edwin at clamav
Jun 7, 2012, 12:34 PM
Post #4 of 7
On 06/07/2012 09:57 PM, David Raynor wrote:
> The safebrowsing feature of ClamAV uses a separate domain list and
> whitelist from the other signatures. The blacklisted domains are stored in
> .pdb files, and the whitelist is stored in .wdb files.
> These process domains from URLs instead of virus signatures, so that's why trying to use
> your local .ign2 whitelist didn't help.
> You'll need both the real URL and the displayed URL from the weblink to
> whitelist a link. Here's an example of a safebrowsing whitelist item. To
> whitelist a link that displays "displayhostname.com" with a real URL target
> of "www.myrealhostname.com", the line will look like this:
> The M is the type flag for simple hostname comparisons. There are other
> types for regular expressions if you need them.
> Replace the hostnames appropriately and add a line like that to your local
> whitelist (.wdb not .ign2) and you should be good to go.
That is correct for the anti-phishing feature, but it won't work
for safebrowsing matches (whitelist_check is never reached if url_hash_match).
See phishsigs_howto.pdf, "GDB format"; it describes how to whitelist safebrowsing matches
in a local.gdb.
> Dave R.
> PS: As for Google's Safebrowsing list, they offer a page to check the
> status for any domain. They do have some transparency on why a domain was
> placed on the list, and links for web administrators to seek remediation.
> Dave Raynor
> Senior Research Engineer, VRT
> On Thu, Jun 7, 2012 at 2:26 PM, Alex <mysqlstudent [at] gmail> wrote:
>> How can I determine what domains the pattern
>> contains? I thought it was only a single domain, but it appears to
>> contain numerous?
>> If that's the case, then I'd prefer to not ignore the whole rule, but
>> whitelist one of the domains within the rule. Is that possible?
>> If I were to disable this rule, would adding it as it is displayed
>> above to the ign2 file be the correct way? For some reason that
>> doesn't seem to work here.
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net