On 2009-03-24 13:40, Matus UHLAR - fantomas wrote:
>> On Wed, 11 Mar 2009 17:56:22 +0000
>> Ian Eiloart <i...@sussex.ac.uk> wrote:
>>
>>> That sounds good. What does it do, though?
>>> My guess is that it enables freshclam to download copies of files
>>> containing URLs that Google considers "unsafe", and then clamd will
>>> block emails that contain those URLs. Is that right?
>>>
>
> On 12.03.09 09:11, Spiro Harvey wrote:
>
>> http://code.google.com/apis/safebrowsing/
>>
>> Sounds like it.. might be possible to check realtime too.. but the
>> quick blurb on the site just mentions downloading a lookup table to the
>> local machine.
>>
>> Looks good to me tho.
>>
>
> Yes, but I found this question quite important and "Seems like it" is not
> a satisfactory answer. Customers may (and already did) send us notices about
> unsafe pages in our hosting (shit happens, while clamav works good for
> rejecting infected files, it doesn't for .htaccess containing Rewrite*), and
> I'd like such mail _not_ to be blocked by clamav...
>

You can match on the virusname "^Safebrowsing.+", and send those messages to a different folder.
If it is about customers reporting unsafe pages, then you wouldn't want that to go to the spam folder either, would you?

Files that are matched by a signature in the safebrowsing.cvd have lower precedence than other signatures, so scanning just once should be enough.
Even if someone sends an email containing both something matched by a signature (malware, signature-based phishing) and something matched by the anti-phishing code (Google Safe Browsing, heuristics ...), the (malware) signatures take precedence.
This works even when scanning archives: by default clamav only stops scanning when it matches a signature, not when matching based on phishing heuristics, or safebrowsing entries.
You can then filter based on the virusname, if you want to treat phishing/safebrowsing-blacklisted entries as spam.

> I'm also surprised that safebrowsing is an option only for freshclam. Some
> people reported running two instances of clamav, one with
> "PhishingSignatures off" for SMTP-level filtering, one with "on" for spam
> filter. Seems this won't be possible with safebrowsing database...
>
>

Turning off the heuristic-based phishing detection also turns off the use of safebrowsing.cvd:
"PhishingScanURLs off"

So if you don't want to scan for phishing at SMTP-level:

    PhishingSignatures off
    PhishingScanURLs off

Would there be a situation where you want PhishingScanURLs to be On, yet Google Safe Browsing Off?

Best regards,
--Edwin
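
Added example, not part of the original thread and not ClamAV project code: a single-scan routing step that applies the "^Safebrowsing.+" virusname match described above to one scanner result line. The action names, the "Phishing" substring rule and the sample result lines are assumptions constructed for illustration.

```python
import re

# Pattern quoted in the message above for safebrowsing.cvd matches.
SAFEBROWSING = re.compile(r"^Safebrowsing.+")
# Assumption: phishing signature/heuristic names contain "Phishing".
PHISHING = re.compile(r"Phishing", re.IGNORECASE)
# Scanner result line: "<target>: <virusname> FOUND" or "<target>: OK".
RESULT = re.compile(r"^(?P<target>.*): (?:(?P<name>\S+) FOUND|OK)$")


def route(result_line):
    """Map one scan result line to a (hypothetical) delivery action."""
    m = RESULT.match(result_line.strip())
    if m is None:
        # ERROR replies or anything unparsable: defer instead of guessing.
        return "tempfail"
    name = m.group("name")
    if name is None:
        return "deliver"
    # Checked first: a Safebrowsing name may itself contain "phishing".
    if SAFEBROWSING.match(name):
        return "folder:safebrowsing"
    if PHISHING.search(name):
        return "folder:spam"
    # Any other name is a malware signature; those take precedence in the
    # scanner, so one scan result is enough to decide.
    return "reject"


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real scan.
    samples = [
        "stream: OK",
        "stream: Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND",
        "stream: Heuristics.Phishing.Email.SpoofedDomain FOUND",
        "stream: Eicar-Test-Signature FOUND",
        "stream: Can't allocate memory ERROR",
    ]
    for line in samples:
        print(f"{route(line):20} <- {line}")
```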