Discussion:
[clamav-users] Can't detect deceptive URL's as infected !!
Sunny Marwah
2018-12-06 07:33:42 UTC
Permalink
Hello Team,

We are using clamav-0.100.2 to scan a few HTML email templates.

Sometimes, there are deceptive URLs mentioned in those templates and that
template should be detected as infected via the ClamAV scan process.

I can see weird output of the ClamAV scan process. Sometimes it detects such
templates as infected and sometimes it does not detect them as infected.
And the URLs I am talking about are so deceptive that even the Google Chrome
browser doesn't let us open these URLs and shows us a clear warning as
"Dangerous" about a deceptive website.

Can you put your views behind such unpredictable behavior?

If you want then I can report such URLs on your malware link for reporting.

Regards
Sunny
Dennis Peterson
2018-12-06 08:21:13 UTC
Permalink
You should probably look at http://uribl.com/ for this problem. ClamAV is
targeted toward viruses and malware in email. The uribl process uses DNS just
like DNS blacklists, is fairly light weight, and well maintained.

dp
_______________________________________________
clamav-users mailing list
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
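An added example (not code from this thread or from the ClamAV or URIBL projects) of the DNS-based URI blacklist check suggested above, applied to an HTML template: it collects URLs from link attributes and from bare text, reduces them to domains, and looks each one up in a URIBL-style zone. The zone name multi.uribl.com, the meaning of the answer bits, the last-two-labels domain rule and the sample template and resolver are assumptions made for the example.

```python
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions (not stated in the thread): URIBL's combined public zone and the
# meaning of the last octet of its 127.0.0.x answers. Check uribl.com before use.
URIBL_ZONE = "multi.uribl.com"
URIBL_BITS = {1: "query-refused", 2: "black", 4: "grey", 8: "red"}

BARE_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


class UrlCollector(HTMLParser):
    """Collects URLs from href/src/action attributes and from plain text."""

    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.add(value.strip())

    def handle_data(self, data):
        # A URL typed as text has no tag around it, so look for it here too.
        self.urls.update(BARE_URL.findall(data))


def extract_domains(html):
    """Return the sorted set of domains referenced by an HTML template."""
    collector = UrlCollector()
    collector.feed(html)
    collector.close()
    domains = set()
    for url in collector.urls:
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL, nothing to look up
        if not host or re.fullmatch(r"[0-9.]+", host):
            continue  # relative link, mailto:, or an IP literal
        labels = host.lower().rstrip(".").split(".")
        if len(labels) >= 2:
            # Simplification: the last two labels stand in for the registered
            # domain. Real use needs the Public Suffix List (co.uk and so on).
            domains.add(".".join(labels[-2:]))
    return sorted(domains)


def check_domain(domain, resolve=socket.gethostbyname):
    """Look a domain up in the blacklist zone; return the lists it is on."""
    try:
        answer = resolve(f"{domain}.{URIBL_ZONE}")
    except OSError:
        return []  # NXDOMAIN or resolver failure: not listed / unknown
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return []  # not a blacklist-style answer
    code = int(octets[3])
    return [label for bit, label in URIBL_BITS.items() if code & bit]


def scan_template(html, resolve=socket.gethostbyname):
    """Map each listed domain in the template to its blacklist labels."""
    hits = {}
    for domain in extract_domains(html):
        listings = check_domain(domain, resolve)
        if listings:
            hits[domain] = listings
    return hits


# Constructed sample template using reserved example domains.
SAMPLE_TEMPLATE = """<html><body>
<a href="https://login.bad-shop.example/verify">https://www.example.com/account</a>
<img src="https://static.example.org/logo2.gif">
<p>Or paste this into your browser: http://raw-text.example/reset?id=1</p>
<a href="mailto:support@example.com">mail</a>
</body></html>"""

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "bad-shop.example.multi.uribl.com": "127.0.0.2",
    "raw-text.example.multi.uribl.com": "127.0.0.6",
}


def constructed_resolver(name):
    """Stand-in for socket.gethostbyname backed by CONSTRUCTED_ANSWERS."""
    if name in CONSTRUCTED_ANSWERS:
        return CONSTRUCTED_ANSWERS[name]
    raise socket.gaierror("constructed NXDOMAIN")


if __name__ == "__main__":
    for domain, lists in scan_template(SAMPLE_TEMPLATE, constructed_resolver).items():
        print(f"{domain}: {', '.join(lists)}")
```

Dropping the `resolve` argument makes the lookups go through the system resolver. An answer carrying the query-refused bit means the list did not answer the question, so treat that domain as unknown rather than clean.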
Al Varnell
2018-12-06 08:27:49 UTC
Permalink
Frankly, I'm surprised that ClamAV finds any such URLs. They are way too dynamic (blacklisted one day and removed the next). ClamAV does malware detection over the long haul and trying to keep up with fraudulent web sites would be a full time job and better done by other means (e.g. Google Safe Browsing).

-Al-
Dennis Peterson
2018-12-06 08:40:01 UTC
Permalink
My most effective blocks are tcpwrappers and DNS-based IP blacklists and URI
blacklists. Low returns on effort go to pattern matching regular expressions in
message bodies. It isn't possible to measure the effectiveness of ipset
blocklists when using NNN.0.0.0/8 IP blocks but there are a lot of them in my
firewall and hosts.deny files.

dp
Micah Snyder (micasnyd)
2018-12-06 09:49:36 UTC
Permalink
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD that you can choose to include, ClamAV has just started including PhishTank signatures late last month.

For those who are curious, see https://lists.gt.net/clamav/virusdb/. PhishTank signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Sunny Marwah
2018-12-06 11:11:45 UTC
Permalink
Hi Micah,

Thanks for letting me know about enabling the SafeBrowsing CVD option in
ClamAV.

Google Safe Browsing puts a website in the 3 categories mentioned below:
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any
"Not secure or Dangerous" URL is found, will ClamAV show it as an
infected file in the scanning summary? If this is the case, I guess in case a
"Secure" URL is found, it will show as OK. And what if the URL is found as
"Info or Not secure"?

Regards
Sunny
--
Regards
Sunny
System Engineer
Mob : +91 9711155549
Sunny Marwah
2018-12-07 11:17:29 UTC
Permalink
Hello Micah & Team,

Have not received any response on my last email.

Also, I have enabled the Safebrowsing option in freshclam.conf as suggested by
you.

Still I can see that ClamAV is not working properly. There is one file
placed on the server and there is one phishing URL available in that file. That
URL is so deceptive that Chrome is not letting us open that URL due to
labeling it as a "Deceptive" URL.

Why is ClamAV still not able to find that file as "Infected" in scanning
even after enabling the "Safebrowsing" option?

Waiting for your quick and needful response.

Regards
Sunny
Al Varnell
2018-12-07 11:51:56 UTC
Permalink
Have you read the explanation at <https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to obfuscate it in order to get it through the mail system, something like httx://....

-Al-
--
Al Varnell
Mountain View, CA
Sunny Marwah
2018-12-07 12:10:40 UTC
Permalink
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL I have already shared with one of the ClamAV development team members.

I did not understand your point, what you said --- "You will probably need
to obfuscate it in order to get it through the mail system, something like
httx://....".

My purpose behind using ClamAV is to scan a Linux server plus the HTML
templates which we regularly receive on the server.

And the reason behind using the "Safebrowsing" option is to detect deceptive,
phishing URLs in HTML templates in the same way as Chrome warns us before
opening such URLs. I want ClamAV to detect such files as "Infected" which
contain deceptive, phishing URLs.

Waiting for your quick and needful response.

Regards
Sunny
Al Varnell
2018-12-07 12:19:21 UTC
Permalink
If you won't provide the URL to the rest of us users, then we can't help you. You'll have to wait to see if the development team gets back to you.

-Al-
Sunny Marwah
2018-12-07 12:47:15 UTC
Permalink
Hi Al Varnell,

Below is the URL which was mentioned in the HTML template:

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome doesn't open it due to labeling it dangerous as per "Safebrowsing".
Then why is ClamAV not able to identify it when the "Safebrowsing" option is
already enabled?

Looking to hear from you on this.

Regards
Sunny
Micah Snyder (micasnyd)
2018-12-07 23:22:37 UTC
Permalink
In my own testing, it detected this link just fine.

Steps to reproduce:
View the raw source of this email and save it to a file.
Scan the file.

I will note that I did some additional testing. When placing the URL (no link, just raw text URL) in an email, ClamAV did not detect it.

Truthfully I don't have as much experience with ClamAV's phishing and safebrowsing features as I'd like. I'm not aware if our HTML scanner will do the same phish-checks as the Mail parser does. That will take a little more investigation and a little more time that I don't have at the moment.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 7, 2018, at 7:47 AM, Sunny Marwah <***@trepup.com> wrote:

Hi Al Varnell,

Below is the URL which was mentioned in the HTML template:

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome doesn't open it due to labeling it dangerous as per "Safebrowsing". Then why is ClamAV not able to identify it when the "Safebrowsing" option is already enabled?

Looking to hear from you on this.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:50 PM Al Varnell <***@mac.com<mailto:***@mac.com>> wrote:
If you won't provide the URL to the rest of us users, then we can't help you. You'll have to wait to see if the development team gets back to you.

-Al-

On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL I have already shared with one of the ClamAV development team members.

I did not understand your point when you said --- "You will probably need to obfuscate it in order to get it through the mail system, something like httx://....".

My purpose in using ClamAV is to scan a Linux server plus the HTML templates which we regularly receive on the server.

And the reason for using the "Safebrowsing" option is to detect deceptive, phishing URLs in HTML templates in the same way as Chrome warns us before opening such URLs. I want ClamAV to detect such files as "Infected" which contain deceptive, phishing URLs.

Waiting for your quick and needful response.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:22 PM Al Varnell <***@mac.com> wrote:
Have you read the explanation at <https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to obfuscate it in order to get it through the mail system, something like httx://....

-Al-

On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
Hello Micah & Team,

I have not received any response to my last email.

Also, I have enabled the Safebrowsing option in freshclam.conf as suggested by you.

Still I can see that ClamAV is not working properly. There is one file placed on the server and there is one phishing URL in that file. That URL is so deceptive that Chrome is not letting us open it, labeling it as a "Deceptive" URL.

Why is ClamAV still not able to find that file as "Infected" when scanning, even after enabling the "Safebrowsing" option?

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah <***@trepup.com> wrote:
Hi Micah,

Thanks for letting me know about enabling the SafeBrowsing CVD option in ClamAV.

Google Safe Browsing puts a website in one of the 3 categories mentioned below:
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any "Not secure or Dangerous" URL is found, will ClamAV show it as an infected file in the scanning summary? If this is the case, I guess in case a "Secure" URL is found, it will show as OK. And what if a URL is found as "Info or Not secure"?

Regards
Sunny


On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <***@cisco.com> wrote:
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD that you can choose to include, ClamAV has just started including PhishTank signatures late last month.

For those who are curious, see https://lists.gt.net/clamav/virusdb/. PhishTank signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 6, 2018, at 3:27 AM, Al Varnell <***@mac.com> wrote:

Frankly, I'm surprised that ClamAV finds any such URLs. They are way too dynamic (blacklisted one day and removed the next). ClamAV does malware detection over the long haul, and trying to keep up with fraudulent web sites would be a full-time job and better done by other means (e.g. Google Safe Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
Hello Team,

We are using clamav-0.100.2 to scan a few HTML email templates.

Sometimes there are deceptive URLs mentioned in those templates, and such a template should be detected as infected by the ClamAV scan process.

I can see weird output from the ClamAV scan process. Sometimes it detects such templates as infected and sometimes it does not. And the URLs I am talking about are so deceptive that even the Google Chrome browser doesn't let us open them and shows us a clear "Dangerous" warning about a deceptive website.

Can you share your views on such unpredictable behavior?

If you want, I can report such URLs through your malware reporting link.

Regards
Sunny
Al Varnell
2018-12-08 00:39:52 UTC
Permalink
Do you have ScanMail enabled? It defaults to not enabled.

Sent from my iPad

-Al-
Post by Sunny Marwah
Hi Al Varnell,
https://gokdenizhealthtourism.com/js/logo2.gif
Chrome doesn't open it because it is labeled dangerous as per "Safebrowsing". Then why is ClamAV not able to identify it when the "Safebrowsing" option is already enabled?
Looking to hear from you on this.
Regards
Sunny
Al Varnell
2018-12-08 02:11:00 UTC
Permalink
Sorry, it appears I was looking in the wrong place. I now believe that ScanMail defaults to "Yes".

Sent from my iPad

-Al-
Post by Al Varnell
Do you have ScanMail enabled? It defaults to not enabled.
Sent from my iPad
-Al-
Post by Sunny Marwah
Hi Al Varnell,
https://gokdenizhealthtourism.com/js/logo2.gif
Chrome doesn't open it because it is labeled dangerous as per "Safebrowsing". Then why is ClamAV not able to identify it when the "Safebrowsing" option is already enabled?
Looking to hear from you on this.
Regards
Sunny
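The ScanMail default question above can be settled by reading the effective settings instead of guessing. The following is an added example, not code from the thread or from the ClamAV project: it parses clamd.conf and freshclam.conf text and reports which of the options named in this discussion (ScanMail, SafeBrowsing) and the related ScanHTML, PhishingSignatures and PhishingScanURLs are off. The default values are an assumption taken from the ClamAV 0.100 sample configuration files, and the sample configs are constructed.

```python
# Added example: audit ClamAV config text for the options discussed in this thread.
# Defaults below follow the ClamAV 0.100 sample configs (assumption: confirm
# against the clamd.conf / freshclam.conf man pages for the installed version).
DEFAULTS = {
    "clamd": {"ScanMail": "yes", "ScanHTML": "yes",
              "PhishingSignatures": "yes", "PhishingScanURLs": "yes"},
    "freshclam": {"SafeBrowsing": "no"},
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def parse_conf(text):
    """Return {option: value} for 'Option value' lines, ignoring comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return opts


def effective(kind, text):
    """Map each tracked option to (enabled, 'explicit' or 'default')."""
    explicit = parse_conf(text)
    report = {}
    for name, default in DEFAULTS[kind].items():
        source = "explicit" if name in explicit else "default"
        value = explicit.get(name, default).lower()
        if value not in TRUE | FALSE:
            raise ValueError(f"{kind}.conf: {name} has non-boolean value {value!r}")
        report[name] = (value in TRUE, source)
    return report


def audit(clamd_text, freshclam_text):
    """List settings that could explain a phishing URL going undetected."""
    findings = []
    for kind, text in (("clamd", clamd_text), ("freshclam", freshclam_text)):
        # The shipped sample configs contain an 'Example' line that must be
        # commented out before the file is accepted.
        if "Example" in parse_conf(text):
            findings.append(f"{kind}.conf: 'Example' line is still active")
        for name, (enabled, source) in effective(kind, text).items():
            if not enabled:
                findings.append(f"{kind}.conf: {name} is off ({source})")
    return findings


# Constructed sample configs (not taken from the thread).
SAMPLE_CLAMD = """\
# clamd.conf
LocalSocket /var/run/clamav/clamd.sock
ScanMail no          # explicitly disabled
PhishingScanURLs yes
"""
SAMPLE_FRESHCLAM = """\
# freshclam.conf
DatabaseMirror database.clamav.net
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CLAMD, SAMPLE_FRESHCLAM):
        print(finding)
```

clamscan does not read clamd.conf; when scanning with clamscan the matching switches are --scan-mail, --scan-html, --phishing-sigs and --phishing-scan-urls.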
Sunny Marwah
2018-12-08 14:17:28 UTC
Permalink
Still no reply on this matter.
Post by Sunny Marwah
Hi Al Varnell,
https://gokdenizhealthtourism.com/js/logo2.gif
Chrome doesn't open it because it is labeled dangerous as per
"Safebrowsing". Then why is ClamAV not able to identify it when the "Safebrowsing"
option is already enabled?
Looking to hear from you on this.
Regards
Sunny
Micah Snyder (micasnyd)
2018-12-08 15:30:08 UTC
Permalink
Our replies may be getting filtered by your email provider because you included a malicious link in the email chain. :D I removed the link from this reply.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 8, 2018, at 9:17 AM, Sunny Marwah <***@trepup.com> wrote:


Still no reply on this matter.

On Fri, Dec 7, 2018 at 6:17 PM Sunny Marwah <***@trepup.com> wrote:
Hi Al Varnell,

Below is the URL which was mentioned in HTML template :


Chrome doesn't open it because it is labeled dangerous as per "Safebrowsing". Then why is ClamAV not able to identify it when the "Safebrowsing" option is already enabled?

Looking to hear from you on this.

Regards
Sunny
