Hi, On Mon, Jul 27, 2009 at 11:31 AM, cas...@gmail.com<cas...@gmail.com> wrote: > Hi Edwin, > > 2009/7/24 Török Edwin <edwinto...@gmail.com>: >> On 2009-07-24 01:26, cas...@gmail.com wrote: >>> Hi, >>> >>> I need some help to understand this issue. >>> >>> We are using safebrowsing.cvd (postfix/amavisd/clamd) and we >>> started to get problems with two newsletters here [1] [2] >>> >>> Messages are in HTML and have some 'links'. I tested all I could >>> find and got the same result as [1][2] (except for some sites that had >>> never been listed). >>> >>> I used the SafeBrowsing 'diagnostic' tool and I got "This site is >>> not currently listed as suspicious" for both sites [1][2]. >>> >>> I searched at StopBadware [3][4] and sites are 'white bullet' status. >>> >>> Just 'owners' [5]can ask for a review but, before reporting to >>> them, I would like to know if safebrowsing.cvd is ok in clamav.net. >>> >>> If I missed something, please, help me to find the 'docs' to solve >>> my question (for example, how can I know what is the 'content' in the >>> email message contents that 'triggered' the safebrowsing.cvd >>> signature?) >>> >> >> You can run 'clamscan --debug yourfile.eml', and look for something like >> this in the debug output: >> >> LibClamAV debug: Phishcheck:Checking url .... >> LibClamAV debug: Looking up hash >> 73D986E009065F182C10BCB6A45DB3D6EDA9498F8930654AF2653F8A938CD801 for ... >> LibClamAV debug: Looking up hash >> 7F6FD541E625E7BC5D5A64F166E47ECFE13735464A74D160B48265C162A71089 for .... >> LibClamAV debug: prefix matched >> LibClamAV debug: This hash matched: >> 7F6FD541E625E7BC5D5A64F166E47ECFE13735464A74D160B48265C162A71089 >> LibClamAV debug: Hash matched for ..... >> LibClamAV debug: Phishcheck: Phishing scan result: Blacklisted > > Sorry for taking so long to answer. I am a 'newbie' in this issues > of hashs analysis. > > Following your directions I found the 'triggering' URL. Nothing > appears as suspected, but there is a 'link' to a .doc file. I will try > to notify the site's owner.
I identified what URL is 'triggering' the virus identification as Safebrowsing.Suspected-malware_safebrowsing.net, but I when I searched the URL in http://google.com/safebrowsing/diagnostic?site=editau.com.br, it is not currently listed. Please, could someone point me where to find 'docs' that help me how to find why safebrowsing.cld still has that signature? I was thinking about contacting the site's owner, but how would I explain that the site is currently not listed in Google Safebrowsing search but it still is in safebrowsing.cld Thank you for your attention. Best regards. Cássio _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
