Hi Orion!

Thank you for reporting this. URLhaus is a partner that generates a list of ClamAV signatures to target malicious URLs. Signature Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML files, which is why it is alerting on the URLs you mentioned. We found these FPs some weeks ago and added an extra check on new ClamAV signatures to prevent them from alerting on legitimate URLhaus content. We are currently updating older ClamAV signatures to ensure they don't FP on non-malicious HTML files.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <orion@nwra.com> wrote:
Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature?  We're seeing the following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

Which seem to be the online update URLs for the urlhaus filter.  Does ClamAV
deem urlhaus a bad actor?

Thanks,
  Orion

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

