On 2009-12-11 22:08, Tom Shaw wrote: > At 9:31 PM +0200 12/11/09, Török Edwin wrote: >> On 2009-12-11 21:14, Tom Shaw wrote: >>> At 3:53 PM +0200 12/10/09, Török Edwin wrote: >> >> On 2009-12-10 15:41, Sundara Kaku wrote: >> The heuristic phishing detector only works on emails correctly, not >> websites by design, hence there is no point >> in running it on downloaded webpages. Why? Because a phishing email >> contains a link <a href="...evilurl..."> email of banksite </a>, >> a phishing website will contain a login form looking similar to a >> banksite. >> These are very different things. > > True, but we have seen phishing sites that start with a front page > that does contain links like <a href="...evilurl..."> update you data > </a> so disabling the heuristic phishing detector would be counter > productive.
For the heuristic detector to work both the href target and the displayed text must be/contain a URL. Also the heuristic detector was tested for false positives (and has a whitelist) only for links commonly used in emails. I think you would have false positive if it'd be enabled for all HTML files. > >> Safebrowsing was only used on links found in emails by design, links >> found in other HTML files are not checked to improve performance, >> and because there are other ways to protect web browsers from malicious >> URLs listed in the safebrowsing DB in near realtime (for example >> firefox). > > Again this doesn't help when scanning a server for planted files etc. > > > Possible these should be options for clamdscan and clamscan for file > based scanning? Safebrowsing could be, see this bugreport: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1475 Implementing this is currently unplanned. Best regards, --Edwin _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
