Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Al Varnell
Thanks for the explanation, Alain. Makes a lot of sense to keep those 
signatures dynamically current.

Sent from my iPad

-Al-

On Dec 12, 2018, at 07:17, Alain Zidouemba wrote:
> The Phishtank URLs being dropped from daily.cvd have nothing to do with false 
> positives. We are just rotating in and out the top phishing URLs based on 
> number of DNS lookups per hour.
> 
> - Alain
> 
>> On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler)  wrote:
>> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank 
>> project, so this is about making our different properties work together 
>> through the official signature set in a supported way.  If false positives 
>> are reported on the phishtank sigs through ClamAV.net, they are 
>> automatically routed to my team for resolution in the phishtank feed and in 
>> ClamAV.  
>> 
>> Sent from my  iPhone
>> 
>>> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
>>> 
>>> You mentioned earlier that ClamAV has recently added signatures from 
>>> PhishTank, but I've noticed over the last few days that most, if not all of 
>>> them have been removed. Should I conclude that the PhishTank organization 
>>> signatures are resulting in a high False Positive count? Are they simply 
>>> accepting all the submissions they get as valid phishing attempts and not 
>>> QAing them before release?
>>> 
>>> Part of my interest is that I've been providing input to them for years 
>>> after first establishing that the spam e-mail I received is from an address 
>>> that doesn't match the purported notice of impending doom and offer to fix 
>>> by clicking a link which does not match the announced domain. I'm not sure 
>>> all users would go to such lengths and might be forwarding all their spam 
>>> to these folks. Or perhaps some are flooding the site with valid URLs in 
>>> an attempt to defeat their purpose.
>>> 
>>> -Al-
>>> 
 On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
 Hi Sunny,
 
 I meant to say that if I scanned a saved email file containing the 
 malicious URL in an HTML link (i.e. <a href=link>), then it will detect 
 the link with the safebrowsing signature.  However, if the malicious URL 
 is not an HTML link, for example if the email content is plain text, then 
 the safebrowsing signature does not appear to alert. 
 
 Regards,
 Micah
  
 Micah Snyder
 ClamAV Development
 Talos
 Cisco Systems, Inc.
 
 
> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
> 
> Hi Al,
> 
> Thanks for sharing that reply.
> 
> Do you mean ClamAV did not detect that file (containing deceptive link) 
> as 'Infected" in your scanning ?
> 
> FYI, i have also tried Google's Safebrowsing API to check such deceptive 
> links.
> 
> It was really strange to know that even Google's Safebrowsing lookup API 
> did not detect that file as 'Unsafe'. The reason behind is the deceptive 
> link is phishing link but not malware.
> 
> So Google's Safebrowsing lookup API will identify only Malware links as 
> 'Unsafe' but not all deceptive links. However, when i check the same URL 
> on "https://transparencyreport.google.com/safe-browsing/search", then it 
> shows 'site is unsafe' what i am actually looking for.
> 
> Regards
> Sunny
> 
>> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
>> Here was the earlier reply to your question
>> .
>> 
>> Sent from my iPad
>> 
>> -Al-
>> 
>>> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
>>> Same question again : Chrome don't open malicious links due to labeling 
>>> them dangerous as per "Safebrowsing". Then why ClamAV is not able to 
>>> identify such malicious links when "Safebrowsing" option is already 
>>> enabled ??  
>>> 
 On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
  wrote:
 Our replies may be getting filtered by your email provider because you 
 included a malicious link in the email chain. :D  I removed the link 
 from this reply. 
 
  
 Micah Snyder
 ClamAV Development
 Talos
 Cisco Systems, Inc.
 
 
> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  
> wrote:
> 
> 
> Still no reply on this matter. 
> 
> 
> -- 
> Regards
> Sunny
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Joel Esler (jesler)
Thanks Alain.

> On Dec 12, 2018, at 10:17 AM, Alain Zidouemba  
> wrote:
> 
> The Phishtank URLs being dropped from daily.cvd have nothing to do with false 
> positives. We are just rotating in and out the top phishing URLs based on 
> number of DNS lookups per hour.
> 
> - Alain
> 
> On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler) wrote:
> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank 
> project, so this is about making our different properties work together 
> through the official signature set in a supported way.  If false positives 
> are reported on the phishtank sigs through ClamAV.net, 
> they are automatically routed to my team for resolution in the phishtank feed 
> and in ClamAV.  
> 
> Sent from my  iPhone
> 
> On Dec 12, 2018, at 03:59, Al Varnell wrote:
> 
>> You mentioned earlier that ClamAV has recently added signatures from 
>> PhishTank, but I've noticed over the last few days that most, if not all of 
>> them have been removed. Should I conclude that the PhishTank organization 
>> signatures are resulting in a high False Positive count? Are they simply 
>> accepting all the submissions they get as valid phishing attempts and not 
>> QAing them before release?
>> 
>> Part of my interest is that I've been providing input to them for years 
>> after first establishing that the spam e-mail I received is from an address 
>> that doesn't match the purported notice of impending doom and offer to fix by 
>> clicking a link which does not match the announced domain. I'm not sure all 
>> users would go to such lengths and might be forwarding all their spam to 
>> these folks. Or perhaps some are flooding the site with valid URLs in an 
>> attempt to defeat their purpose.
>> 
>> -Al-
>> 
>> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>>> Hi Sunny,
>>> 
>>> I meant to say that if I scanned a saved email file containing the 
>>> malicious URL in an HTML link (i.e. <a href=link>), then it will detect 
>>> the link with the safebrowsing signature.  However, if the malicious URL is 
>>> not an HTML link, for example if the email content is plain text, then the 
>>> safebrowsing signature does not appear to alert. 
>>> 
>>> Regards,
>>> Micah
>>>  
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>> 
>>> 
 On Dec 11, 2018, at 8:58 AM, Sunny Marwah wrote:
 
 Hi Al,
 
 Thanks for sharing that reply.
 
 Do you mean ClamAV did not detect that file (containing deceptive link) as 
 'Infected" in your scanning ?
 
 FYI, i have also tried Google's Safebrowsing API to check such deceptive 
 links.
 
 It was really strange to know that even Google's Safebrowsing lookup API 
 did not detect that file as 'Unsafe'. The reason behind is the deceptive 
 link is phishing link but not malware.
 
 So Google's Safebrowsing lookup API will identify only Malware links as 
 'Unsafe' but not all deceptive links. However, when i check the same URL 
 on "https://transparencyreport.google.com/safe-browsing/search", then it 
 shows 'site is unsafe' what i am actually looking for.
 
 Regards
 Sunny
 
 On Tue, Dec 11, 2018 at 5:28 PM Al Varnell wrote:
 Here was the earlier reply to your question
 >.
 
 Sent from my iPad
 
 -Al-
 
 On Dec 10, 2018, at 21:46, Sunny Marwah wrote:
> Same question again : Chrome don't open malicious links due to labeling 
> them dangerous as per "Safebrowsing". Then why ClamAV is not able to 
> identify such malicious links when "Safebrowsing" option is already 
> enabled ??  
> 
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
>> <micas...@cisco.com> wrote:
> Our replies may be getting filtered by your email provider because you 
> included a malicious link in the email chain. :D  I removed the link from 
> this reply. 
> 
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah wrote:
>> 
>> 
>> Still no reply on this matter. 
 
 
 -- 
 Regards
 Sunny
 System Engineer
 Mob : +91 9711155549 
 
 

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Alain Zidouemba
The Phishtank URLs being dropped from daily.cvd have nothing to do with
false positives. We are just rotating in and out the top phishing URLs
based on number of DNS lookups per hour.

- Alain

On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler) 
wrote:

> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank
> project, so this is about making our different properties work together
> through the official signature set in a supported way.  If false positives
> are reported on the phishtank sigs through ClamAV.net, they are
> automatically routed to my team for resolution in the phishtank feed and in
> ClamAV.
>
> Sent from my  iPhone
>
> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
>
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all of
> them have been removed. Should I conclude that the PhishTank organization
> signatures are resulting in a high False Positive count? Are they simply
> accepting all the submissions they get as valid phishing attempts and not
> QAing them before release?
>
> Part of my interest is that I've been providing input to them for years
> after first establishing that the spam e-mail I received is from an address
> that doesn't match the purported notice of impending doom and offer to fix
> by clicking a link which does not match the announced domain. I'm not sure
> all users would go to such lengths and might be forwarding all their spam
> to these folks. Or perhaps some are flooding the site with valid URLs in
> an attempt to defeat their purpose.
>
> -Al-
>
> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>
> Hi Sunny,
>
> I meant to say that if I scanned a saved email file containing the
> malicious URL in an HTML link (i.e. <a href=link>), then it will detect
> the link with the safebrowsing signature.  However, if the malicious URL is
> not an HTML link, for example if the email content is plain text, then the
> safebrowsing signature does not appear to alert.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
>
> Hi Al,
>
> Thanks for sharing that reply.
>
> Do you mean ClamAV did not detect that file (containing deceptive link) as
> 'Infected" in your scanning ?
>
> FYI, i have also tried Google's Safebrowsing API to check such deceptive
> links.
>
> It was really strange to know that even Google's Safebrowsing lookup API
> did not detect that file as 'Unsafe'. The reason behind is the deceptive
> link is phishing link but not malware.
>
> So Google's Safebrowsing lookup API will identify only Malware links as
> 'Unsafe' but not all deceptive links. However, when i check the same URL on
> "https://transparencyreport.google.com/safe-browsing/search", then it
> shows 'site is unsafe' what i am actually looking for.
>
> Regards
> Sunny
>
> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
>
>> Here was the earlier reply to your question
>> > >.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
>>
>> Same question again : Chrome don't open malicious links due to labeling
>> them dangerous as per "Safebrowsing". Then why ClamAV is not able to
>> identify such malicious links when "Safebrowsing" option is already enabled
>> ??
>>
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) <
>> micas...@cisco.com> wrote:
>>
>> Our replies may be getting filtered by your email provider because you
>>> included a malicious link in the email chain. :D  I removed the link from
>>> this reply.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>>
>>>
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>>
>>>
>>> Still no reply on this matter.
>>>
>>>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549 <+91%209711155549>
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Sunny Marwah
Hi Micah,

I checked what you suggested.

I put that deceptive link as a hyperlink like href=link in an html file and
scanned the file.

Still, ClamAV did not detect that file as 'Infected'. It gave OK to that
file.

Regards
Sunny

On Wed, Dec 12, 2018 at 5:53 PM Joel Esler (jesler) 
wrote:

> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank
> project, so this is about making our different properties work together
> through the official signature set in a supported way.  If false positives
> are reported on the phishtank sigs through ClamAV.net, they are
> automatically routed to my team for resolution in the phishtank feed and in
> ClamAV.
>
> Sent from my  iPhone
>
> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
>
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all of
> them have been removed. Should I conclude that the PhishTank organization
> signatures are resulting in a high False Positive count? Are they simply
> accepting all the submissions they get as valid phishing attempts and not
> QAing them before release?
>
> Part of my interest is that I've been providing input to them for years
> after first establishing that the spam e-mail I received is from an address
> that doesn't match the purported notice of impending doom and offer to fix
> by clicking a link which does not match the announced domain. I'm not sure
> all users would go to such lengths and might be forwarding all their spam
> to these folks. Or perhaps some are flooding the site with valid URLs in
> an attempt to defeat their purpose.
>
> -Al-
>
> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>
> Hi Sunny,
>
> I meant to say that if I scanned a saved email file containing the
> malicious URL in an HTML link (i.e. <a href=link>), then it will detect
> the link with the safebrowsing signature.  However, if the malicious URL is
> not an HTML link, for example if the email content is plain text, then the
> safebrowsing signature does not appear to alert.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
>
> Hi Al,
>
> Thanks for sharing that reply.
>
> Do you mean ClamAV did not detect that file (containing deceptive link) as
> 'Infected" in your scanning ?
>
> FYI, i have also tried Google's Safebrowsing API to check such deceptive
> links.
>
> It was really strange to know that even Google's Safebrowsing lookup API
> did not detect that file as 'Unsafe'. The reason behind is the deceptive
> link is phishing link but not malware.
>
> So Google's Safebrowsing lookup API will identify only Malware links as
> 'Unsafe' but not all deceptive links. However, when i check the same URL on
> "https://transparencyreport.google.com/safe-browsing/search", then it
> shows 'site is unsafe' what i am actually looking for.
>
> Regards
> Sunny
>
> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
>
>> Here was the earlier reply to your question
>> > >.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
>>
>> Same question again : Chrome don't open malicious links due to labeling
>> them dangerous as per "Safebrowsing". Then why ClamAV is not able to
>> identify such malicious links when "Safebrowsing" option is already enabled
>> ??
>>
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) <
>> micas...@cisco.com> wrote:
>>
>> Our replies may be getting filtered by your email provider because you
>>> included a malicious link in the email chain. :D  I removed the link from
>>> this reply.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>>
>>>
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>>
>>>
>>> Still no reply on this matter.
>>>
>>>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Joel Esler (jesler)
Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank 
project, so this is about making our different properties work together through 
the official signature set in a supported way.  If false positives are reported 
on the phishtank sigs through ClamAV.net, they are automatically routed to my 
team for resolution in the phishtank feed and in ClamAV.  

Sent from my  iPhone

> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
> 
> You mentioned earlier that ClamAV has recently added signatures from 
> PhishTank, but I've noticed over the last few days that most, if not all of 
> them have been removed. Should I conclude that the PhishTank organization 
> signatures are resulting in a high False Positive count? Are they simply 
> accepting all the submissions they get as valid phishing attempts and not 
> QAing them before release?
> 
> Part of my interest is that I've been providing input to them for years after 
> first establishing that the spam e-mail I received is from an address that 
> doesn't match the purported notice of impending doom and offer to fix by 
> clicking a link which does not match the announced domain. I'm not sure all 
> users would go to such lengths and might be forwarding all their spam to 
> these folks. Or perhaps some are flooding the site with valid URLs in an 
> attempt to defeat their purpose.
> 
> -Al-
> 
>> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>> Hi Sunny,
>> 
>> I meant to say that if I scanned a saved email file containing the malicious 
>> URL in an HTML link (i.e. <a href=link>), then it will detect the link 
>> with the safebrowsing signature.  However, if the malicious URL is not an 
>> HTML link, for example if the email content is plain text, then the 
>> safebrowsing signature does not appear to alert. 
>> 
>> Regards,
>> Micah
>>  
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 
>> 
>>> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
>>> 
>>> Hi Al,
>>> 
>>> Thanks for sharing that reply.
>>> 
>>> Do you mean ClamAV did not detect that file (containing deceptive link) as 
>>> 'Infected" in your scanning ?
>>> 
>>> FYI, i have also tried Google's Safebrowsing API to check such deceptive 
>>> links.
>>> 
>>> It was really strange to know that even Google's Safebrowsing lookup API 
>>> did not detect that file as 'Unsafe'. The reason behind is the deceptive 
>>> link is phishing link but not malware.
>>> 
>>> So Google's Safebrowsing lookup API will identify only Malware links as 
>>> 'Unsafe' but not all deceptive links. However, when i check the same URL on 
>>> "https://transparencyreport.google.com/safe-browsing/search", then it shows 
>>> 'site is unsafe' what i am actually looking for.
>>> 
>>> Regards
>>> Sunny
>>> 
 On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
 Here was the earlier reply to your question
 .
 
 Sent from my iPad
 
 -Al-
 
> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
> Same question again : Chrome don't open malicious links due to labeling 
> them dangerous as per "Safebrowsing". Then why ClamAV is not able to 
> identify such malicious links when "Safebrowsing" option is already 
> enabled ??  
> 
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
>>  wrote:
>> Our replies may be getting filtered by your email provider because you 
>> included a malicious link in the email chain. :D  I removed the link 
>> from this reply. 
>> 
>>  
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 
>> 
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>> 
>>> 
>>> Still no reply on this matter. 
>>> 
>>> 
>>> -- 
>>> Regards
>>> Sunny
>>> System Engineer
>>> Mob : +91 9711155549
>>> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Steve Basford


On Wed, December 12, 2018 8:59 am, Al Varnell wrote:
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all
> of them have been removed. Should I conclude that the PhishTank
> organization signatures are resulting in a high False Positive count? Are
> they simply accepting all the submissions they get as valid phishing
> attempts and not QAing them before release?

Not sure but just to add that phishtank.ndb is still up and running and
has been for quite some time...  so might end up with some duplicates for
those already using phishtank.ndb:

eg

phishtank.ndb:

VIRUS NAME: PhishTank.Phishing.5433945
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
{STRING_ALTERNATIVE:.|/}trck DOT me/459690/

vs

daily.ndb:

VIRUS NAME: Phishtank.Phishing.PHISH_ID_5433945-6762532-0
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
http://trck DOT me/459690/

-- 
Cheers,

Steve
Twitter: @sanesecurity
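
The difference between the two decoded signatures above (TARGET TYPE ANY FILE versus HTML), as an added example that is not part of the original post and not ClamAV's code: a simplified Python model of the extended `.ndb` line format `Name:TargetType:Offset:HexSignature` that handles only hex bytes and `(aa|bb)` alternatives. The signature names, the `phish.example` URL and the two sample bodies are constructed, and the caller supplies the file type that the real engine would detect itself.

```python
import re
from dataclasses import dataclass

# Target type numbers used in field 2 of an .ndb line (ClamAV signature docs).
# The labels for entries other than 0 and 3 are this example's own wording.
TARGET_TYPES = {
    0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL", 5: "GRAPHICS",
    6: "ELF", 7: "ASCII TEXT", 9: "MACH-O", 10: "PDF", 11: "FLASH", 12: "JAVA",
}

@dataclass
class NdbSignature:
    name: str
    target: int
    offset: str   # parsed but not evaluated here; both samples use "*"
    hexsig: str

def parse_ndb_line(line):
    """Split Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not an extended (.ndb) signature: %r" % line)
    return NdbSignature(parts[0], int(parts[1]), parts[2], parts[3])

# Only the two constructs seen in the decoded output above are supported.
_TOKEN = re.compile(r"\((?P<alt>[0-9a-fA-F|]+)\)|(?P<hex>[0-9a-fA-F]{2})")

def _tokens(hexsig):
    pos = 0
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError("unsupported signature syntax at offset %d" % pos)
        yield m
        pos = m.end()

def decode(hexsig):
    """Render a hex signature in the readable form shown in the thread."""
    out = []
    for m in _tokens(hexsig):
        if m.group("alt"):
            alts = [bytes.fromhex(a).decode("latin-1")
                    for a in m.group("alt").split("|")]
            out.append("{STRING_ALTERNATIVE:" + "|".join(alts) + "}")
        else:
            out.append(bytes.fromhex(m.group("hex")).decode("latin-1"))
    return "".join(out)

def to_regex(hexsig):
    """Compile the same signature into a bytes regex for matching."""
    parts = []
    for m in _tokens(hexsig):
        if m.group("alt"):
            alts = [re.escape(bytes.fromhex(a)) for a in m.group("alt").split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(m.group("hex"))))
    return re.compile(b"".join(parts))

def scan(sigs, data, file_type):
    """Names of signatures that hit. A signature is tried only when its target
    is 0 (any file) or equals the type assigned to the data being scanned."""
    hits = []
    for sig in sigs:
        if sig.target not in (0, file_type):
            continue  # type-restricted signature never sees this data
        if to_regex(sig.hexsig).search(data):
            hits.append(sig.name)
    return hits

def hexify(text):
    return text.encode("ascii").hex()

# Constructed database lines mirroring the two styles compared above.
SAMPLE_DB = [
    "Example.Phishing.1:0:*:(2e|2f)" + hexify("phish.example/login/"),
    "Example.Phishing.PHISH_ID_1-0-0:3:*:" + hexify("http://phish.example/login/"),
]
# Constructed message bodies: the same URL as an HTML link and as plain text.
HTML_BODY = b'<html><body><a href="http://phish.example/login/">Verify</a></body></html>'
TEXT_BODY = b"Your account is locked. Visit http://phish.example/login/ to verify."

if __name__ == "__main__":
    sigs = [parse_ndb_line(line) for line in SAMPLE_DB]
    for sig in sigs:
        print(sig.name, "|", TARGET_TYPES[sig.target], "|", decode(sig.hexsig))
    print("HTML body:", scan(sigs, HTML_BODY, 3))   # both databases alert
    print("text body:", scan(sigs, TEXT_BODY, 7))   # only the ANY FILE signature
```

Running both signature sets over the HTML body yields two hits for one URL, which is the duplicate case mentioned above; over the plain-text body only the ANY FILE signature is ever tried.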



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Al Varnell
You mentioned earlier that ClamAV has recently added signatures from PhishTank, 
but I've noticed over the last few days that most, if not all of them have been 
removed. Should I conclude that the PhishTank organization signatures are 
resulting in a high False Positive count? Are they simply accepting all the 
submissions they get as valid phishing attempts and not QAing them before 
release?

Part of my interest is that I've been providing input to them for years after 
first establishing that the spam e-mail I received is from an address that 
doesn't match the purported notice of impending doom and offer to fix by 
clicking a link which does not match the announced domain. I'm not sure all 
users would go to such lengths and might be forwarding all their spam to these 
folks. Or perhaps some are flooding the site with valid URLs in an attempt 
to defeat their purpose.

-Al-

On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
> Hi Sunny,
> 
> I meant to say that if I scanned a saved email file containing the malicious 
> URL in an HTML link (i.e. <a href=link>), then it will detect the link with 
> the safebrowsing signature.  However, if the malicious URL is not an HTML 
> link, for example if the email content is plain text, then the safebrowsing 
> signature does not appear to alert. 
> 
> Regards,
> Micah
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
>> On Dec 11, 2018, at 8:58 AM, Sunny Marwah wrote:
>> 
>> Hi Al,
>> 
>> Thanks for sharing that reply.
>> 
>> Do you mean ClamAV did not detect that file (containing deceptive link) as 
>> 'Infected" in your scanning ?
>> 
>> FYI, i have also tried Google's Safebrowsing API to check such deceptive 
>> links.
>> 
>> It was really strange to know that even Google's Safebrowsing lookup API did 
>> not detect that file as 'Unsafe'. The reason behind is the deceptive link is 
>> phishing link but not malware.
>> 
>> So Google's Safebrowsing lookup API will identify only Malware links as 
>> 'Unsafe' but not all deceptive links. However, when i check the same URL on 
>> "https://transparencyreport.google.com/safe-browsing/search", then it shows 
>> 'site is unsafe' what i am actually looking for.
>> 
>> Regards
>> Sunny
>> 
>> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell wrote:
>> Here was the earlier reply to your question
>> > >.
>> 
>> Sent from my iPad
>> 
>> -Al-
>> 
>> On Dec 10, 2018, at 21:46, Sunny Marwah wrote:
>>> Same question again : Chrome don't open malicious links due to labeling 
>>> them dangerous as per "Safebrowsing". Then why ClamAV is not able to 
>>> identify such malicious links when "Safebrowsing" option is already enabled 
>>> ??  
>>> 
 On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:
>>> Our replies may be getting filtered by your email provider because you 
>>> included a malicious link in the email chain. :D  I removed the link from 
>>> this reply. 
>>> 
>>>  
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>> 
>>> 
 On Dec 8, 2018, at 9:17 AM, Sunny Marwah wrote:
 
 
 Still no reply on this matter. 
>> 
>> 
>> -- 
>> Regards
>> Sunny
>> System Engineer
>> Mob : +91 9711155549 
>> 
> 

-Al-
-- 
Al Varnell
Mountain View, CA






Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Micah Snyder (micasnyd)
Hi Sunny,

I meant to say that if I scanned a saved email file containing the malicious 
URL in an HTML link (i.e. <a href=link>), then it will detect the link with 
the safebrowsing signature.  However, if the malicious URL is not an HTML link, 
for example if the email content is plain text, then the safebrowsing signature 
does not appear to alert.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 11, 2018, at 8:58 AM, Sunny Marwah 
<sunnymar...@trepup.com> wrote:

Hi Al,

Thanks for sharing that reply.

Do you mean ClamAV did not detect that file (containing deceptive link) as 
'Infected" in your scanning ?

FYI, i have also tried Google's Safebrowsing API to check such deceptive links.

It was really strange to know that even Google's Safebrowsing lookup API did 
not detect that file as 'Unsafe'. The reason behind is the deceptive link is 
phishing link but not malware.

So Google's Safebrowsing lookup API will identify only Malware links as 
'Unsafe' but not all deceptive links. However, when i check the same URL on 
"https://transparencyreport.google.com/safe-browsing/search", then it shows 
'site is unsafe' what i am actually looking for.

Regards
Sunny

On Tue, Dec 11, 2018 at 5:28 PM Al Varnell 
<alvarn...@mac.com> wrote:
Here was the earlier reply to your question
.

Sent from my iPad

-Al-

On Dec 10, 2018, at 21:46, Sunny Marwah 
<sunnymar...@trepup.com> wrote:
Same question again : Chrome don't open malicious links due to labeling them 
dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such 
malicious links when "Safebrowsing" option is already enabled ??

On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
<micas...@cisco.com> wrote:
Our replies may be getting filtered by your email provider because you included 
a malicious link in the email chain. :D  I removed the link from this reply.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 8, 2018, at 9:17 AM, Sunny Marwah 
<sunnymar...@trepup.com> wrote:


Still no reply on this matter.


--
Regards
Sunny
System Engineer
Mob : +91 9711155549



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Al Varnell
Sunny,

Please note that the reply was not from me, rather it was from "Micah Snyder 
(micasnyd)", ClamAV Engineer. You need to ask him for any 
additional details.

Also, you are correct that safebrowsing.cld is just an updated, decompressed 
version of safebrowsing.cvd.

-Al-

On Tue, Dec 11, 2018 at 05:58 AM, Sunny Marwah wrote:
> Hi Al,
> 
> Thanks for sharing that reply.
> 
> Do you mean ClamAV did not detect that file (containing deceptive link) as 
> 'Infected" in your scanning ?
> 
> FYI, i have also tried Google's Safebrowsing API to check such deceptive 
> links.
> 
> It was really strange to know that even Google's Safebrowsing lookup API did 
> not detect that file as 'Unsafe'. The reason behind is the deceptive link is 
> phishing link but not malware.
> 
> So Google's Safebrowsing lookup API will identify only Malware links as 
> 'Unsafe' but not all deceptive links. However, when i check the same URL on 
> "https://transparencyreport.google.com/safe-browsing/search", then it shows 
> 'site is unsafe' what i am actually looking for.
> 
> Regards
> Sunny
> 
> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell wrote:
> Here was the earlier reply to your question.
> 
> Sent from my iPad
> 
> -Al-
> 
> On Dec 10, 2018, at 21:46, Sunny Marwah wrote:
>> Same question again : Chrome don't open malicious links due to labeling them 
>> dangerous as per "Safebrowsing". Then why ClamAV is not able to identify 
>> such malicious links when "Safebrowsing" option is already enabled ??  
>> 
>>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:
>> Our replies may be getting filtered by your email provider because you 
>> included a malicious link in the email chain. :D  I removed the link from 
>> this reply. 
>> 
>>  
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 
>> 
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah wrote:
>>> 
>>> 
>>> Still no reply on this matter. 
> 
> 
> Regards
> Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Dennis Peterson
Yes - the extension can be one or the other. The other thing to check is the 
file ownership and permissions, and finally to search your clamd.log file (or 
whatever it is called on your system) for "FOUND". If it is a useful signature 
source your logs should indicate clamd is finding targets from the safebrowsing 
signature file. In your freshclam log you should see the safebrowsing file is 
being updated from time to time. My own system, with rare exception, only ever 
finds Sane Security signatures, and most http links are caught by my milter via 
dns-based URLBL blacklists before it sends the messages to Clamd.


dp

On 12/11/18 3:54 AM, Sunny Marwah wrote:

I can see below files in /var/lib/clamav/ directory :

main.cvd
bytecode.cvd
safebrowsing.cld
daily.cld
mirrors.dat

But it is 'safebrowsing.cld', not 'safebrowsing.cvd'.

Is it Ok ??



On Tue, Dec 11, 2018 at 1:47 PM Dennis Peterson wrote:


In your ClamAV signature folder does there exist a safebrowsing.cvd file?

dp

On 12/10/18 9:46 PM, Sunny Marwah wrote:
>
> Same question again : Chrome don't open malicious links due to labeling them
> dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such
> malicious links when "Safebrowsing" option is already enabled ??



--
Regards
Sunny
System Engineer
Mob : +91 9711155549




___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
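
Dennis Peterson's two log checks from the message above (search the clamd log for "FOUND", and confirm in the freshclam log that the safebrowsing database is being updated), written out as an added example; it is not code from any poster or from the ClamAV project. The log lines are constructed in the usual clamd/freshclam layout, and the signature-name markers other than the thread's "Phishtank.Phishing" prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the common clamd log layout
# ("<time> -> <path>: <signature> FOUND"). Paths and signature names are made up.
CLAMD_LOG = """\
Tue Dec 11 09:02:11 2018 -> /srv/templates/a.html: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net FOUND
Tue Dec 11 09:02:12 2018 -> /srv/templates/b.html: OK
Tue Dec 11 09:05:40 2018 -> /srv/templates/c.html: Sanesecurity.Phishing.Constructed.1.UNOFFICIAL FOUND
Tue Dec 11 09:07:03 2018 -> /srv/templates/d.html: Phishtank.Phishing.CONSTRUCTED-1 FOUND
Tue Dec 11 09:09:55 2018 -> SelfCheck: Database status OK.
"""

# Constructed freshclam log lines (assumed layout; version numbers are invented).
FRESHCLAM_LOG = """\
Tue Dec 11 08:00:03 2018 -> daily.cld updated (version: 25196, sigs: 2177000, f-level: 63, builder: neo)
Tue Dec 11 08:00:09 2018 -> safebrowsing.cld updated (version: 48226, sigs: 2213119, f-level: 63, builder: google)
Tue Dec 11 10:00:04 2018 -> safebrowsing.cld is up to date (version: 48226, sigs: 2213119, f-level: 63, builder: google)
Tue Dec 11 12:00:07 2018 -> safebrowsing.cvd updated (version: 48230, sigs: 2213500, f-level: 63, builder: google)
"""

FOUND_RE = re.compile(r"^(?:(?P<time>.+?) -> )?(?P<path>.+): (?P<sig>\S+) FOUND$")
# The database may appear as .cvd or .cld, as noted in the thread.
UPDATED_RE = re.compile(r"(?P<db>[\w-]+)\.(?:cvd|cld) updated \(version: (?P<version>\d+)")

# Markers used to attribute a signature name to its source. "Phishtank.Phishing"
# is the prefix given in the thread; the other two are assumptions.
SOURCES = (
    ("safebrowsing", "Safebrowsing."),
    ("phishtank", "Phishtank.Phishing"),
    ("sanesecurity", "Sanesecurity."),
)


def source_of(signature):
    for source, marker in SOURCES:
        if marker in signature:
            return source
    return "other"


def detections(clamd_log):
    """Yield (path, signature, source) for every FOUND line."""
    for line in clamd_log.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            yield m["path"], m["sig"], source_of(m["sig"])


def hits_by_source(clamd_log):
    return Counter(source for _, _, source in detections(clamd_log))


def update_versions(freshclam_log, db="safebrowsing"):
    """Versions freshclam reports installing for `db`, in log order."""
    return [int(m["version"]) for m in UPDATED_RE.finditer(freshclam_log)
            if m["db"] == db]


def assess(clamd_log, freshclam_log, source="safebrowsing"):
    """Summarise whether `source` is being refreshed and whether it ever fires."""
    versions = update_versions(freshclam_log, source)
    hits = hits_by_source(clamd_log)[source]
    if not versions:
        status = "never updated in this log window"
    elif hits == 0:
        status = "updating but producing no detections"
    else:
        status = "updating and producing detections"
    return {"source": source, "updates": len(versions),
            "latest": versions[-1] if versions else None,
            "hits": hits, "status": status}


if __name__ == "__main__":
    print(dict(hits_by_source(CLAMD_LOG)))
    print(assess(CLAMD_LOG, FRESHCLAM_LOG))
```

A database that keeps updating but never appears in a FOUND line is loaded and current, yet is not the source catching anything on that system.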


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Steve Basford


On Tue, December 11, 2018 1:58 pm, Sunny Marwah wrote:

Hi Sunny/All,

Here's the summary

The phishing attempt looks like this html code:

h-t-t-p-s:/-/-pastebin DOT com/TL5WUJZh

This first link is just a hijacked graphic and won't be in safebrowsing...

h-t-t-p-s:-/-/gokdenizhealthtourism DOT com/js/logo.gif

This next link is the "bad" phishing link:

h-t-t-p-s:/-/-nompao DOT com/boa.php

The above link is currently blank and isn't currently in safebrowsing,
however, you can report it here:

https://safebrowsing.google.com/safebrowsing/report_badware/

VirusTotal is showing a clean link too on the phishing link:

https://www.virustotal.com/#/url/27abfb7ec2849ebadf75dcf899bc0f2aa3a491897bcef3ad2179ed30bb2eb258/detection


You can submit the sample to ClamAV to add detection of the phish contents
here (regardless of the url's that are being used)

https://www.clamav.net/reports/malware

-- 
Cheers,

Steve
Twitter: @sanesecurity
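
The step this summary performs by hand, listing every URL in an HTML template and writing each one in obfuscated form so it can be posted or reported, shown as an added example; it is not code from any poster or from ClamAV. The `hxxp`/`[.]` style is one common convention chosen here, and the template and its `example.test` hosts are constructed placeholders, not the URLs from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed template: an image, a link, a form target, and two non-web references.
TEMPLATE = """<html><body>
<img src="https://cdn.example.test/js/logo.gif">
<p>Your account is locked.
<a href="https://login.example.test/verify.php?id=1">Sign in</a>
<a href="mailto:help@example.test">Contact</a> <a href="#top">Top</a></p>
<form action="http://collect.example.test/post"></form>
</body></html>"""

# Attributes that can carry a URL the recipient's client will fetch or submit to.
URL_ATTRS = {"href", "src", "action"}


class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every http(s) URL, in document order."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and \
                    urlsplit(value).scheme in ("http", "https"):
                self.found.append((tag, name, value))


def defang(url):
    """Rewrite a URL so mail filters and clients no longer treat it as a live link."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp", 1)   # https -> hxxps
    host = parts.netloc.replace(".", "[.]")
    rest = url[len(parts.scheme) + 3 + len(parts.netloc):]  # path, query, fragment
    return f"{scheme}://{host}{rest}"


def template_urls(html):
    """Return (tag, attribute, defanged_url) for each web URL in the template."""
    collector = LinkCollector()
    collector.feed(html)
    return [(tag, attr, defang(url)) for tag, attr, url in collector.found]


if __name__ == "__main__":
    for tag, attr, url in template_urls(TEMPLATE):
        print(f"<{tag} {attr}>  {url}")
```

Keeping the tag and attribute next to each URL separates embedded graphics from the link a recipient would actually click, which is the distinction the summary draws.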



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Sunny Marwah
Hi Al,

Thanks for sharing that reply.

Do you mean ClamAV did not detect that file (containing deceptive link) as
'Infected' in your scanning ?

FYI, i have also tried Google's Safebrowsing API to check such deceptive
links.

It was really strange to know that even Google's Safebrowsing lookup API
did not detect that file as 'Unsafe'. The reason behind is the deceptive
link is phishing link but not malware.

So Google's Safebrowsing lookup API will identify only Malware links as
'Unsafe' but not all deceptive links. However, when i check the same URL on
"https://transparencyreport.google.com/safe-browsing/search", then it shows
'site is unsafe' what i am actually looking for.

Regards
Sunny

On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:

> Here was the earlier reply to your question.
>
> Sent from my iPad
>
> -Al-
>
> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
>
> Same question again : Chrome don't open malicious links due to labeling
> them dangerous as per "Safebrowsing". Then why ClamAV is not able to
> identify such malicious links when "Safebrowsing" option is already enabled
> ??
>
> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:
>
>> Our replies may be getting filtered by your email provider because you
>> included a malicious link in the email chain. :D  I removed the link from
>> this reply.
>>
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>
>>
>> Still no reply on this matter.
>>
>>

-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Sunny Marwah
I can see below files in /var/lib/clamav/ directory :

main.cvd
bytecode.cvd
safebrowsing.cld
daily.cld
mirrors.dat

But it is 'safebrowsing.cld', not 'safebrowsing.cvd'.

Is it Ok ??



On Tue, Dec 11, 2018 at 1:47 PM Dennis Peterson  wrote:

> In your ClamAV signature folder does there exist a safebrowsing.cvd file?
>
> dp
>
> On 12/10/18 9:46 PM, Sunny Marwah wrote:
> >
> > Same question again : Chrome don't open malicious links due to labeling them
> > dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such
> > malicious links when "Safebrowsing" option is already enabled ??
>
>


-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Al Varnell
Here was the earlier reply to your question.

Sent from my iPad

-Al-

On Dec 10, 2018, at 21:46, Sunny Marwah <sunnymar...@trepup.com> wrote:
> Same question again : Chrome don't open malicious links due to labeling them 
> dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such 
> malicious links when "Safebrowsing" option is already enabled ??  
> 
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:
> Our replies may be getting filtered by your email provider because you 
> included a malicious link in the email chain. :D  I removed the link from 
> this reply. 
> 
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah wrote:
>> 
>> 
>> Still no reply on this matter. 


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Dennis Peterson

In your ClamAV signature folder does there exist a safebrowsing.cvd file?

dp

On 12/10/18 9:46 PM, Sunny Marwah wrote:


Same question again : Chrome don't open malicious links due to labeling them 
dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such 
malicious links when "Safebrowsing" option is already enabled ??




Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-10 Thread Sunny Marwah
Same question again : Chrome don't open malicious links due to labeling
them dangerous as per "Safebrowsing". Then why ClamAV is not able to
identify such malicious links when "Safebrowsing" option is already enabled
??

On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:

> Our replies may be getting filtered by your email provider because you
> included a malicious link in the email chain. :D  I removed the link from
> this reply.
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>
>
> Still no reply on this matter.
>
> On Fri, Dec 7, 2018 at 6:17 PM Sunny Marwah wrote:
>
>> Hi Al Varnell,
>>
>> Below is the URL which was mentioned in HTML template :
>>
>>
>> Chrome don't open it due to labeling it dangerous in as per
>> "Safebrowsing". Then why ClamAV is not able to identify when "Safebrowsing"
>> option is already enabled ??
>>
>> Looking to hear from you on this.
>>
>> Regards
>> Sunny
>>
>> On Fri, Dec 7, 2018 at 5:50 PM Al Varnell  wrote:
>>
>>> If you won't provide the URL to the rest of us users, then we can't help
>>> you. You'll have to wait to see if the development team gets back to you.
>>>
>>> -Al-
>>>
>>> On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
>>>
>>> Hi Al Varnell,
>>>
>>> I have already gone through
>>> https://www.clamav.net/documents/safebrowsing.
>>>
>>> That URL i have already shared with one of ClamAV development team
>>> members
>>>
>>> I did not understand your point what you said --- "You will probably
>>> need to obfuscate it in order to get it through the mail system, something
>>> like httx://".
>>>
>>> My purpose behind using ClamAV is to scan Linux server and plus HTML
>>> templates which we regularly receive on server.
>>>
>>> And the reason behind using "Safebrowing" option is to detect deceptive,
>>> Phishing URL's in HTML templates in the same way as Chrome warns us before
>>> opening such URL's. I want ClamAV to detect such files as "Infected" which
>>> contain deceptive, Phishing URL's.
>>>
>>> Waiting for your quick and needful response.
>>>
>>> Regards
>>> Sunny
>>>
>>> On Fri, Dec 7, 2018 at 5:22 PM Al Varnell  wrote:
>>>
>>>> Have you read the explanation at <https://www.clamav.net/documents/safebrowsing>?
>>>>
>>>> Please provide the phishing URL that is failing. You will probably need
>>>> to obfuscate it in order to get it through the mail system, something like
>>>> httx://
>>>>
>>>> -Al-
>>>>
>>>> On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
>>>>
>>>> Hello Micah & Team,
>>>>
>>>> Have not received any response on my last email.
>>>>
>>>> Also, i have enabled Safebrowsing option in freshclam.conf as suggested
>>>> by you.
>>>>
>>>> Still i can see that ClamAV is not working properly. There is one file
>>>> placed on server and there is one phishing URL available in that file. That
>>>> URL is so deceptive that Chrome is not letting us open that URL due to
>>>> labeling it as "Deceptive" URL.
>>>>
>>>> Why ClamAV is still not able to find that file as "Infected" in
>>>> scanning even after enabling "Safebrowsing" option ??
>>>>
>>>> Waiting for your quick and needful response.
>>>>
>>>> Regards
>>>> Sunny
>>>>
>>>> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah wrote:
>>>>
>>>>> Hi Micah,
>>>>>
>>>>> Thanks for letting me know about enabling SafeBrowsing CVD option in
>>>>> ClamAV.
>>>>>
>>>>> Google safe browsing put a website in 3 categories mentioned below :
>>>>> 1 Secure
>>>>> 2 Info or Not secure
>>>>> 3 Not secure or Dangerous
>>>>>
>>>>> Curious to know how ClamAV will categorize the HTML file. Let's say,
>>>>> if any "Not secure or Dangerous" URL is found, will ClamAV show it as
>>>>> infected file in scanning summary ? If this is the case, i guess in case
>>>>> "Secure" URL is found, it will show as OK. And what if URL is found as
>>>>> "Info or Not secure" ?
>>>>>
>>>>> Regards
>>>>> Sunny
>>>>>
>>>>>
>>>>> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>>>
>>>>>> It may be worth mentioning that in addition to the [optional]
>>>>>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>>>>>> including PhishTank signatures late last month.
>>>>>>
>>>>>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>>>>>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>>>>>
>>>>>>
>>>>>> Micah Snyder
>>>>>> ClamAV Development
>>>>>> Talos
>>>>>> Cisco Systems, Inc.
>>>>>>
>>>>>>
>>>>>> On Dec 6, 2018, at 3:27 AM, Al Varnell wrote:
>>>>>>
>>>>>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way
>>>>>> too dynamic (blacklisted one day and removed the next). ClamAV does malware
>>>>>> detection over the long haul and trying to keep up with fraudulent web
>>>>>> sites would be a full time job and better done by other means (e.g. Google
>>>>>> Safe Browsing).
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>> On Wed,

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-08 Thread Micah Snyder (micasnyd)
Our replies may be getting filtered by your email provider because you included 
a malicious link in the email chain. :D  I removed the link from this reply.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 8, 2018, at 9:17 AM, Sunny Marwah <sunnymar...@trepup.com> wrote:


Still no reply on this matter.

On Fri, Dec 7, 2018 at 6:17 PM Sunny Marwah <sunnymar...@trepup.com> wrote:
Hi Al Varnell,

Below is the URL which was mentioned in HTML template :


Chrome don't open it due to labeling it dangerous in as per "Safebrowsing". 
Then why ClamAV is not able to identify when "Safebrowsing" option is already 
enabled ??

Looking to hear from you on this.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:50 PM Al Varnell <alvarn...@mac.com> wrote:
If you won't provide the URL to the rest of us users, then we can't help you. 
You'll have to wait to see if the development team gets back to you.

-Al-

On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL i have already shared with one of ClamAV development team members

I did not understand your point what you said --- "You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://".

My purpose behind using ClamAV is to scan Linux server and plus HTML templates 
which we regularly receive on server.

And the reason behind using "Safebrowing" option is to detect deceptive, 
Phishing URL's in HTML templates in the same way as Chrome warns us before 
opening such URL's. I want ClamAV to detect such files as "Infected" which 
contain deceptive, Phishing URL's.

Waiting for your quick and needful response.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:22 PM Al Varnell <alvarn...@mac.com> wrote:
Have you read the explanation at <https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://

-Al-

On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
Hello Micah & Team,

Have not received any response on my last email.

Also, i have enabled Safebrowsing option in freshclam.conf as suggested by you.

Still i can see that ClamAV is not working properly. There is one file placed 
on server and there is one phishing URL available in that file. That URL is so 
deceptive that Chrome is not letting us open that URL due to labeling it as 
"Deceptive" URL.

Why ClamAV is still not able to find that file as "Infected" in scanning even 
after enabling "Safebrowsing" option ??

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah <sunnymar...@trepup.com> wrote:
Hi Micah,

Thanks for letting me know about enabling SafeBrowsing CVD option in ClamAV.

Google safe browsing put a website in 3 categories mentioned below :
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any 
"Note secure or Dangerous" URL is found, will ClamAV will show it as infected 
file in scanning summary ? If this is the case, i guess in case "Secure" URL is 
found, it will show as OK. And what if URL is found as "Info or Not secure" ?

Regards
Sunny


On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD 
that you can choose to include, ClamAV has just started including PhishTank 
signatures late last month.

For those who curious, see https://lists.gt.net/clamav/virusdb/.   PhishTank 
signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 6, 2018, at 3:27 AM, Al Varnell <alvarn...@mac.com> wrote:

Frankly, I'm surprised that ClamAV finds any such URL's. They are way to 
dynamic (blacklisted one day and removed the next). ClamAV does malware 
detection over the long haul and trying to keep up with fraudulent web sites 
would be a full time job and better done by other means (e.g. Google Safe 
Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
Hello Team,

We are using clamav-0.100.2 to scan few HTML email templates.

Sometimes, there are deceptive URL's mentioned in those templates and that 
template should be detected as infected via ClamAV scan process.

I can see weird output of ClamAV scan process. Sometimes it detect such 
templates as infected and sometimes, it does not detect them as infected. And 
the URL's i am talking about, are so deceptive that even Google chrome browser 
don't let us open these URL's and show us clear warning as "Dangerous" about 
deceptive website.

Can you put your views behind such unpredictable behavior ?

If you want then i can report such URL's on your malware link for reporting.

Regards
Sunny

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-08 Thread Sunny Marwah
Still no reply on this matter.

On Fri, Dec 7, 2018 at 6:17 PM Sunny Marwah  wrote:

> Hi Al Varnell,
>
> Below is the URL which was mentioned in HTML template :
>
> https://gokdenizhealthtourism.com/js/logo2.gif
>
> Chrome don't open it due to labeling it dangerous in as per
> "Safebrowsing". Then why ClamAV is not able to identify when "Safebrowsing"
> option is already enabled ??
>
> Looking to hear from you on this.
>
> Regards
> Sunny
>
> On Fri, Dec 7, 2018 at 5:50 PM Al Varnell  wrote:
>
>> If you won't provide the URL to the rest of us users, then we can't help
>> you. You'll have to wait to see if the development team gets back to you.
>>
>> -Al-
>>
>> On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
>>
>> Hi Al Varnell,
>>
>> I have already gone through https://www.clamav.net/documents/safebrowsing
>> .
>>
>> That URL i have already shared with one of ClamAV development team members
>>
>> I did not understand your point what you said --- "You will probably need
>> to obfuscate it in order to get it through the mail system, something like
>> httx://".
>>
>> My purpose behind using ClamAV is to scan Linux server and plus HTML
>> templates which we regularly receive on server.
>>
>> And the reason behind using "Safebrowing" option is to detect deceptive,
>> Phishing URL's in HTML templates in the same way as Chrome warns us before
>> opening such URL's. I want ClamAV to detect such files as "Infected" which
>> contain deceptive, Phishing URL's.
>>
>> Waiting for your quick and needful response.
>>
>> Regards
>> Sunny
>>
>> On Fri, Dec 7, 2018 at 5:22 PM Al Varnell  wrote:
>>
>>> Have your read the explanation at <
>>> https://www.clamav.net/documents/safebrowsing>?
>>>
>>> Please provide the phishing URL that is failing. You will probably need
>>> to obfuscate it in order to get it through the mail system, something like
>>> httx://
>>>
>>> -Al-
>>>
>>> On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
>>>
>>> Hello Micah & Team,
>>>
>>> Have not received any response on my last email.
>>>
>>> Also, i have enabled Safebrowsing option in freshclam.conf as suggested
>>> by you.
>>>
>>> Still i can see that ClamAV is not working properly. There is one file
>>> placed on server and there is one phishing URL available in that file. That
>>> URL is so deceptive that Chrome is not letting us open that URL due to
>>> labeling it as "Deceptive" URL.
>>>
>>> Why ClamAV is still not able to find that file as "Infected" in scanning
>>> even after enabling "Safebrowsing" option ??
>>>
>>> Waiting for your quick and needful response.
>>>
>>> Regards
>>> Sunny
>>>
>>> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah 
>>> wrote:
>>>
>>>> Hi Micah,
>>>>
>>>> Thanks for letting me know about enabling SafeBrowsing CVD option in
>>>> ClamAV.
>>>>
>>>> Google safe browsing put a website in 3 categories mentioned below :
>>>> 1 Secure
>>>> 2 Info or Not secure
>>>> 3 Not secure or Dangerous
>>>>
>>>> Curious to know how ClamAV will categorize the HTML file. Let's say, if
>>>> any "Not secure or Dangerous" URL is found, will ClamAV show it as
>>>> infected file in scanning summary ? If this is the case, i guess in case
>>>> "Secure" URL is found, it will show as OK. And what if URL is found as
>>>> "Info or Not secure" ?
>>>>
>>>> Regards
>>>> Sunny
>>>>
>>>>
>>>> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>>
>>>>> It may be worth mentioning that in addition to the [optional]
>>>>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>>>>> including PhishTank signatures late last month.
>>>>>
>>>>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>>>>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>>>>
>>>>>
>>>>> Micah Snyder
>>>>> ClamAV Development
>>>>> Talos
>>>>> Cisco Systems, Inc.
>>>>>
>>>>>
>>>>> On Dec 6, 2018, at 3:27 AM, Al Varnell wrote:
>>>>>
>>>>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way
>>>>> too dynamic (blacklisted one day and removed the next). ClamAV does malware
>>>>> detection over the long haul and trying to keep up with fraudulent web
>>>>> sites would be a full time job and better done by other means (e.g. Google
>>>>> Safe Browsing).
>>>>>
>>>>> -Al-
>>>>>
>>>>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>>>>
>>>>> Hello Team,
>>>>>
>>>>> We are using clamav-0.100.2 to scan few HTML email templates.
>>>>>
>>>>> Sometimes, there are deceptive URL's mentioned in those templates and
>>>>> that template should be detected as infected via ClamAV scan process.
>>>>>
>>>>> I can see weird output of ClamAV scan process. Sometimes it detect
>>>>> such templates as infected and sometimes, it does not detect them as
>>>>> infected. And the URL's i am talking about, are so deceptive that even
>>>>> Google chrome browser don't let us open these URL's and show us clear
>>>>> warning as "Dangerous" about deceptive website.
>>>>>
>>>>> Can you put your

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
Sorry, it appears I was looking in the wrong place. I now believe that ScanMail 
defaults to "Yes".

Sent from my iPad

-Al-

On Dec 7, 2018, at 16:39, Al Varnell wrote:
> Do you have ScanMail enabled? It defaults to not enabled.
> 
> Sent from my iPad
> 
> -Al-
> 
>> On Dec 7, 2018, at 04:47, Sunny Marwah  wrote:
>> 
>> Hi Al Varnell,
>> 
>> Below is the URL which was mentioned in HTML template :
>> 
>> https://gokdenizhealthtourism.com/js/logo2.gif
>> 
>> Chrome don't open it due to labeling it dangerous in as per "Safebrowsing". 
>> Then why ClamAV is not able to identify when "Safebrowsing" option is 
>> already enabled ??
>> 
>> Looking to hear from you on this.
>> 
>> Regards
>> Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
Do you have ScanMail enabled? It defaults to not enabled.

Sent from my iPad

-Al-

> On Dec 7, 2018, at 04:47, Sunny Marwah  wrote:
> 
> Hi Al Varnell,
> 
> Below is the URL which was mentioned in HTML template :
> 
> https://gokdenizhealthtourism.com/js/logo2.gif
> 
> Chrome don't open it due to labeling it dangerous in as per "Safebrowsing". 
> Then why ClamAV is not able to identify when "Safebrowsing" option is already 
> enabled ??
> 
> Looking to hear from you on this.
> 
> Regards
> Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Micah Snyder (micasnyd)
In my own testing, it detected this link just fine.

Steps to reproduce:
View the raw source of this email and save it to a file.
Scan the file.

I will note that I did some additional testing. When placing the URL (no link, 
just raw text URL) in an email, ClamAV did not detect it.

Truthfully I don't have as much experience with ClamAV's phishing and 
safebrowsing features as I'd like. I'm not aware if our HTML scanner will do 
the same phish-checks as the Mail parser does. That will take a little more 
investigation and a little more time that I don't have at the moment.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 7, 2018, at 7:47 AM, Sunny Marwah <sunnymar...@trepup.com> wrote:

Hi Al Varnell,

Below is the URL which was mentioned in HTML template :

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome don't open it due to labeling it dangerous in as per "Safebrowsing". 
Then why ClamAV is not able to identify when "Safebrowsing" option is already 
enabled ??

Looking to hear from you on this.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:50 PM Al Varnell <alvarn...@mac.com> wrote:
If you won't provide the URL to the rest of us users, then we can't help you. 
You'll have to wait to see if the development team gets back to you.

-Al-

On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL i have already shared with one of ClamAV development team members

I did not understand your point what you said --- "You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://".

My purpose behind using ClamAV is to scan Linux server and plus HTML templates 
which we regularly receive on server.

And the reason behind using "Safebrowing" option is to detect deceptive, 
Phishing URL's in HTML templates in the same way as Chrome warns us before 
opening such URL's. I want ClamAV to detect such files as "Infected" which 
contain deceptive, Phishing URL's.

Waiting for your quick and needful response.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:22 PM Al Varnell <alvarn...@mac.com> wrote:
Have you read the explanation at <https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://

-Al-

On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
Hello Micah & Team,

Have not received any response on my last email.

Also, i have enabled Safebrowsing option in freshclam.conf as suggested by you.

Still i can see that ClamAV is not working properly. There is one file placed 
on server and there is one phishing URL available in that file. That URL is so 
deceptive that Chrome is not letting us open that URL due to labeling it as 
"Deceptive" URL.

Why ClamAV is still not able to find that file as "Infected" in scanning even 
after enabling "Safebrowsing" option ??

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah <sunnymar...@trepup.com> wrote:
Hi Micah,

Thanks for letting me know about enabling SafeBrowsing CVD option in ClamAV.

Google safe browsing put a website in 3 categories mentioned below :
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any 
"Note secure or Dangerous" URL is found, will ClamAV will show it as infected 
file in scanning summary ? If this is the case, i guess in case "Secure" URL is 
found, it will show as OK. And what if URL is found as "Info or Not secure" ?

Regards
Sunny


On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD 
that you can choose to include, ClamAV has just started including PhishTank 
signatures late last month.

For those who curious, see https://lists.gt.net/clamav/virusdb/.   PhishTank 
signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 6, 2018, at 3:27 AM, Al Varnell <alvarn...@mac.com> wrote:

Frankly, I'm surprised that ClamAV finds any such URL's. They are way to 
dynamic (blacklisted one day and removed the next). ClamAV does malware 
detection over the long haul and trying to keep up with fraudulent web sites 
would be a full time job and better done by other means (e.g. Google Safe 
Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
Hello Team,

We are using clamav-0.100.2 to scan few HTML email templates.

Sometimes, there are deceptive URL's mentioned in those templates and that 
template should be detected as infected via ClamAV scan process.

I can see weird output of ClamAV scan process. Sometimes it detect such 
templates as infected and sometimes, it does not detect them as 

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Sunny Marwah
Hi Al Varnell,

Below is the URL which was mentioned in HTML template :

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome don't open it due to labeling it dangerous in as per "Safebrowsing".
Then why ClamAV is not able to identify when "Safebrowsing" option is
already enabled ??

Looking to hear from you on this.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:50 PM Al Varnell  wrote:

> If you won't provide the URL to the rest of us users, then we can't help
> you. You'll have to wait to see if the development team gets back to you.
>
> -Al-
>
> On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
>
> Hi Al Varnell,
>
> I have already gone through https://www.clamav.net/documents/safebrowsing.
>
> That URL i have already shared with one of ClamAV development team members
>
> I did not understand your point what you said --- "You will probably need
> to obfuscate it in order to get it through the mail system, something like
> httx://".
>
> My purpose behind using ClamAV is to scan Linux server and plus HTML
> templates which we regularly receive on server.
>
> And the reason behind using "Safebrowing" option is to detect deceptive,
> Phishing URL's in HTML templates in the same way as Chrome warns us before
> opening such URL's. I want ClamAV to detect such files as "Infected" which
> contain deceptive, Phishing URL's.
>
> Waiting for your quick and needful response.
>
> Regards
> Sunny
>
> On Fri, Dec 7, 2018 at 5:22 PM Al Varnell  wrote:
>
>> Have your read the explanation at <
>> https://www.clamav.net/documents/safebrowsing>?
>>
>> Please provide the phishing URL that is failing. You will probably need
>> to obfuscate it in order to get it through the mail system, something like
>> httx://
>>
>> -Al-
>>
>> On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
>>
>> Hello Micah & Team,
>>
>> Have not received any response on my last email.
>>
>> Also, i have enabled Safebrowsing option in freshclam.conf as suggested
>> by you.
>>
>> Still i can see that ClamAV is not working properly. There is one file
>> placed on server and there is one phishing URL available in that file. That
>> URL is so deceptive that Chrome is not letting us open that URL due to
>> labeling it as "Deceptive" URL.
>>
>> Why ClamAV is still not able to find that file as "Infected" in scanning
>> even after enabling "Safebrowsing" option ??
>>
>> Waiting for your quick and needful response.
>>
>> Regards
>> Sunny
>>
>> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah 
>> wrote:
>>
>>> Hi Micah,
>>>
>>> Thanks for letting me know about enabling SafeBrowsing CVD option in
>>> ClamAV.
>>>
>>> Google safe browsing put a website in 3 categories mentioned below :
>>> 1 Secure
>>> 2 Info or Not secure
>>> 3 Not secure or Dangerous
>>>
>>> Curious to know how ClamAV will categorize the HTML file. Let's say, if
>>> any "Note secure or Dangerous" URL is found, will ClamAV will show it as
>>> infected file in scanning summary ? If this is the case, i guess in case
>>> "Secure" URL is found, it will show as OK. And what if URL is found as
>>> "Info or Not secure" ?
>>>
>>> Regards
>>> Sunny
>>>
>>>
>>> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <
>>> micas...@cisco.com> wrote:
>>>
>>>> It may be worth mentioning that in addition to the [optional]
>>>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>>>> including PhishTank signatures late last month.
>>>>
>>>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>>>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>>>
>>>>
>>>> Micah Snyder
>>>> ClamAV Development
>>>> Talos
>>>> Cisco Systems, Inc.
>>>>
>>>>
>>>> On Dec 6, 2018, at 3:27 AM, Al Varnell wrote:
>>>>
>>>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way
>>>> too dynamic (blacklisted one day and removed the next). ClamAV does malware
>>>> detection over the long haul and trying to keep up with fraudulent web
>>>> sites would be a full time job and better done by other means (e.g. Google
>>>> Safe Browsing).
>>>>
>>>> -Al-
>>>>
>>>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>>>
>>>> Hello Team,
>>>>
>>>> We are using clamav-0.100.2 to scan few HTML email templates.
>>>>
>>>> Sometimes, there are deceptive URL's mentioned in those templates and
>>>> that template should be detected as infected via ClamAV scan process.
>>>>
>>>> I can see weird output of ClamAV scan process. Sometimes it detect such
>>>> templates as infected and sometimes, it does not detect them as infected.
>>>> And the URL's I am talking about, are so deceptive that even Google chrome
>>>> browser don't let us open these URL's and show us clear warning as
>>>> "Dangerous" about deceptive website.
>>>>
>>>> Can you put your views behind such unpredictable behavior ?
>>>>
>>>> If you want then I can report such URL's on your malware link for
>>>> reporting.
>>>>
>>>> Regards
>>>> Sunny
>>>>

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
If you won't provide the URL to the rest of us users, then we can't help you. 
You'll have to wait to see if the development team gets back to you.

-Al-

On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
> Hi Al Varnell,
> 
> I have already gone through https://www.clamav.net/documents/safebrowsing.
> 
> That URL i have already shared with one of ClamAV development team members
> 
> I did not understand your point what you said --- "You will probably need to 
> obfuscate it in order to get it through the mail system, something like 
> httx://".
> 
> My purpose behind using ClamAV is to scan Linux server and plus HTML 
> templates which we regularly receive on server. 
> 
> And the reason behind using "Safebrowing" option is to detect deceptive, 
> Phishing URL's in HTML templates in the same way as Chrome warns us before 
> opening such URL's. I want ClamAV to detect such files as "Infected" which 
> contain deceptive, Phishing URL's.
> 
> Waiting for your quick and needful response. 
> 
> Regards
> Sunny
> 
> On Fri, Dec 7, 2018 at 5:22 PM Al Varnell wrote:
> Have you read the explanation at 
> <https://www.clamav.net/documents/safebrowsing>?
> 
> Please provide the phishing URL that is failing. You will probably need to 
> obfuscate it in order to get it through the mail system, something like 
> httx://
> 
> -Al-
> 
> On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
>> Hello Micah & Team,
>> 
>> Have not received any response on my last email.
>> 
>> Also, i have enabled Safebrowsing option in freshclam.conf as suggested by 
>> you.
>> 
>> Still i can see that ClamAV is not working properly. There is one file 
>> placed on server and there is one phishing URL available in that file. That 
>> URL is so deceptive that Chrome is not letting us open that URL due to 
>> labeling it as "Deceptive" URL.
>> 
>> Why ClamAV is still not able to find that file as "Infected" in scanning 
>> even after enabling "Safebrowsing" option ??
>> 
>> Waiting for your quick and needful response.
>> 
>> Regards
>> Sunny
>> 
>> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah wrote:
>> Hi Micah,
>> 
>> Thanks for letting me know about enabling SafeBrowsing CVD option in ClamAV. 
>> 
>> Google safe browsing put a website in 3 categories mentioned below : 
>> 1 Secure
>> 2 Info or Not secure
>> 3 Not secure or Dangerous
>> 
>> Curious to know how ClamAV will categorize the HTML file. Let's say, if any 
>> "Note secure or Dangerous" URL is found, will ClamAV will show it as 
>> infected file in scanning summary ? If this is the case, i guess in case 
>> "Secure" URL is found, it will show as OK. And what if URL is found as "Info 
>> or Not secure" ?
>> 
>> Regards
>> Sunny
>> 
>> 
>> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) wrote:
>> It may be worth mentioning that in addition to the [optional] SafeBrowsing 
>> CVD that you can choose to include, ClamAV has just started including 
>> PhishTank signatures late last month.
>> 
>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>> PhishTank signatures are prefixed with Phishtank.Phishing.
>> 
>>  
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 
>> 
>>> On Dec 6, 2018, at 3:27 AM, Al Varnell wrote:
>>> 
>>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way to 
>>> dynamic (blacklisted one day and removed the next). ClamAV does malware 
>>> detection over the long haul and trying to keep up with fraudulent web 
>>> sites would be a full time job and better done by other means (e.g. Google 
>>> Safe Browsing).
>>> 
>>> -Al-
>>> 
>>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>>> Hello Team,
>>>>
>>>> We are using clamav-0.100.2 to scan few HTML email templates.
>>>>
>>>> Sometimes, there are deceptive URL's mentioned in those templates and that 
>>>> template should be detected as infected via ClamAV scan process.
>>>>
>>>> I can see weird output of ClamAV scan process. Sometimes it detect such 
>>>> templates as infected and sometimes, it does not detect them as infected. 
>>>> And the URL's i am talking about, are so deceptive that even Google chrome 
>>>> browser don't let us open these URL's and show us clear warning as 
>>>> "Dangerous" about deceptive website. 
>>>>
>>>> Can you put your views behind such unpredictable behavior ? 
>>>>
>>>> If you want then i can report such URL's on your malware link for 
>>>> reporting.
>>>>
>>>> Regards
>>>> Sunny

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Sunny Marwah
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL I have already shared with one of ClamAV development team members.

I did not understand your point what you said --- "You will probably need
to obfuscate it in order to get it through the mail system, something like
httx://".

My purpose behind using ClamAV is to scan Linux server and plus HTML
templates which we regularly receive on server.

And the reason behind using "Safebrowsing" option is to detect deceptive,
Phishing URL's in HTML templates in the same way as Chrome warns us before
opening such URL's. I want ClamAV to detect such files as "Infected" which
contain deceptive, Phishing URL's.

Waiting for your quick and needful response.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:22 PM Al Varnell  wrote:

> Have your read the explanation at <
> https://www.clamav.net/documents/safebrowsing>?
>
> Please provide the phishing URL that is failing. You will probably need to
> obfuscate it in order to get it through the mail system, something like
> httx://
>
> -Al-
>
> On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
>
> Hello Micah & Team,
>
> Have not received any response on my last email.
>
> Also, i have enabled Safebrowsing option in freshclam.conf as suggested by
> you.
>
> Still i can see that ClamAV is not working properly. There is one file
> placed on server and there is one phishing URL available in that file. That
> URL is so deceptive that Chrome is not letting us open that URL due to
> labeling it as "Deceptive" URL.
>
> Why ClamAV is still not able to find that file as "Infected" in scanning
> even after enabling "Safebrowsing" option ??
>
> Waiting for your quick and needful response.
>
> Regards
> Sunny
>
> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah 
> wrote:
>
>> Hi Micah,
>>
>> Thanks for letting me know about enabling SafeBrowsing CVD option in
>> ClamAV.
>>
>> Google safe browsing put a website in 3 categories mentioned below :
>> 1 Secure
>> 2 Info or Not secure
>> 3 Not secure or Dangerous
>>
>> Curious to know how ClamAV will categorize the HTML file. Let's say, if
>> any "Note secure or Dangerous" URL is found, will ClamAV will show it as
>> infected file in scanning summary ? If this is the case, i guess in case
>> "Secure" URL is found, it will show as OK. And what if URL is found as
>> "Info or Not secure" ?
>>
>> Regards
>> Sunny
>>
>>
>> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <
>> micas...@cisco.com> wrote:
>>
>>> It may be worth mentioning that in addition to the [optional]
>>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>>> including PhishTank signatures late last month.
>>>
>>> For those who curious, see https://lists.gt.net/clamav/virusdb/.
>>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>>
>>>
>>> On Dec 6, 2018, at 3:27 AM, Al Varnell  wrote:
>>>
>>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way to
>>> dynamic (blacklisted one day and removed the next). ClamAV does malware
>>> detection over the long haul and trying to keep up with fraudulent web
>>> sites would be a full time job and better done by other means (e.g. Google
>>> Safe Browsing).
>>>
>>> -Al-
>>>
>>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>>
>>> Hello Team,
>>>
>>> We are using clamav-0.100.2 to scan few HTML email templates.
>>>
>>> Sometimes, there are deceptive URL's mentioned in those templates and
>>> that template should be detected as infected via ClamAV scan process.
>>>
>>> I can see weird output of ClamAV scan process. Sometimes it detect such
>>> templates as infected and sometimes, it does not detect them as infected.
>>> And the URL's i am talking about, are so deceptive that even Google chrome
>>> browser don't let us open these URL's and show us clear warning as
>>> "Dangerous" about deceptive website.
>>>
>>> Can you put your views behind such unpredictable behavior ?
>>>
>>> If you want then i can report such URL's on your malware link for
>>> reporting.
>>>
>>> Regards
>>> Sunny
>>>
>>>
>>
>>
>> --
>> Regards
>> Sunny
>> System Engineer
>> Mob : +91 9711155549
>>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
>
> 

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
Have you read the explanation at 
<https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://

-Al-

On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
> Hello Micah & Team,
> 
> Have not received any response on my last email.
> 
> Also, i have enabled Safebrowsing option in freshclam.conf as suggested by 
> you.
> 
> Still i can see that ClamAV is not working properly. There is one file placed 
> on server and there is one phishing URL available in that file. That URL is 
> so deceptive that Chrome is not letting us open that URL due to labeling it 
> as "Deceptive" URL.
> 
> Why ClamAV is still not able to find that file as "Infected" in scanning even 
> after enabling "Safebrowsing" option ??
> 
> Waiting for your quick and needful response.
> 
> Regards
> Sunny
> 
> On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah wrote:
> Hi Micah,
> 
> Thanks for letting me know about enabling SafeBrowsing CVD option in ClamAV. 
> 
> Google safe browsing put a website in 3 categories mentioned below : 
> 1 Secure
> 2 Info or Not secure
> 3 Not secure or Dangerous
> 
> Curious to know how ClamAV will categorize the HTML file. Let's say, if any 
> "Note secure or Dangerous" URL is found, will ClamAV will show it as infected 
> file in scanning summary ? If this is the case, i guess in case "Secure" URL 
> is found, it will show as OK. And what if URL is found as "Info or Not 
> secure" ?
> 
> Regards
> Sunny
> 
> 
> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) wrote:
> It may be worth mentioning that in addition to the [optional] SafeBrowsing 
> CVD that you can choose to include, ClamAV has just started including 
> PhishTank signatures late last month.
> 
> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
> PhishTank signatures are prefixed with Phishtank.Phishing.
> 
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
>> On Dec 6, 2018, at 3:27 AM, Al Varnell wrote:
>> 
>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way to 
>> dynamic (blacklisted one day and removed the next). ClamAV does malware 
>> detection over the long haul and trying to keep up with fraudulent web sites 
>> would be a full time job and better done by other means (e.g. Google Safe 
>> Browsing).
>> 
>> -Al-
>> 
>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>> Hello Team,
>>> 
>>> We are using clamav-0.100.2 to scan few HTML email templates.
>>> 
>>> Sometimes, there are deceptive URL's mentioned in those templates and that 
>>> template should be detected as infected via ClamAV scan process.
>>> 
>>> I can see weird output of ClamAV scan process. Sometimes it detect such 
>>> templates as infected and sometimes, it does not detect them as infected. 
>>> And the URL's i am talking about, are so deceptive that even Google chrome 
>>> browser don't let us open these URL's and show us clear warning as 
>>> "Dangerous" about deceptive website. 
>>> 
>>> Can you put your views behind such unpredictable behavior ? 
>>> 
>>> If you want then i can report such URL's on your malware link for reporting.
>>> 
>>> Regards
>>> Sunny
> 
> 
> -- 
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549

-Al-
-- 
Al Varnell
Mountain View, CA





___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Sunny Marwah
Hello Micah & Team,

Have not received any response on my last email.

Also, I have enabled Safebrowsing option in freshclam.conf as suggested by
you.

Still I can see that ClamAV is not working properly. There is one file
placed on server and there is one phishing URL available in that file. That
URL is so deceptive that Chrome is not letting us open that URL due to
labeling it as "Deceptive" URL.

Why is ClamAV still not able to find that file as "Infected" in scanning
even after enabling "Safebrowsing" option?

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah  wrote:

> Hi Micah,
>
> Thanks for letting me know about enabling SafeBrowsing CVD option in
> ClamAV.
>
> Google safe browsing put a website in 3 categories mentioned below :
> 1 Secure
> 2 Info or Not secure
> 3 Not secure or Dangerous
>
> Curious to know how ClamAV will categorize the HTML file. Let's say, if
> any "Note secure or Dangerous" URL is found, will ClamAV will show it as
> infected file in scanning summary ? If this is the case, i guess in case
> "Secure" URL is found, it will show as OK. And what if URL is found as
> "Info or Not secure" ?
>
> Regards
> Sunny
>
>
> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) 
> wrote:
>
>> It may be worth mentioning that in addition to the [optional]
>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>> including PhishTank signatures late last month.
>>
>> For those who curious, see https://lists.gt.net/clamav/virusdb/.
>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Dec 6, 2018, at 3:27 AM, Al Varnell  wrote:
>>
>> Frankly, I'm surprised that ClamAV finds any such URL's. They are way to
>> dynamic (blacklisted one day and removed the next). ClamAV does malware
>> detection over the long haul and trying to keep up with fraudulent web
>> sites would be a full time job and better done by other means (e.g. Google
>> Safe Browsing).
>>
>> -Al-
>>
>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>
>> Hello Team,
>>
>> We are using clamav-0.100.2 to scan few HTML email templates.
>>
>> Sometimes, there are deceptive URL's mentioned in those templates and
>> that template should be detected as infected via ClamAV scan process.
>>
>> I can see weird output of ClamAV scan process. Sometimes it detect such
>> templates as infected and sometimes, it does not detect them as infected.
>> And the URL's i am talking about, are so deceptive that even Google chrome
>> browser don't let us open these URL's and show us clear warning as
>> "Dangerous" about deceptive website.
>>
>> Can you put your views behind such unpredictable behavior ?
>>
>> If you want then i can report such URL's on your malware link for
>> reporting.
>>
>> Regards
>> Sunny
>>
>>
>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
>

-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Sunny Marwah
Hi Micah,

Thanks for letting me know about enabling SafeBrowsing CVD option in
ClamAV.

Google safe browsing put a website in 3 categories mentioned below :
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any
"Not secure or Dangerous" URL is found, will ClamAV show it as
infected file in scanning summary ? If this is the case, I guess in case
"Secure" URL is found, it will show as OK. And what if URL is found as
"Info or Not secure" ?

Regards
Sunny


On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) 
wrote:

> It may be worth mentioning that in addition to the [optional] SafeBrowsing
> CVD that you can choose to include, ClamAV has just started including
> PhishTank signatures late last month.
>
> For those who curious, see https://lists.gt.net/clamav/virusdb/.
> PhishTank signatures are prefixed with Phishtank.Phishing.
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 6, 2018, at 3:27 AM, Al Varnell  wrote:
>
> Frankly, I'm surprised that ClamAV finds any such URL's. They are way to
> dynamic (blacklisted one day and removed the next). ClamAV does malware
> detection over the long haul and trying to keep up with fraudulent web
> sites would be a full time job and better done by other means (e.g. Google
> Safe Browsing).
>
> -Al-
>
> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>
> Hello Team,
>
> We are using clamav-0.100.2 to scan few HTML email templates.
>
> Sometimes, there are deceptive URL's mentioned in those templates and that
> template should be detected as infected via ClamAV scan process.
>
> I can see weird output of ClamAV scan process. Sometimes it detect such
> templates as infected and sometimes, it does not detect them as infected.
> And the URL's i am talking about, are so deceptive that even Google chrome
> browser don't let us open these URL's and show us clear warning as
> "Dangerous" about deceptive website.
>
> Can you put your views behind such unpredictable behavior ?
>
> If you want then i can report such URL's on your malware link for
> reporting.
>
> Regards
> Sunny
>
>


-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Micah Snyder (micasnyd)
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD 
that you can choose to include, ClamAV has just started including PhishTank 
signatures late last month.

For those who are curious, see https://lists.gt.net/clamav/virusdb/. PhishTank 
signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 6, 2018, at 3:27 AM, Al Varnell <alvarn...@mac.com> wrote:

Frankly, I'm surprised that ClamAV finds any such URL's. They are way too 
dynamic (blacklisted one day and removed the next). ClamAV does malware 
detection over the long haul and trying to keep up with fraudulent web sites 
would be a full time job and better done by other means (e.g. Google Safe 
Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
Hello Team,

We are using clamav-0.100.2 to scan few HTML email templates.

Sometimes, there are deceptive URL's mentioned in those templates and that 
template should be detected as infected via ClamAV scan process.

I can see weird output of ClamAV scan process. Sometimes it detect such 
templates as infected and sometimes, it does not detect them as infected. And 
the URL's i am talking about, are so deceptive that even Google chrome browser 
don't let us open these URL's and show us clear warning as "Dangerous" about 
deceptive website.

Can you put your views behind such unpredictable behavior ?

If you want then i can report such URL's on your malware link for reporting.

Regards
Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Dennis Peterson
My most effective blocks are tcpwrappers and DNS-based IP blacklists and URI 
blacklists. Low returns on effort go to pattern matching regular expressions in 
message bodies. It isn't possible to measure the effectiveness of ipset 
blocklists when using NNN.0.0.0/8 IP blocks but there are a lot of them in my 
firewall and hosts.deny files.


dp

On 12/6/18 12:27 AM, Al Varnell wrote:
Frankly, I'm surprised that ClamAV finds any such URL's. They are way too 
dynamic (blacklisted one day and removed the next). ClamAV does malware 
detection over the long haul and trying to keep up with fraudulent web sites 
would be a full time job and better done by other means (e.g. Google Safe 
Browsing).


-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:

Hello Team,

We are using clamav-0.100.2 to scan few HTML email templates.

Sometimes, there are deceptive URL's mentioned in those templates and that 
template should be detected as infected via ClamAV scan process.


I can see weird output of ClamAV scan process. Sometimes it detect such 
templates as infected and sometimes, it does not detect them as infected. And 
the URL's i am talking about, are so deceptive that even Google chrome 
browser don't let us open these URL's and show us clear warning as 
"Dangerous" about deceptive website.


Can you put your views behind such unpredictable behavior ?

If you want then i can report such URL's on your malware link for reporting.

Regards
Sunny




Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Al Varnell
Frankly, I'm surprised that ClamAV finds any such URL's. They are way too 
dynamic (blacklisted one day and removed the next). ClamAV does malware 
detection over the long haul and trying to keep up with fraudulent web sites 
would be a full time job and better done by other means (e.g. Google Safe 
Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
> Hello Team,
> 
> We are using clamav-0.100.2 to scan few HTML email templates.
> 
> Sometimes, there are deceptive URL's mentioned in those templates and that 
> template should be detected as infected via ClamAV scan process.
> 
> I can see weird output of ClamAV scan process. Sometimes it detect such 
> templates as infected and sometimes, it does not detect them as infected. And 
> the URL's i am talking about, are so deceptive that even Google chrome 
> browser don't let us open these URL's and show us clear warning as 
> "Dangerous" about deceptive website. 
> 
> Can you put your views behind such unpredictable behavior ? 
> 
> If you want then i can report such URL's on your malware link for reporting.
> 
> Regards
> Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Dennis Peterson
You should probably look at http://uribl.com/ for this problem. ClamAV is 
targeted toward viruses and malware in email. The uribl process uses DNS just 
like DNS blacklists, is fairly lightweight, and well maintained.


dp

On 12/5/18 11:33 PM, Sunny Marwah wrote:

Hello Team,

We are using clamav-0.100.2 to scan few HTML email templates.

Sometimes, there are deceptive URL's mentioned in those templates and that 
template should be detected as infected via ClamAV scan process.


I can see weird output of ClamAV scan process. Sometimes it detect such 
templates as infected and sometimes, it does not detect them as infected. And 
the URL's i am talking about, are so deceptive that even Google chrome browser 
don't let us open these URL's and show us clear warning as "Dangerous" about 
deceptive website.


Can you put your views behind such unpredictable behavior ?

If you want then i can report such URL's on your malware link for reporting.

Regards
Sunny





___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
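
The DNS-based URI blacklist lookup suggested in the reply above, applied to the links of an HTML template. This is an added example, not code from the thread or from the ClamAV or URIBL projects. The zone name multi.uribl.com and the meaning of the answer bits are assumptions to confirm on uribl.com, the two-and-three-label candidate rule stands in for a Public Suffix List lookup, and the template and DNS answers are constructed samples.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions (confirm on uribl.com): the combined zone name and the meaning
# of the bits in the last octet of a 127.0.0.x answer.
URIBL_ZONE = "multi.uribl.com"
FLAGS = {1: "query-refused", 2: "black", 4: "grey", 8: "red"}


class LinkCollector(HTMLParser):
    """Collect the values of link-bearing attributes in an HTML template."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def hosts_in_template(html):
    """Return the distinct http(s) hosts linked from the template, in order."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = []
    for url in collector.urls:
        try:
            parts = urlsplit(url)
        except ValueError:          # malformed URL, nothing to look up
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                # mailto:, relative paths, etc.
        host = parts.hostname.lower().rstrip(".")
        if host not in hosts:
            hosts.append(host)
    return hosts


def query_names(host, zone=URIBL_ZONE):
    """Build the DNS names to query for one host.

    Domains: the last two and last three labels (simplification; a real
    deployment picks the registered domain with the Public Suffix List).
    IPv4 literals: octets reversed, as with IP-based DNS blacklists.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        keys = [".".join(labels[-n:]) for n in (2, 3) if len(labels) >= n]
    else:
        keys = [".".join(reversed(host.split(".")))] if ip.version == 4 else []
    return [f"{key}.{zone}" for key in keys]


def decode_answers(answers):
    """Map A-record answers to flag names; ignore anything outside 127.0.0.x."""
    flags = set()
    for addr in answers:
        octets = addr.split(".")
        if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
            continue                # e.g. a resolver that rewrites NXDOMAIN
        value = int(octets[3])
        flags.update(label for bit, label in FLAGS.items() if value & bit)
    return flags


def system_resolve(name):
    """Resolve with the system resolver; NXDOMAIN (not listed) gives []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_template(html, resolve=system_resolve):
    """Return {host: sorted flag names}; an empty list means not listed.

    "query-refused" is not a listing: it means the blacklist declined to
    answer this resolver, so the result for that host is unknown.
    """
    report = {}
    for host in hosts_in_template(html):
        flags = set()
        for name in query_names(host):
            flags |= decode_answers(resolve(name))
        report[host] = sorted(flags)
    return report


# Constructed sample template and constructed DNS answers (no network needed).
SAMPLE_TEMPLATE = """<html><body>
<a href="https://login.phish-example.test/verify">Verify your account</a>
<img src="http://192.0.2.10/logo.gif">
<a href="https://www.example.org/help">Help</a>
<a href="mailto:support@example.org">Contact</a>
</body></html>"""
SAMPLE_ANSWERS = {
    "phish-example.test.multi.uribl.com": ["127.0.0.2"],
    "10.2.0.192.multi.uribl.com": ["127.0.0.1"],
}


def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for host, flags in check_template(SAMPLE_TEMPLATE, sample_resolve).items():
        print(host, flags or "not listed")
```

Calling check_template(html) without the second argument uses the system resolver, so results then depend on which DNS server the host is configured to use.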