[clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Lilia Gonzalez Medina
liligonz at sourcefire.com
Mon Jan 4 15:43:56 UTC 2021
Hi Orion!
Thank you for reporting this. URLhaus is a partner that generates a list of
ClamAV signatures to target malicious URLs. Signature
Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
files, which is why it is alerting on the URLs you mentioned. We found
these FPs some weeks ago and added an extra check on new ClamAV signatures
to prevent them from alerting on legitimate URLhaus content. We are
currently updating older ClamAV signatures to ensure they don't FP on
non-malicious HTML files.
Best regards,
Lilia Gonzalez
Malware Research Team
Cisco Talos
On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <orion at nwra.com> wrote:
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature? We're seeing the following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
>
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
>
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
>
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
>
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter. Does
> ClamAV deem urlhaus a bad actor?
>
> Thanks,
> Orion
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane orion at nwra.com
> Boulder, CO 80301 https://www.nwra.com/
>