Lilia -

  Thanks for the response.   We're seeing some others getting triggered as well:

    Virus Urlhaus.Malware.490516-9766015-0:
       10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
       10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
       10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
       10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
       10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)

    Virus Urlhaus.Malware.161756-8797115-0:
       10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
       10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)


Orion

On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
>
> Thank you for reporting this. URLhaus is a partner that generates a list of
> ClamAV signatures to target malicious URLs. Signature
> Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> files, which is why it is alerting on the URLs you mentioned. We found these
> FPs some weeks ago and added an extra check on new ClamAV signatures to
> prevent them from alerting on legitimate URLhaus content. We are currently
> updating older ClamAV signatures to ensure they don't FP on non-malicious
> HTML files.
>
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
> On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <or...@nwra.com> wrote:
>
>     Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
>     signature?  We're seeing following URLs trigger it:
>
>     https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
>     https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
>     https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
>     https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
>     https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
>     Which seems to be the online update URLs for the urlhaus filter.  Does
>     ClamAV deem urlhaus a bad actor?
>
>     Thanks,
>       Orion
>
>     -- 
>     Orion Poplawski
>     Manager of NWRA Technical Systems          720-772-5637
>     NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>     3380 Mitchell Lane                       or...@nwra.com
>     Boulder, CO 80301                 https://www.nwra.com/
>
>     _______________________________________________
>
>     clamav-users mailing list
>     clamav-users@lists.clamav.net
>     https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
>     Help us build a comprehensive ClamAV guide:
>     https://github.com/vrtadmin/clamav-faq
>
>     http://www.clamav.net/contact.html#ml
>


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
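While Talos reworks the signatures Lilia describes, a site can stop the reported names from alerting locally. The shell helper below is an added example, not code from the thread, from ClamAV or from Talos: it pulls signature names out of clamscan output or the logwatch summary form quoted above, writes them to a `.ign2` file (ClamAV ignores every signature named in such a file in its database directory), and sanity-checks the file before clamd reloads it. The database path, log path and file name are assumptions; the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV/Talos): suppress known
# false-positive signatures locally. ClamAV skips any signature whose name is
# listed, one per line, in a *.ign2 file in its database directory. Revisit
# the list once corrected signatures ship: an ignored signature never alerts.

# Constructed sample mixing the logwatch form seen in the thread ("Virus Name:")
# with clamscan's own "file: Name FOUND" form.
SAMPLE_LOG='    Virus Urlhaus.Malware.490516-9766015-0:
       10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
/tmp/urlhaus-filter-online.txt: Urlhaus.Malware.452652-9766253-0 FOUND
    Virus Urlhaus.Malware.490516-9766015-0:
/tmp/clean.txt: OK'

# Read log text on stdin; print unique signature names, one per line, in
# first-seen order. Only the bare name is kept: a "Virus " prefix or trailing
# colon copied into the .ign2 file would make the entry useless.
extract_sig_names() {
    sed -n \
        -e 's/^.*: \([A-Za-z0-9_.-][A-Za-z0-9_.-]*\) FOUND$/\1/p' \
        -e 's/^[[:space:]]*Virus \([A-Za-z0-9_.-][A-Za-z0-9_.-]*\):.*$/\1/p' \
    | awk '!seen[$0]++'
}

# Append names from stdin to the ignore file, skipping ones already present.
# $1 = ignore file; the default path is an assumption, use your DatabaseDirectory.
write_ign2() {
    ign="${1:-/var/lib/clamav/local.ign2}"
    touch "$ign"
    while IFS= read -r name; do
        grep -qxF "$name" "$ign" || printf '%s\n' "$name" >> "$ign"
    done
}

# Sanity check before reloading clamd: every line must look like a signature
# name. Prints offending lines (numbered) and returns 1 if any are found.
check_ign2() {
    if grep -nvE '^[A-Za-z0-9_.-]+$' "$1"; then
        echo "malformed entries in $1" >&2
        return 1
    fi
    return 0
}

# Typical use on the scanning host (log path assumed); afterwards reload clamd
# (service name varies by distro) and re-scan the filter list, which should
# now report OK:
#   grep ' FOUND$' /var/log/clamav/clamav.log | extract_sig_names | write_ign2
#   check_ign2 /var/lib/clamav/local.ign2
```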

