[clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Orion Poplawski
orion at nwra.com
Wed Dec 30 22:23:30 UTC 2020
So that is apparently a malicious site as determined by Urlhaus and is on
their filter list. But how is it useful as a ClamAV signature? You are not
going to be filtering URLs with ClamAV, right? And now it's blocking these
emails because they contain this string.
Orion
On 12/23/20 11:26 AM, eric-list at truenet.com wrote:
> Here's the signature decoded:
> # sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
> VIRUS NAME: Urlhaus.Malware.452652-9766253-0
> FUNCTIONALITY LEVEL: >=48
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> -----Original Message-----
> From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of
> Orion Poplawski
> Sent: Wednesday, December 23, 2020 1:11 PM
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
>
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature? We're seeing following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter. Does
> ClamAV deem urlhaus a bad actor?
>
> Thanks,
> Orion
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane orion at nwra.com
> Boulder, CO 80301 https://www.nwra.com/
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
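To make the false positive discussed in this thread concrete, here is an added example (not code from the thread or from the ClamAV project) that models a ClamAV .ndb body signature and a local .ign2 allow-list in simplified form. It rebuilds the signature line from the decoded output quoted above (hex-encoded ASCII, target type 3 = HTML, min FLEVEL 48), scans a constructed stand-in for urlhaus-filter-online.txt, and shows that listing the signature name in an .ign2 file suppresses the hit; real ClamAV additionally normalizes HTML and supports wildcards and other offsets, which this toy matcher does not.

```python
"""Toy model of why a ClamAV body signature fires on a URL block-list file."""
import re

# Constructed from the decoded signature in the thread; the .ndb body is the
# ASCII string hex-encoded. Fields: Name:TargetType:Offset:HexBody:MinFLEVEL
DECODED_BODY = "aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/"
NDB_LINE = "Urlhaus.Malware.452652-9766253-0:3:*:" + DECODED_BODY.encode().hex() + ":48"

# Constructed stand-in for a few lines of urlhaus-filter-online.txt.
FILTER_LIST = b"""! Title: Malicious URL Blocklist (constructed sample)
||example-malware-host.invalid/payload.exe$all
||aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/$all
"""


def parse_ndb(line):
    """Split one .ndb line into name, target type, offset, body bytes and min FLEVEL."""
    parts = line.strip().split(":")
    name, target, offset, hexsig = parts[:4]
    if not re.fullmatch(r"[0-9a-fA-F]+", hexsig) or len(hexsig) % 2:
        raise ValueError("wildcards / odd-length hex are not supported by this toy parser")
    min_fl = int(parts[4]) if len(parts) > 4 else 0
    return {"name": name, "target": int(target), "offset": offset,
            "body": bytes.fromhex(hexsig), "min_flevel": min_fl}


def load_ign2(text):
    """Parse local.ign2-style content: one signature name per line, '#' comments allowed."""
    return frozenset(l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#"))


def scan(data, sig, ignored=frozenset()):
    """Return the signature name if its body occurs in data and it is not allow-listed.

    Offset '*' means 'anywhere in the file', which is why a block-list that merely
    quotes the malicious URL matches just like a page that links to it.
    """
    if sig["name"] in ignored:
        return None
    if sig["offset"] == "*":
        hit = sig["body"] in data
    else:  # plain numeric offset only; ClamAV also supports EOF-n, EP+n, etc.
        off = int(sig["offset"])
        hit = data[off:off + len(sig["body"])] == sig["body"]
    return sig["name"] if hit else None


if __name__ == "__main__":
    sig = parse_ndb(NDB_LINE)
    print(scan(FILTER_LIST, sig))  # Urlhaus.Malware.452652-9766253-0
    allow = load_ign2("# local suppression of the Urlhaus URL-string signature\n"
                      "Urlhaus.Malware.452652-9766253-0\n")
    print(scan(FILTER_LIST, sig, allow))  # None
```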