Mailing List Archive: ClamAV: users

Identifying safebrowsing domains

 

 



mysqlstudent at gmail

Jun 7, 2012, 11:26 AM

Post #1 of 7 (839 views)
Identifying safebrowsing domains

Hi,

How can I determine what domains the pattern
"Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net"
contains? I thought it was only a single domain, but it appears to
contain numerous?

If that's the case, then I'd prefer to not ignore the whole rule, but
whitelist one of the domains within the rule. Is that possible?

If I were to disable this rule, would adding it as it is displayed
above to the ign2 file be the correct way? For some reason that
doesn't seem to work here.

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


draynor at sourcefire

Jun 7, 2012, 11:57 AM

Post #2 of 7 (821 views)
Re: Identifying safebrowsing domains [In reply to]

The safebrowsing feature of ClamAV uses a separate domain list and
whitelist from the other signatures. The blacklisted domains are stored in
.pdb files, and the whitelist is stored in .wdb files. These process
domains from URLs instead of virus signatures, so that's why trying to use
your local .ign2 whitelist didn't help.

You'll need both the real URL and the displayed URL from the weblink to
whitelist a link. Here's an example of a safebrowsing whitelist item. To
whitelist a link that displays "displayhostname.com" with a real URL target
of "www.myrealhostname.com", the line will look like this:

M:displayhostname.com:www.myrealhostname.com

The M is the type flag for simple hostname comparisons. There are other
types for regular expressions if you need it.

Replace the hostnames appropriately and add a line like that to your local
whitelist (.wdb not .ign2) and you should be good to go.

Dave R.

PS: As for Google's Safebrowsing list, they offer a page to check the
status for any domain. They do have some transparency on why a domain was
placed on the list, and links for web administrators to seek remediation.
http://www.google.com/safebrowsing/diagnostic?site=bestwesternsupply.com

--
Dave Raynor
Senior Research Engineer, VRT


On Thu, Jun 7, 2012 at 2:26 PM, Alex <mysqlstudent [at] gmail> wrote:

> Hi,
>
> How can I determine what domains the pattern
> "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net"
> contains? I thought it was only a single domain, but it appears to
> contain numerous?
>
> If that's the case, then I'd prefer to not ignore the whole rule, but
> whitelist one of the domains within the rule. Is that possible?
>
> If I were to disable this rule, would adding it as it is displayed
> above to the ign2 file be the correct way? For some reason that
> doesn't seem to work here.
>
> Thanks,
> Alex
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>
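The .wdb mechanism Dave describes whitelists a specific pair of hostnames (the one shown in the link and the one it really points at), not a signature name. The Python below is an added example for this thread, not code from ClamAV or from the post: it models how such a local .wdb is read and applied to a link. It follows the field order documented in phishsigs_howto (M:RealHostname:DisplayedHostname and X:RealURL:DisplayedURL[:FuncLevelSpec]); the sample whitelist is constructed, and the matching logic is a simplified approximation of ClamAV's behaviour rather than its implementation.

```python
# Added example for this thread; not code from ClamAV or from the post.
# A simplified model of how a .wdb phishing-whitelist line is applied to a
# link whose displayed hostname differs from its real target. Field order
# follows the documented format M:RealHostname:DisplayedHostname and
# X:RealURL:DisplayedURL[:FuncLevelSpec]; the matching itself is an
# approximation of ClamAV's behaviour, not its implementation.
import re
from typing import List, Tuple

# Constructed sample whitelist in the shape of a local .wdb file. The X line
# uses hostname-only regexes so that it contains no ':' field separators.
SAMPLE_WDB = r"""
# real hostname first, displayed hostname second
M:www.myrealhostname.com:displayhostname.com
X:(www\.)?mail\.example\.com:mail\.example\.com:17-
"""

WdbEntry = Tuple[str, str, str]  # (type, real, displayed)


def _norm_host(host: str) -> str:
    """Hostnames compare case-insensitively; a trailing dot is the DNS root."""
    return host.strip().lower().rstrip(".")


def parse_wdb(text: str) -> List[WdbEntry]:
    """Parse M: and X: lines; skip blanks and '#' comments; reject junk."""
    entries: List[WdbEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or fields[0] not in ("M", "X"):
            raise ValueError(f"line {lineno}: malformed whitelist entry {line!r}")
        kind, real, displayed = fields[0], fields[1], fields[2]
        if kind == "X":
            # Fail loudly on a bad regex instead of silently never matching.
            re.compile(real)
            re.compile(displayed)
        entries.append((kind, real, displayed))
    return entries


def is_whitelisted(real_host: str, displayed_host: str,
                   entries: List[WdbEntry]) -> bool:
    """True if the (real, displayed) pair is covered by some whitelist line.

    The pair matters: the same displayed name pointing at a different real
    host is exactly the case phishing detection exists for, so it must not
    be whitelisted by an entry for a different target.
    """
    real, displayed = _norm_host(real_host), _norm_host(displayed_host)
    for kind, w_real, w_displayed in entries:
        if kind == "M":
            if real == _norm_host(w_real) and displayed == _norm_host(w_displayed):
                return True
        else:  # "X": anchored regex match on each field
            if re.fullmatch(w_real, real, re.IGNORECASE) and \
               re.fullmatch(w_displayed, displayed, re.IGNORECASE):
                return True
    return False


if __name__ == "__main__":
    wl = parse_wdb(SAMPLE_WDB)
    print(is_whitelisted("www.myrealhostname.com", "displayhostname.com", wl))  # True
    print(is_whitelisted("www.other.example", "displayhostname.com", wl))     # False
```

The point the pairing makes: an entry only silences the alert for the exact displayed/real combination it names, so a phishing link that shows the same display name but resolves somewhere else still fires. As Edwin notes further down the thread, this .wdb path applies to the anti-phishing checks; safebrowsing matches are handled separately.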


mysqlstudent at gmail

Jun 7, 2012, 12:31 PM

Post #3 of 7 (819 views)
Re: Identifying safebrowsing domains [In reply to]

Hi,

> The safebrowsing feature of ClamAV uses a separate domain list and
> whitelist from the other signatures. The blacklisted domains are stored in
> .pdb files, and the whitelist is stored in .wdb files. These process
> domains from URLs instead of virus signatures, so that's why trying to use
> your local .ign2 whitelist didn't help.

Ah, thanks. Is this not otherwise documented, or did my search somehow
just not find it? Info on the other types for regular expressions
might be helpful.

> PS: As for Google's Safebrowsing list, they offer a page to check the
> status for any domain. They do have some transparency on why a domain was
> placed on the list, and links for web administrators to seek remediation.
> http://www.google.com/safebrowsing/diagnostic?site=bestwesternsupply.com

It seems to provide conflicting information. It says the site has
distributed malware in the last 90 days, with 06/04/12 being the last
day checked. However, it also says it hasn't hosted malware in the
last 90 days. Am I missing something?

Thanks,
Alex


edwin at clamav

Jun 7, 2012, 12:34 PM

Post #4 of 7 (825 views)
Re: Identifying safebrowsing domains [In reply to]

On 06/07/2012 09:57 PM, David Raynor wrote:
> The safebrowsing feature of ClamAV uses a separate domain list and
> whitelist from the other signatures. The blacklisted domains are stored in
> .pdb files, and the whitelist is stored in .wdb files.
> These process
> domains from URLs instead of virus signatures, so that's why trying to use
> your local .ign2 whitelist didn't help.
>
> You'll need both the real URL and the displayed URL from the weblink to
> whitelist a link. Here's an example of a safebrowsing whitelist item. To
> whitelist a link that displays "displayhostname.com" with a real URL target
> of "www.myrealhostname.com", the line will look like this:
>
> M:displayhostname.com:www.myrealhostname.com
>
> The M is the type flag for simple hostname comparisons. There are other
> types for regular expressions if you need it.
>
> Replace the hostnames appropriately and add a line like that to your local
> whitelist (.wdb not .ign2) and you should be good to go.

That is correct for the anti-phishing feature, but it won't work
for safebrowsing matches. (whitelist_check never reached, if url_hash_match).

See phishsigs_howto.pdf "GDB format", it describes how to whitelist safebrowsing matches
in a local.gdb.

>
> Dave R.
>
> PS: As for Google's Safebrowsing list, they offer a page to check the
> status for any domain. They do have some transparency on why a domain was
> placed on the list, and links for web administrators to seek remediation.
> http://www.google.com/safebrowsing/diagnostic?site=bestwesternsupply.com

Best regards,
--Edwin
>
> --
> Dave Raynor
> Senior Research Engineer, VRT
>
>
> On Thu, Jun 7, 2012 at 2:26 PM, Alex <mysqlstudent [at] gmail> wrote:
>
>> Hi,
>>
>> How can I determine what domains the pattern
>> "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net"
>> contains? I thought it was only a single domain, but it appears to
>> contain numerous?
>>
>> If that's the case, then I'd prefer to not ignore the whole rule, but
>> whitelist one of the domains within the rule. Is that possible?
>>
>> If I were to disable this rule, would adding it as it is displayed
>> above to the ign2 file be the correct way? For some reason that
>> doesn't seem to work here.
>>
>> Thanks,
>> Alex
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

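Edwin points to the GDB format for whitelisting safebrowsing matches in a local.gdb, and the thread later confirms this is done by hash value. The Python below is an added example, not code from ClamAV or from the posts: it generates S:W whitelist lines for a hostname and checks a host against the resulting file. It assumes (verify against phishsigs_howto.pdf for your ClamAV version) that the hash is SHA-256 over the Safe Browsing canonical host expression "host/", and that lines beginning with '#' are treated as comments; the hostnames and file content are constructed placeholders, and the lookup is a model of the check rather than ClamAV's implementation.

```python
# Added example for this thread; not code from ClamAV or from the posts.
# Builds and checks GDB-format whitelist entries (S:W:<sha256>) of the kind
# phishsigs_howto describes for a local.gdb. ASSUMPTION (verify against the
# howto for your ClamAV version): the hash is SHA-256 over the Safe Browsing
# canonical host expression "host/" (lowercase, no leading/trailing or
# repeated dots), and '#' lines are comments. The lookup is a model of the
# check, not ClamAV's code.
import hashlib
from typing import Dict, Optional

COMMENT_TAG = "# whitelist "  # our own convention for recording the hostname


def canonical_host(host: str) -> str:
    """Lowercase, strip surrounding dots and collapse repeated dots."""
    h = host.strip().lower().strip(".")
    while ".." in h:
        h = h.replace("..", ".")
    return h


def host_hash(host: str) -> str:
    """Hex SHA-256 of 'host/' (assumed hashing input, see comment above)."""
    return hashlib.sha256((canonical_host(host) + "/").encode("ascii")).hexdigest()


def whitelist_line(host: str) -> str:
    """An S:W entry preceded by a comment naming the host, because the hash
    on its own is not something an operator can read back later."""
    return f"{COMMENT_TAG}{canonical_host(host)}\nS:W:{host_hash(host)}"


def parse_gdb_whitelist(text: str) -> Dict[str, Optional[str]]:
    """Map each S:W hash to the hostname named in the preceding comment."""
    table: Dict[str, Optional[str]] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(COMMENT_TAG):
            pending = line[len(COMMENT_TAG):]
        elif line.startswith("S:W:"):
            # S:W:Sha256hash[:FuncLevelSpec]; keep only the digest field
            table[line.split(":")[2].lower()] = pending
            pending = None
        else:
            pending = None  # any other line breaks the comment association
    return table


def is_whitelisted(host: str, gdb_text: str) -> bool:
    """A host is whitelisted only if its own hash is listed: a sibling or
    sub-domain hashes differently and stays subject to the safebrowsing check."""
    return host_hash(host) in parse_gdb_whitelist(gdb_text)


# Constructed local.gdb content (hostnames are placeholders, not real sites).
SAMPLE_LOCAL_GDB = "\n".join([
    whitelist_line("Trusted.Example.COM."),
    whitelist_line("intranet.example.org"),
]) + "\n"


if __name__ == "__main__":
    print(SAMPLE_LOCAL_GDB)
    print(is_whitelisted("trusted.example.com", SAMPLE_LOCAL_GDB))      # True
    print(is_whitelisted("www.trusted.example.com", SAMPLE_LOCAL_GDB))  # False
```

Keeping the hostname in a comment next to each S:W line addresses the "tough to remember which is which" problem raised later in the thread, and the parser reads that comment back so the whitelist can be audited without recomputing hashes. Because the entry is an exact hash, it whitelists only that host; related hosts remain covered by the safebrowsing list.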


cswiger at mac

Jun 7, 2012, 12:37 PM

Post #5 of 7 (819 views)
Re: Identifying safebrowsing domains [In reply to]

On Jun 7, 2012, at 12:31 PM, Alex wrote:
> It seems to provide conflicting information. It says the site has
> distributed malware in the last 90 days, with 06/04/12 being the last
> day checked. However, it also says it hasn't hosted malware in the
> last 90 days. Am I missing something?

This tends to mean that the site itself does not host malware locally, but something on the site is referring to some other domain which does install malware. That could be malicious ads being shown, or cross-site forgery in blog comments, etc.

Take a look at a domain like:

http://www.google.com/safebrowsing/diagnostic?site=microsoft.com
http://www.google.com/safebrowsing/diagnostic?site=kshabazz.net

Regards,
--
-Chuck



mysqlstudent at gmail

Jun 7, 2012, 1:23 PM

Post #6 of 7 (817 views)
Re: Identifying safebrowsing domains [In reply to]

Hi,

>> M:displayhostname.com:www.myrealhostname.com
>>
>> The M is the type flag for simple hostname comparisons. There are other
>> types for regular expressions if you need it.
>>
>> Replace the hostnames appropriately and add a line like that to your local
>> whitelist (.wdb not .ign2) and you should be good to go.
>
> That is correct for the anti-phishing feature, but it won't work
> for safebrowsing matches. (whitelist_check never reached, if url_hash_match).
>
> See phishsigs_howto.pdf "GDB format", it describes how to whitelist safebrowsing matches
> in a local.gdb.

Okay, that worked, thanks. Am I reading it correctly that the only way
to whitelist it is using its hash value?

That makes it tough to remember which is which, in case that's
necessary in the future.

Thanks,
Alex


edwin at clamav

Jun 11, 2012, 7:49 AM

Post #7 of 7 (794 views)
Re: Identifying safebrowsing domains [In reply to]

On 06/07/2012 11:23 PM, Alex wrote:
> Hi,
>
>>> M:displayhostname.com:www.myrealhostname.com
>>>
>>> The M is the type flag for simple hostname comparisons. There are other
>>> types for regular expressions if you need it.
>>>
>>> Replace the hostnames appropriately and add a line like that to your local
>>> whitelist (.wdb not .ign2) and you should be good to go.
>>
>> That is correct for the anti-phishing feature, but it won't work
>> for safebrowsing matches. (whitelist_check never reached, if url_hash_match).
>>
>> See phishsigs_howto.pdf "GDB format", it describes how to whitelist safebrowsing matches
>> in a local.gdb.
>
> Okay, that worked, thanks. Am I reading it correctly that the only way
> to whitelist it is using its hash value?

Currently yes.

--Edwin
