[clamav-users] Can't detect deceptive URL's as infected !!

Steve Basford steveb_clamav at sanesecurity.com
Wed Dec 12 05:37:51 EST 2018


On Wed, December 12, 2018 8:59 am, Al Varnell wrote:
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all
> of them have been removed. Should I conclude that the PhishTank
> organization signatures are resulting in a high False Positive count? Are
> they simply accepting all the submissions they get as valid phishing
> attempts and not QAing them before release?

Not sure but just to add that phishtank.ndb is still up and running and
has been for quite some time...  so might end up with some duplicates for
those already using phishtank.ndb:

eg....

phishtank.ndb:

VIRUS NAME: PhishTank.Phishing.5433945
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
{STRING_ALTERNATIVE:.|/}trck DOT me/459690/

vs

daily.ndb:

VIRUS NAME: Phishtank.Phishing.PHISH_ID_5433945-6762532-0
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
http://trck DOT me/459690/

-- 
Cheers,

Steve
Twitter: @sanesecurity
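
An added example (not part of the original post, and not ClamAV or Sanesecurity code) of how the overlap described above could be checked: it parses `.ndb` lines, strips the leading alternation and URL scheme, and reports entries in two databases that cover the same URL. The database lines, signature IDs and host names are constructed placeholders, and the normalisation in `url_key` is an assumption that only handles plain hex body signatures.

```python
import re

# Constructed sample lines in .ndb layout: Name:TargetType:Offset:HexSignature.
# Hosts and IDs are placeholders, not the values quoted in the post.
URL = "phish.example/459690/"
PHISHTANK_NDB = ["PhishTank.Phishing.0000001:0:*:(2e|2f)" + URL.encode().hex()]
DAILY_NDB = [
    "Phishtank.Phishing.PHISH_ID_0000001-0000002-0:3:*:" + ("http://" + URL).encode().hex(),
    "Phishtank.Phishing.PHISH_ID_0000003-0000004-0:3:*:" + b"http://other.example/login/".hex(),
]

TARGETS = {"0": "ANY FILE", "3": "HTML"}  # only the two target types seen in the post
ALT = re.compile(r"\((?:[0-9a-fA-F]{2}\|)*[0-9a-fA-F]{2}\)")  # e.g. (2e|2f)

def parse(line):
    """Split one .ndb line into its first four fields."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": TARGETS.get(target, target), "offset": offset, "hex": hexsig}

def url_key(hexsig):
    """Reduce a body signature to a comparable host/path key, or None."""
    plain = ALT.sub("", hexsig)  # drop alternation groups such as (2e|2f)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", plain):
        return None  # wildcards, jumps and similar syntax are not handled here
    text = bytes.fromhex(plain).decode("latin-1").lower()
    return re.sub(r"^https?://", "", text)

def find_duplicates(db_a, db_b):
    """Return (name_in_a, name_in_b, key) for signatures covering the same URL."""
    index = {}
    for line in db_a:
        sig = parse(line)
        key = url_key(sig["hex"])
        if key:
            index.setdefault(key, []).append(sig)
    dups = []
    for line in db_b:
        sig = parse(line)
        for other in index.get(url_key(sig["hex"]), []):
            dups.append((other["name"], sig["name"], url_key(sig["hex"])))
    return dups

if __name__ == "__main__":
    for a, b, key in find_duplicates(PHISHTANK_NDB, DAILY_NDB):
        print(f"{a} and {b} both cover {key}")
```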



