[clamav-users] Can't detect deceptive URL's as infected !!

Micah Snyder (micasnyd) micasnyd at cisco.com
Tue Dec 11 23:01:01 EST 2018


Hi Sunny,

I meant to say that if I scanned a saved email file containing the malicious URL in an HTML link (i.e. a href=link), then it will detect the link with the safebrowsing signature. However, if the malicious URL is not an HTML link, for example if the email content is plain text, then the safebrowsing signature does not appear to alert.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
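
An added example, not part of the thread and not ClamAV code: a pre-scan check for saved messages that collects URLs both from HTML `href` attributes and from bare plain-text bodies, so a link in a plain-text email is checked too. The blocklist, host names, sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist standing in for a URL reputation feed (assumption).
BLOCKED_HOSTS = {"phish.example.test"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

class HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_urls(raw_message):
    """Return (href_urls, text_urls) from every text part of a message."""
    msg = message_from_string(raw_message, policy=default)
    href_urls, text_urls = set(), set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            collector = HrefCollector()
            collector.feed(body)
            href_urls.update(collector.hrefs)
        else:
            # Bare URLs in plain text; trim trailing sentence punctuation.
            text_urls.update(u.rstrip(".,;") for u in URL_RE.findall(body))
    return href_urls, text_urls

def scan(raw_message):
    """Report blocklisted URLs, split by where they were found."""
    def hits(urls):
        return {u for u in urls
                if (urlsplit(u).hostname or "").lower() in BLOCKED_HOSTS}
    hrefs, texts = extract_urls(raw_message)
    return {"href": hits(hrefs), "text": hits(texts)}

# Constructed sample messages: same URL, once as plain text, once as a link.
HEAD = "From: a@example.test\nSubject: invoice\nContent-Type: text/%s\n\n"
PLAIN_MAIL = HEAD % "plain" + "Log in at http://phish.example.test/login.\n"
HTML_MAIL = HEAD % "html" + '<a href="http://phish.example.test/login">x</a>\n'
```

A check that looked only at the `href` set would report nothing for `PLAIN_MAIL`; the `text` set is what catches it.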


On Dec 11, 2018, at 8:58 AM, Sunny Marwah <sunnymarwah at trepup.com> wrote:

Hi Al,

Thanks for sharing that reply.

Do you mean ClamAV did not detect that file (containing the deceptive link) as 'Infected' in your scanning?

FYI, I have also tried Google's Safebrowsing API to check such deceptive links.

It was really strange to learn that even Google's Safebrowsing lookup API did not detect that file as 'Unsafe'. The reason is that the deceptive link is a phishing link, not malware.

So Google's Safebrowsing lookup API will identify only malware links as 'Unsafe' but not all deceptive links. However, when I check the same URL on "https://transparencyreport.google.com/safe-browsing/search", it shows 'site is unsafe', which is what I am actually looking for.

Regards
Sunny

On Tue, Dec 11, 2018 at 5:28 PM Al Varnell <alvarnell at mac.com> wrote:
Here was the earlier reply to your question
<http://lists.clamav.net/pipermail/clamav-users/2018-December/007245.html>.

Sent from my iPad

-Al-

On Dec 10, 2018, at 21:46, Sunny Marwah <sunnymarwah at trepup.com> wrote:
Same question again: Chrome doesn't open malicious links because it labels them dangerous as per "Safebrowsing". Then why is ClamAV not able to identify such malicious links when the "Safebrowsing" option is already enabled?

On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
Our replies may be getting filtered by your email provider because you included a malicious link in the email chain. :D  I removed the link from this reply.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 8, 2018, at 9:17 AM, Sunny Marwah <sunnymarwah at trepup.com> wrote:


Still no reply on this matter.


--
Regards
Sunny
System Engineer
Mob : +91 9711155549
