So that is apparently a malicious site as determined by Urlhaus and is on their filter list. But how is it useful as a ClamAV signature? You are not going to be filtering URLs with ClamAV, right? And now it's blocking these emails because they contain this string.
Orion

On 12/23/20 11:26 AM, eric-l...@truenet.com wrote:
> Here's the signature decoded:
> # sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
> VIRUS NAME: Urlhaus.Malware.452652-9766253-0
> FUNCTIONALITY LEVEL: >=48
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> -----Original Message-----
> From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of Orion Poplawski
> Sent: Wednesday, December 23, 2020 1:11 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
>
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature? We're seeing following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter. Does
> ClamAV deem urlhaus a bad actor?
>
> Thanks,
> Orion
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/
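Added example, not part of the original thread and not ClamAV code: a Python sketch that decodes a body signature of the kind shown above and reports which lines of a flagged file carry the string, which is how a blocklist file or a reply quoting the signature ends up matching. The `.ndb`-style line, the sample inputs and the helper names `parse_ndb`, `find_hits` and `triage` are constructed for illustration.

```python
import re

# Decoded body and metadata as quoted in the thread; the .ndb-style line is
# constructed here for illustration, not copied from the ClamAV database.
DECODED = "aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/"
NDB_LINE = "Urlhaus.Malware.452652-9766253-0:3:*:" + DECODED.encode().hex() + ":48"
TARGET_TYPES = {0: "any", 3: "HTML", 4: "mail", 7: "ASCII text"}

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]] into fields."""
    name, target, offset, hexsig, *flevels = line.strip().split(":")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        raise ValueError("wildcards or malformed hex: only plain hex bodies handled")
    return {"name": name, "target": TARGET_TYPES.get(int(target), target),
            "offset": offset, "pattern": bytes.fromhex(hexsig),
            "min_flevel": int(flevels[0]) if flevels else None}

def find_hits(sig, data):
    """Return (line_number, text) for every line of data containing the body."""
    # Lowercasing is a rough stand-in (assumption) for ClamAV's HTML
    # normalization; file typing and the rest of normalization are ignored.
    needle = sig["pattern"].lower()
    return [(n, raw.decode("latin-1").strip())
            for n, raw in enumerate(data.splitlines(), 1)
            if needle in raw.lower()]

# Constructed sample inputs: a blocklist excerpt, a mail quoting the decoded
# signature, and an unrelated mail.
SAMPLES = {
    "blocklist.txt": b"! constructed blocklist excerpt\nexample.invalid/a.exe\n"
                     + DECODED.encode() + b"\n",
    "reply.eml": b"Subject: Re: signature question\n\n> DECODED SIGNATURE:\n> "
                 + DECODED.encode() + b"\n",
    "unrelated.eml": b"Subject: lunch\n\nSee https://example.invalid/menu\n",
}

def triage(ndb_line, samples):
    """Map each sample name to the lines the signature body matches."""
    sig = parse_ndb(ndb_line)
    return {name: find_hits(sig, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in triage(NDB_LINE, SAMPLES).items():
        print(name, "->", hits or "no match")
```

Where such a match is a false positive for the local mail flow, ClamAV can be told to skip a signature by name through a local `.ign2` file in its database directory.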