On 2009-12-11 21:14, Tom Shaw wrote:
> At 3:53 PM +0200 12/10/09, Török Edwin wrote:
>> On 2009-12-10 15:41, Sundara Kaku wrote:
>>>  Hi,
>>>
>>>     As you mentioned "clamav would scan the mail".. means..can I add
>>>  downloaded webpage as attachment to email with (javamail api) and save
>>>  that mail as eml file and send this file for scanning..
>>>
>>>  is this practically possible, does clamav scan html attachments for
>>>  phishing links and malicious javascript
>>>
>>
>> No, it scans only the html body.
>
> Edwin,
>
> This thread brings up a number of items not in the docs.
>
> You state here that clamav only scans the html body. Hopefully you
> don't really mean that the html head part and anything beyond the /body
> tag is not scanned.

No, I mean email body, that is an html file (as determined by clamav's
file type detection).

>
> You also stated in this thread that to get clamav to process and
> detect in an html file you would have to encapsulate it in an email.
> Why is that?

The heuristic phishing detector only works on emails correctly, not
websites by design, hence there is no point
in running it on downloaded webpages. Why? Because a phishing email
contains a link <a href="...evilurl..."> email of banksite </a>,
a phishing website will contain a login form looking similar to a banksite.
These are very different things.

Safebrowsing was only used on links found in emails by design, links
found in other HTML files are not checked to improve performance,
and because there are other ways to protect web browsers from malicious
URLs listed in the safebrowsing DB in near realtime (for example firefox).

Most phishing signatures however work on HTML files too (regardless of what
they are contained in), using signatures type 3 and 0.
Other phishing signatures are type 4 though, and work only on emails.
These are Email.Phishing.RB.* which usually block often used phishing sites
(and are removed from the DB after a while when the link is no longer
active/actively spammed).

> Does this mean that if I use clamav to process a directory say, on my
> server, that it will not detect bad html files or bad php files?  Is this
> true for graphics as well?
>
> What files are matched to signatures of type 1 through 7?

Type 4 only works on emails, anything else should work on the respective
filetype regardless if they are packed inside some other file.
Only exception is the heuristic phishing detection and safebrowsing
which only work on email bodies.

Best regards,
--Edwin
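
A simplified model of the target-type rule described in the message above, as an added example that is not part of the original post or ClamAV's own code: it parses extended (.ndb) signature lines and lists which signatures are eligible for an HTML file scanned on its own versus the same HTML carried in an email. The signature names, hex patterns and the parse_ndb/eligible helpers are constructed for illustration; heuristic phishing detection and safebrowsing are not modelled.

```python
from dataclasses import dataclass

# Target types used by ClamAV extended (.ndb) signatures.
TARGET_TYPES = {0: "any", 1: "pe", 2: "ole2", 3: "html", 4: "mail",
                5: "graphics", 6: "elf", 7: "ascii"}

@dataclass(frozen=True)
class NdbSig:
    name: str
    target: int
    offset: str
    hexsig: str

def parse_ndb(text):
    """Parse 'Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]' lines, skipping bad ones."""
    sigs = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # malformed or empty line
        target = int(fields[1])
        if target not in TARGET_TYPES:
            continue  # unknown target type
        sigs.append(NdbSig(fields[0], target, fields[2], fields[3]))
    return sigs

def eligible(sigs, nesting):
    """nesting lists detected file types, outermost first, e.g. ["mail", "html"].
    Assumption of this model: each layer is matched against type-0 signatures
    and against signatures whose target type equals that layer's type."""
    layers = set(nesting)
    return sorted(s.name for s in sigs
                  if s.target == 0 or TARGET_TYPES[s.target] in layers)

# Constructed sample database; names and hex patterns are made up.
SAMPLE_NDB = """\
Constructed.Phish.Generic:0:*:6576696c75726c
Constructed.Phish.HtmlForm:3:*:3c666f726d
Constructed.Phish.MailOnly:4:*:66726f6d3a
Constructed.Win.Dropper:1:EP+0:4d5a9000
broken line without fields
"""

if __name__ == "__main__":
    sigs = parse_ndb(SAMPLE_NDB)
    print("HTML file on disk:", eligible(sigs, ["html"]))
    print("HTML inside .eml: ", eligible(sigs, ["mail", "html"]))
```

The type-4 entry appears only in the second list, which is the difference the reply describes for the Email.Phishing.RB.* signatures.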