[clamav-users] Can't detect deceptive URL's as infected !!

Sunny Marwah sunnymarwah at trepup.com
Wed Dec 12 08:15:35 EST 2018


Hi Micah,

I checked what you suggested.

I put that deceptive link as a hyperlink like href=link in an HTML file and
scanned the file.

Still, ClamAV did not detect that file as 'Infected'. It gave OK to that
file.

Regards
Sunny

On Wed, Dec 12, 2018 at 5:53 PM Joel Esler (jesler) <jesler at cisco.com>
wrote:

> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank
> project, so this is about making our different properties work together
> through the official signature set in a supported way.  If false positives
> are reported on the phishtank sigs through ClamAV.net, they are
> automatically routed to my team for resolution in the phishtank feed and in
> ClamAV.
>
> Sent from my  iPhone
>
> On Dec 12, 2018, at 03:59, Al Varnell <alvarnell at mac.com> wrote:
>
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all, of
> them have been removed. Should I conclude that the PhishTank organization
> signatures are resulting in a high False Positive count? Are they simply
> accepting all the submissions they get as valid phishing attempts and not
> QAing them before release?
>
> Part of my interest is that I've been providing input to them for years
> after first establishing that the spam e-mail I received is from an address
> that doesn't match the purported notice of impending doom and offer to fix
> by clicking a link which does not match the announced domain. I'm not sure
> all users would go to such lengths and might be forwarding all their spam
> to these folks. Or perhaps some are flooding the site with valid URLs in
> an attempt to defeat their purpose.
>
> -Al-
>
> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>
> Hi Sunny,
>
> I meant to say that if I scanned a saved email file containing the
> malicious URL in an HTML link (i.e. a href=link), then it will detect
> the link with the safebrowsing signature.  However, if the malicious URL is
> not an HTML link, for example if the email content is plain text, then the
> safebrowsing signature does not appear to alert.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 11, 2018, at 8:58 AM, Sunny Marwah <sunnymarwah at trepup.com> wrote:
>
> Hi Al,
>
> Thanks for sharing that reply.
>
> Do you mean ClamAV did not detect that file (containing the deceptive link) as
> 'Infected' in your scanning?
>
> FYI, I have also tried Google's Safebrowsing API to check such deceptive
> links.
>
> It was really strange to know that even Google's Safebrowsing lookup API
> did not detect that file as 'Unsafe'. The reason behind it is that the
> deceptive link is a phishing link but not malware.
>
> So Google's Safebrowsing lookup API will identify only Malware links as
> 'Unsafe' but not all deceptive links. However, when I check the same URL on
> "https://transparencyreport.google.com/safe-browsing/search", then it
> shows 'site is unsafe', which is what I am actually looking for.
>
> Regards
> Sunny
>
> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell <alvarnell at mac.com> wrote:
>
>> Here was the earlier reply to your question
>> <http://lists.clamav.net/pipermail/clamav-users/2018-December/007245.html>.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Dec 10, 2018, at 21:46, Sunny Marwah <sunnymarwah at trepup.com> wrote:
>>
>> Same question again: Chrome doesn't open malicious links due to labeling
>> them dangerous as per "Safebrowsing". Then why is ClamAV not able to
>> identify such malicious links when the "Safebrowsing" option is already
>> enabled??
>>
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) <
>> micasnyd at cisco.com> wrote:
>>
>>> Our replies may be getting filtered by your email provider because you
>>> included a malicious link in the email chain. :D  I removed the link from
>>> this reply.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>>
>>>
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah <sunnymarwah at trepup.com> wrote:
>>>
>>>
>>> Still no reply on this matter.
>>>
>>>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>


-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549
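
An added example, not part of the original thread and not ClamAV code: a small Python check that reports, for a saved message, which URLs appear as HTML `a href` links and which appear only in plain text, the case Micah reports the safebrowsing signature did not alert on. The sample messages, addresses and URL are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s<>\"']+")

class HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value.strip())

def url_coverage(raw_message):
    """Return (linked, text_only): URLs present as HTML links, and URLs
    that occur only in text/plain parts of the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    linked, in_text = set(), set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            linked |= collector.hrefs
        elif ctype == "text/plain":
            # Drop sentence punctuation that trails a URL in running text.
            in_text |= {u.rstrip(".,;:)!?") for u in URL_RE.findall(part.get_content())}
    return linked, in_text - linked

def build_sample(url, as_html):
    """Constructed test message carrying `url` as an HTML link or as plain text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed test message"
    if as_html:
        msg.set_content(f'<html><body><a href="{url}">click</a></body></html>',
                        subtype="html")
    else:
        msg.set_content(f"Please visit {url} today.\n")
    return msg.as_string()
```

URLs returned in `text_only` are the ones a check that only inspects HTML links would never see, so they need a separate lookup if plain-text mail is in scope.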