your.local.ndb file:
        "signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
        "signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";

On Mar 30, 2015, at 2:34 PM, Dave McMurtrie <[email protected]> wrote:

> Hi,
> 
> Hopefully someone here can steer me in the right direction.  I'm looking for 
> a simple way to be able to create a local signature such that when we become 
> aware of a phishing message targeting our users that contains a malicious 
> URL, I can quickly respond by configuring ClamAV to identify them so we can 
> block them.
> 
> After reading the phishsigs_howto, it looks like adding entries to a 
> local.gdb file would accomplish what I want, but thus far that isn't working 
> for me.  I'm fairly certain that I have the format correct because clamdscan 
> is properly detecting messages with URLs that I put in my local.gdb file.  
> However, clamd is not detecting the URLs when our milter code connects to the 
> clamd socket.  The difference seems to be whether it's in the context of 
> scanning a file or a mail message, since debug output shows me that it's 
> taking a different code path.  I posted to the list earlier with more 
> specific questions about this, but never did track it down.
> 
> My questions:
> 
> 1) Is the local.gdb file even intended for this purpose?
> 
> 2) Is there a better way to accomplish this?
> 
> Thanks!
> 
> Dave
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
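
An added example (not code from the original post) that builds the two signature lines shown in the reply and decodes each one back to confirm the hex body is the intended URL. It assumes only the `Name:TargetType:Offset:HexSignature` layout visible in those lines; the function names `ndb_lines` and `decode_ndb_line` are hypothetical.

```python
import re

# Field layout as seen in the reply's two lines: Name:TargetType:Offset:HexSignature
# The name must not contain ':' or whitespace, or the line would no longer split cleanly.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")
OFFSET_ANY = "*"  # offset value used in the reply


def ndb_lines(name, url, targets=(4, 5)):
    """Return one line per target type, suffixed .1, .2, ... as in the reply."""
    if not NAME_RE.match(name):
        raise ValueError("name may contain only letters, digits, '_', '-' and '.'")
    if not url or url != url.strip():
        raise ValueError("URL must be non-empty with no surrounding whitespace")
    hexsig = url.encode("utf-8").hex()  # lowercase hex, same output as PHP bin2hex()
    return [f"{name}.{i}:{t}:{OFFSET_ANY}:{hexsig}"
            for i, t in enumerate(targets, start=1)]


def decode_ndb_line(line):
    """Split a line into its four fields and recover the bytes it matches."""
    fields = line.strip().split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(fields)}")
    name, target, offset, hexsig = fields
    return name, int(target), offset, bytes.fromhex(hexsig)


def checked_lines(name, url):
    """Build the lines and verify each decodes back to the URL before use."""
    lines = ndb_lines(name, url)
    for line in lines:
        if decode_ndb_line(line)[3] != url.encode("utf-8"):
            raise ValueError("round-trip mismatch: " + line)
    return lines


if __name__ == "__main__":
    # URL and signature name are the placeholders used in the reply.
    for line in checked_lines("signame", "http://bad.domain.com/path"):
        print(line)
```

Redirect the output into the local .ndb file and reload the daemon's databases for the new lines to take effect.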
