template should be detected as infected by the ClamAV scan process.
>>>>>
>>>>> I can see weird output from the ClamAV scan process. Sometimes it detects
>>>>> such templates as infected and sometimes it does not detect them as
>>>>> infected. And the URLs I am talking about are so deceptive that even
>>>>> the Google Chrome browser doesn't let us open these URLs and shows us a clear
>>>>> "Dangerous" warning about a deceptive website.
>>>>>
>>>>> Can you share your views on such unpredictable behavior?
>>>>>
>>>>> If you want, I can report such URLs on your malware link for
>>>>> reporting.
>>>>>
>>>>> Regards
>>>>> Sunny
>>>>>
>>>>> _______________________________________________
>>>>> clamav-users mailing list
>>>>> clamav-users at lists.clamav.net
>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>>
>>>>>
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards
>>>> Sunny
>>>> System Engineer
>>>> Mob : +91 9711155549
>>>>
>>>
>>> -Al-
>>> --
>>> Al Varnell
>>> Mountain View, CA
>>>
>>
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA
>>
>>
>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
>

-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549
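
The advice quoted in this thread to obfuscate a suspect URL before posting it ("something like httx://...") can be scripted; the following is an added example, not part of the original messages or of ClamAV. It pulls absolute http(s) link targets out of an HTML template and rewrites them in a non-clickable form for reporting. The function names, the sample template and the `example.test` hostnames are constructed for illustration, and the `hxxp` / `[.]` notation is a common convention assumed here, not a ClamAV requirement.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that commonly carry link targets in HTML e-mail templates.
URL_ATTRS = {"href", "src", "action", "background"}


class LinkCollector(HTMLParser):
    """Collect absolute http(s) URLs from tag attributes, in document order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            value = value.strip()
            try:
                scheme = urlsplit(value).scheme
            except ValueError:  # malformed netloc, e.g. a broken IPv6 literal
                continue
            if scheme in ("http", "https") and value not in self.urls:
                self.urls.append(value)


def extract_urls(html_text):
    collector = LinkCollector()
    collector.feed(html_text)
    collector.close()
    return collector.urls


def defang(url):
    """Rewrite a URL so mail clients and filters do not treat it as a live link."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp", 1)
    host = parts.netloc.replace(".", "[.]")
    query = "?" + parts.query if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


# Constructed sample template (hostnames are placeholders, not real indicators).
SAMPLE_TEMPLATE = """<html><body>
<a href="https://login.example.test/verify?id=1&amp;next=home">Verify</a>
<img src="http://cdn.example.test/js/logo.gif">
<a href="mailto:support@example.test">Contact</a>
<a href="/relative/page.html">Local</a>
</body></html>"""

if __name__ == "__main__":
    for found in extract_urls(SAMPLE_TEMPLATE):
        print(defang(found))
```
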