Are you writing your rule to detect the correct file type?

Sent from my iPad

> On Jul 29, 2020, at 06:02, [email protected] wrote:
>
> hi @ all,
>
> I use postfix, amavisd and clamav with the urlhaus ndb (for ClamAV) sig from
> urlhaus.abuse.ch. If I send or receive a mail with a hyperlink - realURL/
> displayURL like:
>
> ...
> ...
> <a href="https:// example-from-urlhaus.[com/link/to/location/">https://
> foo-bar-anything-blubb.[com/happy-malware-fakename</a><o:p></o:p></p>
> ...
> ...
>
> clamav does not recognize this. But if I place the link directly in the mail
> body (HTML format), clamav recognizes this:
>
> clamd[25845]:
> /var/amavis/tmp/amavis-20200729T082557-25999-Hy3LWJ3x/parts/p004:
> URLhaus.421252.UNOFFICIAL FOUND
>
> And when I create a yara rule with the link to urlhaus.abuse.ch, it detects
> the badevil-url link without problems.
> For example:
>
> ...
> LibClamAV debug: FP SIGNATURE:
> cef114bc2adc4caeaf51f716ba3c1611:923:YARA.spam_subject.UNOFFICIAL
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: YARA.spam_subject.UNOFFICIAL found
>
> Can you tell what I'm doing wrong?
>
> BR, Bert
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
