On 2009-03-23 23:27, Bill Landry wrote:
> Török Edwin wrote:
>
>> They can be whitelisted by using .wdb entries [1], which allows you to
>> use a POSIX regular expressions to whitelist any URL.
>> (the original URL, not the hash).
>>
>> Since the entries in safebrowsing.cld change often whitelisting based on
>> position in the .cld wouldn't work.
>> If you need some local.ign-like whitelisting of specific entries, I
>> think that could be implemented too.
>>
>> The clamscan --debug output reports both the URL and the hash that
>> caused the detection, and adding the hash to a local.wdb file could
>> whitelist that particular hash.
>> Perhaps we could distribute a script in contrib/ that would generate a
>> whitelist entry given a sample. Would that work for you?
>>
>
> Hi Edwin,
>
> I didn't find a sample script in the contrib directory for this, but is
> this the information I should be looking for from the output of
> "clamdscan --debug":
>
> LibClamAV debug: Phishcheck:Checking url http://lada.cc/</a->
> LibClamAV debug: Looking up hash
> 5B07A56EB8269FE807FE55828D69A56135A1E43B1CDD96432AC5DDFC75251142 for
> lada.cc/(8)</a(1)
> LibClamAV debug: Looking up hash
> F5B73C1339C8C9B2B9537F129D63F4ECA16E0346819FB417E643CDA7B9EFA09A for
> lada.cc/(8)</a(0)
>

Yes, these are the hashes; the actual hash causing the match was the
last one (the one before the "Hash matched http://..." message).

> This shows 2 hashes, so I'm wondering what the format of the .wdb file
> should look like?  

For whitelisting lada.cc you can use either:
X:(.+\.)?lada.cc([/?].*)?:(.+\.)?lada.cc([/?].*)?

Or this one (but it will also whitelist URL mismatches from lada.cc to
anything, not recommended):
X:(.+\.)?lada.cc([/?].*)?:.+

Or any other regular expression that whitelists what you want, the
format is described in docs/phishsigs_howto.pdf,
in this case it is: X:RealURL:DisplayedURL

The per-entry whitelisting and other features we discussed will be in
0.95.1:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1482

>  I'm assuming the file should be named safebrowsing.wdb?
>

It doesn't matter what the name is, I'd suggest using local.wdb.

Best regards,
--Edwin
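To make the X:RealURL:DisplayedURL format concrete, here is an added Python model of the whitelist check (not ClamAV's own code) that parses the two entries from the reply above and shows why the second one is broader than intended. It assumes the scheme is stripped before matching (the debug output looks up "lada.cc/" for http://lada.cc/) and that each regex must match the whole URL; both are assumptions, not statements about libclamav internals.

```python
import re
from typing import List, Tuple

# Constructed sample .wdb contents (not a file from the original thread),
# using the two whitelist entries given in the reply above.
STRICT_WDB = r"""
# whitelist only when real URL and displayed URL both point at lada.cc
X:(.+\.)?lada.cc([/?].*)?:(.+\.)?lada.cc([/?].*)?
"""
PERMISSIVE_WDB = r"""
# real URL lada.cc, displayed URL anything at all (the "not recommended" form)
X:(.+\.)?lada.cc([/?].*)?:.+
"""

Entry = Tuple[re.Pattern, re.Pattern]

def parse_wdb(text: str) -> List[Entry]:
    """Parse X:RealURL:DisplayedURL lines into compiled (real, displayed) regex pairs.
    Blank lines and '#' comments are skipped; other record types are ignored here."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, real_re, disp_re = line.split(":", 2)
        if kind != "X":
            continue
        # Note: the dot in "lada.cc" is unescaped in the thread's entries, so it
        # also matches e.g. "ladaXcc"; escape it as "lada\.cc" if that matters.
        entries.append((re.compile(real_re), re.compile(disp_re)))
    return entries

def normalize(url: str) -> str:
    """Assumption: the scheme is stripped before matching."""
    return re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url.strip(), flags=re.IGNORECASE)

def is_whitelisted(entries: List[Entry], real_url: str, displayed_url: str) -> bool:
    """True if some entry's real-URL and displayed-URL regexes both match in full.
    Assumption: whole-URL matching, which is what the trailing ([/?].*)? implies."""
    real, disp = normalize(real_url), normalize(displayed_url)
    return any(rp.fullmatch(real) and dp.fullmatch(disp) for rp, dp in entries)

if __name__ == "__main__":
    strict, loose = parse_wdb(STRICT_WDB), parse_wdb(PERMISSIVE_WDB)
    # same site on both sides: whitelisted by either entry
    print(is_whitelisted(strict, "http://www.lada.cc/login?x=1", "http://lada.cc/"))  # True
    # real URL on lada.cc but displayed URL elsewhere: only the loose entry passes it
    print(is_whitelisted(strict, "http://lada.cc/go", "http://bank.example/"))  # False
    print(is_whitelisted(loose, "http://lada.cc/go", "http://bank.example/"))   # True
```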