[clamav-users] ClamAV HTML RealURL DisplayURL failed
Joel Esler (jesler)
jesler at cisco.com
Wed Jul 29 12:33:19 UTC 2020
Are you writing your rule to detect the correct file type?
Sent from my iPad
> On Jul 29, 2020, at 06:02, shishabert at vollbio.de wrote:
>
> Hi @ all,
>
> I use postfix, amavisd and clamav with the urlhaus ndb (for ClamAV) sig from urlhaus.abuse.ch. If I send or receive a mail with a hyperlink (realURL / displayURL) like:
>
> ...
> ...
> <a href="https:// example-from-urlhaus.[com/link/to/location/">https:// foo-bar-anything-blubb.[com/happy-malware-fakename</a><o:p></o:p></p>
> ...
> ...
>
> ClamAV does not recognize this. But if I place the link directly in the mail body (HTML format), ClamAV recognizes this:
>
> clamd[25845]: /var/amavis/tmp/amavis-20200729T082557-25999-Hy3LWJ3x/parts/p004: URLhaus.421252.UNOFFICIAL FOUND
>
> And when I create a YARA rule with the link to urlhaus.abuse.ch, it detects the badevil-url link without problems.
> For example:
>
> ...
> LibClamAV debug: FP SIGNATURE: cef114bc2adc4caeaf51f716ba3c1611:923:YARA.spam_subject.UNOFFICIAL
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: YARA.spam_subject.UNOFFICIAL found
>
>
> Can you tell me what I'm doing wrong?
>
> BR, Bert
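Added example (not part of the original thread and not ClamAV's own code): a Python check for the file-type question raised in the reply. It parses extended `.ndb` lines and reports which target type each signature is bound to. The signature names, the `example.invalid` URL and the helper names are constructed, and the type matching is a simplified model of how ClamAV selects signatures.

```python
# Inspect the target type of ClamAV extended (.ndb) signatures.
# Line layout per the ClamAV signature docs:
#   Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
import binascii

TARGET_TYPES = {
    0: "any file", 1: "PE", 2: "OLE2", 3: "normalized HTML", 4: "mail file",
    5: "graphics", 6: "ELF", 7: "normalized ASCII text", 9: "Mach-O",
    10: "PDF", 11: "Flash", 12: "Java class",
}

def parse_ndb_line(line):
    """Parse one .ndb line into name, target type, offset and readable pattern."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an extended signature: %r" % line)
    name, target, offset, hexsig = fields[:4]
    try:
        # Plain hex bodies decode to text; wildcards (??, *, {n-m}) do not.
        pattern = binascii.unhexlify(hexsig).decode("latin-1")
    except ValueError:
        pattern = None
    return {"name": name, "target": int(target), "offset": offset, "pattern": pattern}

def applies_to(sig, part_type):
    """Simplified model: target 0 matches any part, otherwise types must agree."""
    return sig["target"] == 0 or sig["target"] == part_type

def report(lines, part_type):
    """Return (name, target description, applies?) for each signature line."""
    rows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        sig = parse_ndb_line(line)
        desc = TARGET_TYPES.get(sig["target"], "unknown")
        rows.append((sig["name"], desc, applies_to(sig, part_type)))
    return rows

# Constructed sample signatures (not real URLhaus entries).
URL_HEX = b"example.invalid/link/to/location/".hex()
SAMPLE = [
    "Constructed.Url.Mail:4:*:" + URL_HEX,
    "Constructed.Url.Html:3:*:" + URL_HEX,
    "Constructed.Url.Any:0:*:" + URL_HEX,
]

if __name__ == "__main__":
    for row in report(SAMPLE, part_type=3):  # a part ClamAV typed as HTML
        print(row)
```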