[clamav-users] ClamAV HTML RealURL DisplayURL failed
shishabert at vollbio.de
Wed Jul 29 10:02:04 UTC 2020
Hi all,
I use Postfix, amavisd and ClamAV with the URLhaus ndb signatures (for ClamAV) from urlhaus.abuse.ch. If I send or receive a mail with a hyperlink (realURL/displayURL) like:
...
...
<a href="https:// example-from-urlhaus.[com/link/to/location/">https:// foo-bar-anything-blubb.[com/happy-malware-fakename</a><o:p></o:p></p>
...
...
ClamAV does not recognize this. But if I place the link directly in the mail body (HTML format), ClamAV recognizes it:
clamd[25845]: /var/amavis/tmp/amavis-20200729T082557-25999-Hy3LWJ3x/parts/p004: URLhaus.421252.UNOFFICIAL FOUND
And when I create a YARA rule with the link to urlhaus.abuse.ch, it detects the badevil-url link without problems.
For example:
...
LibClamAV debug: FP SIGNATURE: cef114bc2adc4caeaf51f716ba3c1611:923:YARA.spam_subject.UNOFFICIAL
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: YARA.spam_subject.UNOFFICIAL found
Can you tell me what I'm doing wrong?
BR, Bert