On Wed, Jan 22, 2014 at 10:25 AM, Alex <[email protected]> wrote:
> Hi,
>
> On Tue, Jan 21, 2014 at 2:15 PM, Charles Swiger <[email protected]> wrote:
> > On Jan 21, 2014, at 10:40 AM, Alex <[email protected]> wrote:
> >> I received a number of messages on the 17th that were tagged
> >> incorrectly with:
> >>
> >> X-Amavis-Alert: INFECTED, message contains virus:
> >> Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
> >>
> >> I tried to figure out what the pattern was, but apparently it no longer
> >> exists?
> >
> > There is no specific pattern responsible for the "Heuristics" type.
> >
> > Basically, it generally indicates that the email contains URLs which
> > take one to a different site than what is being displayed to the user.
> > The "safebrowsing" string also suggests that one of the domains in
> > question was listed on Google's blacklist of sites containing suspected
> > malware.
>
> So I can assume that since clamscan no longer finds a virus, that the
> string that triggered the false positive is no longer part of the
> blacklist?
>
> The reference to the FAQ doesn't seem to be all that helpful. How can
> I extract the contents of the safebrowsing.cvd file to determine its
> contents?
>
> Thanks,
> Alex
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

All of the safebrowsing.cvd content comes from Google's SafeBrowsing list. If the site was blacklisted at the time, then the site probably remediated the issue and reached out to Google to get off of the blacklist, and that would have been reflected in a safebrowsing.cvd update.

As for safebrowsing.cvd content, you can unpack any CVD using ClamAV's sigtool with the --unpack option. Details on how to read the signatures in there are outlined in the phishsigs_howto.pdf file. I can tell you that your alert came from one of the "S2" lines in the GDB file [format described in Section 1.2 of the PDF].

Dave R.

--
Dave Raynor
Vulnerability Research Team
[email protected]
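Following Dave's pointer, here is an added example (not from the thread and not ClamAV's own code) of how to check a URL from the flagged mail against the S1/S2 lines of an unpacked safebrowsing.cvd. It assumes that the .gdb produced by `sigtool --unpack safebrowsing.cvd` holds lines of the form `S2:P:<hex SHA-256 prefix>` (S1 = malware list, S2 = phishing list) and that the hashed strings are the Safe Browsing v2 host+path lookup expressions reproduced below; both points should be checked against phishsigs_howto.pdf. The sample .gdb in the block is constructed inline so the script runs offline; with a real file, read it instead of SAMPLE_GDB.

```python
"""Match a URL's Safe Browsing lookup expressions against the hashed
prefixes in an unpacked safebrowsing.cvd (.gdb). Added example, not
ClamAV code. Assumptions (verify in phishsigs_howto.pdf): .gdb lines
look like "S2:P:<hex sha256 prefix>", S1 = malware, S2 = phishing, and
the hashed strings are the v2 host+path expressions built below."""
import hashlib
from urllib.parse import urlsplit


def host_expressions(host):
    """Exact host, then suffixes of its last five labels with the leading
    label dropped one at a time, never the bare TLD. IPv4: exact only."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) == 4 and all(l.isdigit() for l in labels):
        return [host]
    out = [".".join(labels)]
    tail = labels[-5:]
    for i in range(len(tail) - 1):          # keep at least two labels
        cand = ".".join(tail[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_expressions(path, query):
    """Exact path with and without query, then up to four directory
    prefixes ("/", "/a/", "/a/b/", ...)."""
    out = []
    if query:
        out.append(path + "?" + query)
    out.append(path)
    dirs = [s for s in path.split("/") if s]
    if not path.endswith("/"):
        dirs = dirs[:-1]                    # drop the file component
    for k in range(min(len(dirs), 3) + 1):
        cand = "/" + "".join(d + "/" for d in dirs[:k])
        if cand not in out:
            out.append(cand)
    return out


def lookup_expressions(url):
    """All host+path strings Safe Browsing v2 hashes for this URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path or "/"
    return [h + p for h in host_expressions(host)
            for p in path_expressions(path, parts.query)]


def parse_gdb(text):
    """Map list tags such as "S2:P" to their lowercase hex prefixes,
    skipping blank and comment lines."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not fields[0].startswith("S"):
            continue
        sigs.setdefault(fields[0] + ":" + fields[1], []).append(fields[2].lower())
    return sigs


def match_url(url, sigs):
    """Return (tag, expression, prefix) for every hashed expression whose
    SHA-256 hex digest starts with a listed prefix. An empty result means
    the current .gdb no longer explains the alert."""
    hits = []
    for expr in lookup_expressions(url):
        digest = hashlib.sha256(expr.encode("utf-8")).hexdigest()
        for tag, prefixes in sigs.items():
            hits.extend((tag, expr, p) for p in prefixes if digest.startswith(p))
    return hits


def build_sample_gdb(entries):
    """Constructed stand-in for `sigtool --unpack safebrowsing.cvd` output
    so the example runs offline; entries are (tag, expression, prefix_bytes)."""
    lines = ["# constructed sample, not Google data"]
    for tag, expr, nbytes in entries:
        digest = hashlib.sha256(expr.encode("utf-8")).hexdigest()
        lines.append(f"{tag}:{digest[:2 * nbytes]}")
    return "\n".join(lines)


SAMPLE_GDB = build_sample_gdb([
    ("S2:P", "phish.example.net/", 4),        # phishing: 4-byte prefix
    ("S1:P", "malware.example.org/dl/", 32),  # malware: full 32-byte hash
])


if __name__ == "__main__":
    sigs = parse_gdb(SAMPLE_GDB)
    for url in ("http://login.phish.example.net/verify?id=1",
                "http://malware.example.org/dl/setup.exe",
                "http://www.example.com/"):
        print(url, "->", match_url(url, sigs) or "no match")
```

Because short prefixes are what the list stores, a hit on a 4-byte prefix identifies the expression only up to a 2^-32 collision; the full-hash entries are exact. Re-running against a freshly updated .gdb answers Alex's question directly: if the host that matched on the 17th produces no hit today, the entry has been dropped from the list.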
