Thanks for the explanation, Alain. Makes a lot of sense to keep those 
signatures dynamically current.

Sent from my iPad

-Al-

On Dec 12, 2018, at 07:17, Alain Zidouemba wrote:
> The PhishTank URLs being dropped from daily.cvd have nothing to do with false 
> positives. We are just rotating in and out the top phishing URLs based on 
> number of DNS lookups per hour.
> 
> - Alain
> 
>> On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler) <[email protected]> wrote:
>> Not sure.  Perhaps Alain can chime in.  My team also runs the PhishTank 
>> project, so this is about making our different properties work together 
>> through the official signature set in a supported way.  If false positives 
>> are reported on the PhishTank sigs through ClamAV.net, they are 
>> automatically routed to my team for resolution in the PhishTank feed and in 
>> ClamAV.  
>> 
>> Sent from my  iPhone
>> 
>>> On Dec 12, 2018, at 03:59, Al Varnell <[email protected]> wrote:
>>> 
>>> You mentioned earlier that ClamAV has recently added signatures from 
>>> PhishTank, but I've noticed over the last few days that most, if not all of 
>>> them have been removed. Should I conclude that the PhishTank organization 
>>> signatures are resulting in a high False Positive count? Are they simply 
>>> accepting all the submissions they get as valid phishing attempts and not 
>>> QAing them before release?
>>> 
>>> Part of my interest is that I've been providing input to them for years 
>>> after first establishing that the spam e-mail I received is from an address 
>>> that doesn't match the purported notice of impending doom and offer to fix 
>>> by clicking a link which does not match the announced domain. I'm not sure 
>>> all users would go to such lengths and might be forwarding all their spam 
>>> to these folks. Or perhaps some are flooding the site with valid URLs in 
>>> an attempt to defeat their purpose.
>>> 
>>> -Al-
>>> 
>>>> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>>>> Hi Sunny,
>>>> 
>>>> I meant to say that if I scanned a saved email file containing the 
>>>> malicious URL in an HTML link (i.e. <a href=link>), then it will detect 
>>>> the link with the safebrowsing signature.  However, if the malicious URL 
>>>> is not an HTML link, for example if the email content is plain text, then 
>>>> the safebrowsing signature does not appear to alert. 
>>>> 
>>>> Regards,
>>>> Micah
>>>>  
>>>> Micah Snyder
>>>> ClamAV Development
>>>> Talos
>>>> Cisco Systems, Inc.
>>>> 
>>>> 
>>>>> On Dec 11, 2018, at 8:58 AM, Sunny Marwah <[email protected]> wrote:
>>>>> 
>>>>> Hi Al,
>>>>> 
>>>>> Thanks for sharing that reply.
>>>>> 
>>>>> Do you mean ClamAV did not detect that file (containing deceptive link) 
>>>>> as 'Infected' in your scanning?
>>>>> 
>>>>> FYI, I have also tried Google's Safebrowsing API to check such deceptive 
>>>>> links.
>>>>> 
>>>>> It was really strange to know that even Google's Safebrowsing lookup API 
>>>>> did not detect that file as 'Unsafe'. The reason behind it is that the 
>>>>> deceptive link is a phishing link but not malware.
>>>>> 
>>>>> So Google's Safebrowsing lookup API will identify only Malware links as 
>>>>> 'Unsafe' but not all deceptive links. However, when I check the same URL 
>>>>> on "https://transparencyreport.google.com/safe-browsing/search", then it 
>>>>> shows 'site is unsafe', which is what I am actually looking for.
>>>>> 
>>>>> Regards
>>>>> Sunny
>>>>> 
>>>>>> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell <[email protected]> wrote:
>>>>>> Here was the earlier reply to your question
>>>>>> <http://lists.clamav.net/pipermail/clamav-users/2018-December/007245.html>.
>>>>>> 
>>>>>> Sent from my iPad
>>>>>> 
>>>>>> -Al-
>>>>>> 
>>>>>>> On Dec 10, 2018, at 21:46, Sunny Marwah <[email protected]> wrote:
>>>>>>> Same question again: Chrome doesn't open malicious links due to labeling 
>>>>>>> them dangerous as per "Safebrowsing". Then why is ClamAV not able to 
>>>>>>> identify such malicious links when the "Safebrowsing" option is already 
>>>>>>> enabled?
>>>>>>> 
>>>>>>>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
>>>>>>>> <[email protected]> wrote:
>>>>>>>> Our replies may be getting filtered by your email provider because you 
>>>>>>>> included a malicious link in the email chain. :D  I removed the link 
>>>>>>>> from this reply. 
>>>>>>>> 
>>>>>>>>  
>>>>>>>> Micah Snyder
>>>>>>>> ClamAV Development
>>>>>>>> Talos
>>>>>>>> Cisco Systems, Inc.
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah <[email protected]> 
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Still no reply on this matter. 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Regards
>>>>> Sunny
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

