Re: Freshclam Safebrowsing enabled for SA

2019-06-26 Thread Kevin A. McGrail
On 6/13/2019 7:58 AM, Brent Clark wrote:
> Good day Guys
>
> Some time has passed, and I was hoping to follow up with the community
> if anyone has tested and / or tried Safebrowsing, or has an opinion on
> Safebrowsing.
>
> I enabled it, and so far I have not picked up any false positives
> for mail.
>
> What actually reminded me of Safebrowsing is that I am testing Proxmox's
> mail gateway solution (i.e.
> https://www.proxmox.com/en/proxmox-mail-gateway), and one thing that got my
> attention is that SafeBrowsing is on.
>
> Regards
> Brent Clark 
I'm afraid I haven't had the time I wanted to spend on this.  Thanks for
your feedback though!


Re: Freshclam Safebrowsing enabled for SA

2019-06-13 Thread Brent Clark

Good day Guys

Some time has passed, and I was hoping to follow up with the community if 
anyone has tested and / or tried Safebrowsing, or has an opinion on 
Safebrowsing.


I enabled it, and so far I have not picked up any false positives for 
mail.


What actually reminded me of Safebrowsing is that I am testing Proxmox's 
mail gateway solution (i.e. 
https://www.proxmox.com/en/proxmox-mail-gateway), and one thing that got my 
attention is that SafeBrowsing is on.


Regards
Brent Clark


On 2019/04/24 09:54, Brent Clark wrote:
> On 2019/04/23 17:07, Kevin A. McGrail wrote:
>> Anyway, I was going to try and run a second daemon or look at hits for
>> Safebrowsing. as a method for scoring, not blocking.  The
>> listing and delisting policies are unclear to me and I think there is a
>> good potential for FPs.
>>
>> Regards,
>> KAM
>
> Good day Kevin
>
> Would you mind sharing your experience and findings with the community?
>
> Regards
> Brent


Re: Freshclam Safebrowsing enabled for SA

2019-04-24 Thread Pedro David Marco
Sorry, my mistake.. excuse me!
I meant:
The difference between both versions is just "time": the latest URL updates take 
from hours up to some days to go from the "good" DB to the public DB.

Pedro.

Re: Freshclam Safebrowsing enabled for SA

2019-04-24 Thread Pedro David Marco
I have played long with this and IMHO do not put your expectations too high...
Google has two versions of the SafeBrowsing DB. The public one: the one you can 
download with the Google API and used by Clam as stated by Kevin, and a 
second one, used by Chrome and some security vendors (I guess by paying).
The difference between both versions is just "time": the latest URL updates take 
from hours up to some days to go from the public DB to the "good" one.
Not happy enough with that, Rob McEwen's fears come true... Checks are done by 
removing the least significant part of each URL one by one... so a complete 
phishing URL will match as well as its domain does!
There is a Perl module (thanks to Julien Sobrier) you can use for a SA 
plugin... https://metacpan.org/pod/Net::Google::SafeBrowsing4
I have tested it and it works OK but is pretty slow since a simple URL generates 
many queries (because it works as Google suggests: removing the least significant 
part and trying again, and again, and...)
Ken, Kevin, maybe it would be a good idea to have a SA plugin to use it if we 
modify the code to check "only" the full URL...
Regards,
Pedro.


Re: Freshclam Safebrowsing enabled for SA

2019-04-24 Thread Brent Clark




On 2019/04/23 17:07, Kevin A. McGrail wrote:
> Anyway, I was going to try and run a second daemon or look at hits for
> Safebrowsing. as a method for scoring, not blocking.  The
> listing and delisting policies are unclear to me and I think there is a
> good potential for FPs.
>
> Regards,
> KAM

Good day Kevin

Would you mind sharing your experience and findings with the community?

Regards
Brent


Re: Freshclam Safebrowsing enabled for SA

2019-04-23 Thread Daniele Duca

On 23/04/19 17:07, Kevin A. McGrail wrote:
> On 4/23/2019 6:18 AM, Brent Clark wrote:
>> Just want to pick the community's brain for a second.
>>
>> Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or
>> better enable 'SafeBrowsing Yes' in freshclam's configuration file?
>>
>> I see SafeBrowsing is a blacklist service provided by Google that
>> provides lists of URLs for web sites that contain malware or phishing
>> content.
>>
>> What was your experience with mail containing malware or phishing
>> content?

Hello,

sorry to hijack the thread, but while we are talking about ClamAV 
signatures, I'd like to point you also to these: 
https://urlhaus.abuse.ch/api/#clamav


It's a very lightweight set of URLs known to be distributing Emotet. They 
get hits on my systems while other signatures and AV engines fail, so 
you may want to give them a try.


Daniele



Re: Freshclam Safebrowsing enabled for SA

2019-04-23 Thread Rob McEwen

On 4/23/2019 11:07 AM, Kevin A. McGrail wrote:
> I was going to try and run a second daemon or look at hits for
> Safebrowsing. as a method for scoring, not blocking.  The
> listing and delisting policies are unclear to me and I think there is a
> good potential for FPs.


Probably a nice scoring option - So like Kevin, I'd caution against 
using this for blocking or high scoring. Why? Because in recent years 
there has been an epidemic of the following two things:


(1) website compromised - hacker installed malicious content

(2) email account on the mail server compromised - spammer is sending 
email from that server


HOWEVER - MOST of the time ONLY 1 of these things happened, NOT both. 
But the Safebrowsing database is mainly focused on the website being 
compromised. Therefore, this rule is likely fantastic when it comes to 
hits on content in the body of the message, particularly URLs linking to 
malicious content on hijacked websites. But if/when this instead has 
hits on things like ONLY domain name (in the FROM address or elsewhere) 
- then it might cause a significant number of FPs if/when it hits stuff 
like that.


I'm not very familiar with how this works when implemented in ClamAV - 
so, for example, if this only has hits on entire URLs going all the way 
to the malicious content (not merely referencing the domain or home 
page) - then my FP concerns are likely overstated and this really isn't 
going to cause many FPs.


So I'm just mentioning this so others will be aware and know what to 
look for when testing this.


--
Rob McEwen
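Pedro's post earlier on this page describes how a Safe Browsing lookup strips a URL down piece by piece, so a listed domain matches every URL under it, and Rob's post above worries about exactly that kind of domain-only hit. The following is an added example, not code from this thread, from SpamAssassin, from ClamAV or from the Net::Google::SafeBrowsing4 module. It implements the host-suffix / path-prefix expansion that Google documents for its Lookup and Update APIs (exact host plus up to four suffixes, exact path plus up to four prefixes) and runs it against a constructed local blocklist of SHA-256 hashes; the real service compares 4-byte hash prefixes and then fetches full hashes, and does more URL canonicalization than the simplified version here. The listed entries (`phish.example`, `cdn.example.net`) are hypothetical. `full_url_only_match` shows the "check only the full URL" variant Pedro suggests, which avoids the domain-level hit but also misses a listed domain when the phishing page sits on a fresh path.

```python
"""Added example: Safe Browsing style URL expansion and two matching policies."""
import hashlib
from urllib.parse import urlsplit


def host_suffixes(host: str) -> list:
    """Exact hostname plus up to four suffixes built from its last five
    components by dropping the leading component each time; a bare TLD is
    never produced. IP-literal hosts get no suffixes (simplified)."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return [host]
    parts = host.split(".")
    candidates = [host]
    tail = parts[-5:]
    for i in range(len(tail) - 1):          # lengths 5, 4, 3, 2 components
        candidates.append(".".join(tail[i:]))
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order


def path_prefixes(path: str, query: str) -> list:
    """Exact path with query, exact path without query, then '/' and up to
    three directory prefixes built from the root downwards."""
    path = path or "/"
    out = [path + "?" + query] if query else []
    out.append(path)
    segments = path.split("/")[1:]          # components after the root
    prefixes = ["/"]
    for i in range(1, len(segments)):       # last segment is the file name (or '')
        prefixes.append("/" + "/".join(segments[:i]) + "/")
    out.extend(prefixes[:4])
    return list(dict.fromkeys(out))


def lookup_expressions(url: str) -> list:
    """All host-suffix/path-prefix combinations a lookup consults, exact URL
    first. The fragment is dropped; a missing scheme is assumed to be http."""
    if "://" not in url:
        url = "http://" + url
    u = urlsplit(url.strip())
    hosts = host_suffixes(u.hostname or "")
    paths = path_prefixes(u.path, u.query)
    return [h + p for h in hosts for p in paths]


def _h(expression: str) -> str:
    return hashlib.sha256(expression.encode("utf-8")).hexdigest()


# Constructed local blocklist (hypothetical entries, not real Safe Browsing data):
# the whole domain phish.example is listed, plus one exact URL on another host.
BLOCKLIST = {
    _h("phish.example/"),
    _h("cdn.example.net/uploads/invoice.exe"),
}


def safe_browsing_match(url: str):
    """Google-style lookup: the URL is flagged if ANY expression is listed.
    Returns the matching expression, or None. This is why a listed domain
    also flags every URL beneath it, and why many hashes are checked per URL."""
    for expression in lookup_expressions(url):
        if _h(expression) in BLOCKLIST:
            return expression
    return None


def full_url_only_match(url: str):
    """Pedro's proposed variant: consult only the exact host+path(+query)."""
    exact = lookup_expressions(url)[0]
    return exact if _h(exact) in BLOCKLIST else None


if __name__ == "__main__":
    for u in ("http://phish.example/login/verify.php?id=1",
              "http://www.phish.example/",
              "http://cdn.example.net/uploads/invoice.exe",
              "http://cdn.example.net/"):
        print(u, "->", safe_browsing_match(u), "| exact only:", full_url_only_match(u))
```

Running the demo shows the trade-off the thread is circling: the phishing page on `phish.example` is caught by the domain entry under the Google-style policy but not under the exact-URL policy, while the site-wide listing never flags `cdn.example.net/` itself, because only one file there is listed. For SpamAssassin scoring, the expression that matched (domain-level versus full path) is a useful signal to carry into the rule score, since Rob's point is that domain-level hits are the ones most likely to be false positives on mail.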




Re: Freshclam Safebrowsing enabled for SA

2019-04-23 Thread Kevin A. McGrail
On 4/23/2019 6:18 AM, Brent Clark wrote:
> Just want to pick the community's brain for a second.
>
> Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or
> better enable 'SafeBrowsing Yes' in freshclam's configuration file?
>
> I see SafeBrowsing is a blacklist service provided by Google that
> provides lists of URLs for web sites that contain malware or phishing
> content.
>
> What was your experience with mail containing malware or phishing
> content?


Well, my experience over the past month has been pretty bad.  ClamAV lit
some signatures for Phishtank and it pretty much killed performance. 
See the ClamAV mailing list for more info.

Additionally, I just on the 18th started looking at this ClamAV
feature.  For those who aren't aware:

ClamAV 0.95 introduced support for Google Safe Browsing database.

The Safebrowsing database is packed inside a CVD file and distributed
through our mirror network. This feature is disabled by default on all
installations and should be enabled with extreme care.

All signatures provided by Google Safe Browsing Database will be
prefixed with the Safebrowsing tag. If ClamAV reports
Safebrowsing. FOUND, it means that the advisory was provided
by Google and not by ClamAV Virus database.

Please note that such reports DO NOT necessarily mean that the data
scanned contains some malware. You should treat such data as a potential
risk, that is a suspicious source of malware.

If you want to know more about the potentially dangerous data matched by
the signature, you should visit http://www.antiphishing.org (for
phishing warnings) or http://www.stopbadware.org (for malware warnings).

In order to enable this feature, you must add SafeBrowsing Yes to
freshclam.conf.

There is no option in clamd.conf. If the engine finds Google Safe
Browsing files in the database directory, ClamAV will enable safe
browsing. To turn it off you need to update freshclam.conf and remove
the safebrowsing files from the database directory before restarting clamd.


Anyway, I was going to try and run a second daemon or look at hits for
Safebrowsing. as a method for scoring, not blocking.  The
listing and delisting policies are unclear to me and I think there is a
good potential for FPs.


Regards,
KAM
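Kevin's post above says that Safebrowsing-prefixed ClamAV results should feed scoring rather than blocking, and Rob's post says the same. The following is an added example, not code from this thread, from ClamAV or from any SpamAssassin plugin, showing what that policy looks like at the point where a mail filter talks to clamd: it frames a message for clamd's INSTREAM command, parses the `stream: ... FOUND` / `stream: OK` reply, and then treats any signature whose name starts with `Safebrowsing.` (the prefix the ClamAV documentation quoted above guarantees) as a score contribution while ordinary virus signatures still reject. The socket path `/var/run/clamav/clamd.ctl`, the score value `2.5` and the signature names used in the offline demo are assumptions or constructed samples, not values from the page.

```python
"""Added example: clamd INSTREAM client with 'Safebrowsing.* scores, the rest
rejects' policy. Only scan_with_clamd() needs a running clamd."""
import socket
import struct

SB_PREFIX = "Safebrowsing."   # prefix ClamAV puts on Google Safe Browsing hits
SB_SCORE = 2.5                # assumed score to add for a Safe Browsing hit


def instream_frames(data: bytes, chunk: int = 4096) -> bytes:
    """Frame a byte string the way clamd's INSTREAM command expects:
    'zINSTREAM\\0', then <4-byte big-endian length><chunk> repeated, then a
    zero-length chunk to end the stream."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack("!I", len(piece)) + piece)
    out.append(struct.pack("!I", 0))
    return b"".join(out)


def parse_reply(reply: bytes) -> tuple:
    """Parse a NUL-terminated clamd reply such as
    b'stream: Safebrowsing.Something FOUND\\0' into (status, signature),
    where status is 'OK', 'FOUND' or 'ERROR'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", verdict)


def classify(status: str, signature) -> tuple:
    """Policy from the thread: Safe Browsing hits add score (the advisory came
    from Google, not the ClamAV virus DB, and may be a false positive);
    any other signature rejects; a scanner error is tempfailed so the
    message is retried rather than silently delivered (assumption)."""
    if status == "OK":
        return ("deliver", 0.0)
    if status == "FOUND" and signature.startswith(SB_PREFIX):
        return ("score", SB_SCORE)
    if status == "FOUND":
        return ("reject", 0.0)
    return ("tempfail", 0.0)


def scan_with_clamd(message: bytes, sock_path: str = "/var/run/clamav/clamd.ctl") -> tuple:
    """Send one message to clamd over its UNIX socket and apply the policy."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(message))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return classify(*parse_reply(reply))


if __name__ == "__main__":
    # Offline demonstration with constructed replies; no clamd needed.
    samples = (
        b"stream: OK\0",
        b"stream: Safebrowsing.Suspected_phishing_URL FOUND\0",   # constructed name
        b"stream: Eicar-Test-Signature FOUND\0",                  # constructed name
        b"stream: INSTREAM size limit exceeded. ERROR\0",
    )
    for r in samples:
        print(r, "->", classify(*parse_reply(r)))
```

In a SpamAssassin deployment the `("score", 2.5)` outcome would become a rule hit whose score you tune from observed false positives, which is exactly what Kevin's "second daemon" idea would let you measure before trusting the list for anything stronger.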




Freshclam Safebrowsing enabled for SA

2019-04-23 Thread Brent Clark

Good day Guys

Just want to pick the community's brain for a second.

Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or better 
enable 'SafeBrowsing Yes' in freshclam's configuration file?


I see SafeBrowsing is a blacklist service provided by Google that 
provides lists of URLs for web sites that contain malware or phishing 
content.


What was your experience with mail containing malware or phishing content?

Many thanks.

Regards
Brent