[clamav-users] Way to access .cvd file
Micah Snyder (micasnyd)
micasnyd at cisco.com
Tue Sep 1 18:16:13 UTC 2020
Some additional details, we've had a couple outstanding requests for a long time to print the URL information when phishing heuristics and safebrowsing signatures alert:
- https://bugzilla.clamav.net/show_bug.cgi?id=1600
- https://bugzilla.clamav.net/show_bug.cgi?id=11123
We added output in 0.103 to print the real-URL and display-URL when a phishing heuristic alerts, but have not added a similar feature for safebrowsing detections. I agree that it would be very helpful to know the source of such alerts when they occur. If there is anyone interested in contributing to the project, this might be a good one to work on.
It's probably also worth mentioning that Cisco-Talos no longer publishes updates to the safebrowsing database. Google changed their terms of service regarding commercial use of the safebrowsing API. Though we never made money off of our use of the safebrowsing API, we can no longer provide the data for public use since we don't know how it will be used. Instead, we open-sourced the tool that we used to generate the safebrowsing database so that others may use it with their own API in accordance with Google's terms of service. See https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html for more details.
Regards,
Micah
-----Original Message-----
From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of Al Varnell via clamav-users
Sent: Monday, August 31, 2020 5:11 PM
To: ClamAV users ML <clamav-users at lists.clamav.net>
Cc: Al Varnell <alvarnell at mac.com>
Subject: Re: [clamav-users] Way to access .cvd file
I'm sure you are correct that few, if any, would use --debug routinely, but I would definitely do so if I had a need to whitelist a safebrowsing entry. OTOH, that database is quite dynamic, with Google adding and deleting entries multiple times a day, so I would more likely want to take up any sort of FP results with Google directly.
You didn't mention the answer to your other question about the safebrowsing.info file which can be found at <https://www.clamav.net/documents/database-info>.
The format is simply:
name:size:sha256
-Al-
> On Aug 31, 2020, at 04:44, iulian stan via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> Dear Ged/all,
>
> Your information did the trick. I couldn't have solved this mystery without your genius link. To be fair, I've presented all the information and data without looking at the manual, and I know the commands posted from the thin air that I was breathing.
>
> Long story short, maybe this info is needed by other novices like me who don't RTFM.
>
> safebrowsing.cvd is created by Google and contains inside a .gdb file.
> As the manual says (btw, the correct link is:
> https://www.clamav.net/documents/phishsigs) it contains hashed URLs, and not encrypted ones like I thought in the beginning. Just because it is SHA256 you cannot "decode" the original data, since there is no original data inside (it is just a fixed string produced where the URL/data is used as seed). Having all of this said, there is no way to use sigtool --decode-sigs to retrieve the original data (like you do, for example, in *.ndb). In the link provided by me it is also written, I quote:
> "To see which hash/URL matched, look at the clamscan --debug output, and look for the following strings: Looking up hash, prefix matched, and Hash matched. Local whitelisting of .gdb entries can be done by creating a local.gdb file, and adding a line S:W:<HASH>."
>
> But to be fair, who is actually using clamscan or clamdscan with --debug activated in production?
>
> ---
> humbled and grateful for your great link, Iulian
>
> On 2020-08-31 12:35, G.W. Haywood via clamav-users wrote:
>> Hi there,
>> On Mon, 31 Aug 2020, iulian stan via clamav-users wrote:
>>> Am I missing something?
>> http://www.clamav.net/documents/clam-antivirus-user-manual
>> --
>> 73,
>> Ged.
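Al's note above that the database-info listing is simply name:size:sha256 is enough to check a downloaded database file before it is loaded. The following Python script is an added example, not ClamAV's own tooling or anything from the project: it parses lines in that format, then compares a file's size and SHA256 digest against the listing, checking the cheap size field before hashing. The sample listing and payload are constructed inline so the script runs offline; skipping blank lines and lines starting with '#' is an assumption of this script, not part of the published format.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


@dataclass(frozen=True)
class DbInfo:
    """One entry of the database-info listing: name:size:sha256."""
    name: str
    size: int
    sha256: str


def parse_db_info(text: str) -> dict:
    """Parse name:size:sha256 lines into a dict keyed by database name.

    The three-field colon-separated layout is the one described in the thread.
    Skipping blank lines and '#' comments is an assumption added here for
    convenience, not part of the published format.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:size:sha256, got {raw!r}")
        name, size, digest = parts
        if not size.isdigit():
            raise ValueError(f"line {lineno}: size is not an integer: {size!r}")
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: sha256 must be 64 hex characters")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = DbInfo(name, int(size), digest)
    return entries


def check(actual_size: int, actual_sha256: str, expected: DbInfo) -> tuple:
    """Compare observed size and digest with the listing; size first (cheap)."""
    if actual_size != expected.size:
        return False, f"size mismatch: expected {expected.size}, got {actual_size}"
    if actual_sha256 != expected.sha256:
        return False, "sha256 mismatch"
    return True, "ok"


def verify_bytes(data: bytes, expected: DbInfo) -> tuple:
    """Verify an in-memory database image (used by the self-test below)."""
    return check(len(data), hashlib.sha256(data).hexdigest(), expected)


def verify_file(path, expected: DbInfo, chunk_size: int = 1 << 20) -> tuple:
    """Verify a database file on disk, hashing it in chunks so large files fit."""
    p = Path(path)
    if not p.is_file():
        return False, f"missing file: {p}"
    size = p.stat().st_size
    if size != expected.size:
        # Do not spend time hashing a file we already know is wrong.
        return False, f"size mismatch: expected {expected.size}, got {size}"
    h = hashlib.sha256()
    with p.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return check(size, h.hexdigest(), expected)


# Constructed sample data (not a real ClamAV database) so the example runs offline.
SAMPLE_DATA = b"ClamAV-VDB:constructed sample payload, not a real database\n"
SAMPLE_INFO_TEXT = (
    "# constructed listing in the name:size:sha256 format\n"
    f"sample.cvd:{len(SAMPLE_DATA)}:{hashlib.sha256(SAMPLE_DATA).hexdigest()}\n"
)


if __name__ == "__main__":
    listing = parse_db_info(SAMPLE_INFO_TEXT)
    expected = listing["sample.cvd"]
    print("intact:   ", verify_bytes(SAMPLE_DATA, expected))
    print("truncated:", verify_bytes(SAMPLE_DATA[:-1], expected))
    print("tampered: ", verify_bytes(b"X" + SAMPLE_DATA[1:], expected))
```

In practice you would feed `parse_db_info` the text fetched from the database-info page and call `verify_file` on the freshly downloaded .cvd; a size mismatch points at a truncated or partial download, while a same-size digest mismatch points at a corrupted or altered file.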