clamav-users August 2009 archive

Re: [Clamav-users] Google Safebrowsing: listed in clamav safebrowsing.cvd and 'white' status in StopBadware and 'not listed' at Google SafeBrowse status page

From: <casfre_at_nospam>
Date: Thu Aug 06 2009 - 15:28:30 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Hi,

On Mon, Jul 27, 2009 at 11:31 AM, casfre@gmail.com<casfre@gmail.com> wrote:
> Hi Edwin,
>
> 2009/7/24 Török Edwin <edwintorok@gmail.com>:
>> On 2009-07-24 01:26, casfre@gmail.com wrote:
>>> Hi,
>>>
>>>    I need some help to understand this issue.
>>>
>>>    We are using safebrowsing.cvd (postfix/amavisd/clamd) and we
>>> started to get problems with two newsletters here [1] [2]
>>>
>>>    Messages are in HTML and have some 'links'. I tested all I could
>>> find and got the same result as [1][2] (except for some sites that had
>>> never been listed).
>>>
>>>    I used the SafeBrowsing 'diagnostic' tool and I got "This site is
>>> not currently listed as suspicious" for both sites [1][2].
>>>
>>>    I searched at StopBadware [3][4] and sites are 'white bullet' status.
>>>
>>>    Just 'owners' [5] can ask for a review but, before reporting to
>>> them, I would like to know if safebrowsing.cvd is ok in clamav.net.
>>>
>>>    If I missed something, please, help me to find the 'docs' to solve
>>> my question (for example, how can I know what is the 'content' in the
>>> email message contents that 'triggered' the safebrowsing.cvd
>>> signature?)
>>>
>>
>> You can run 'clamscan --debug yourfile.eml', and look for something like
>> this in the debug output:
>>
>> LibClamAV debug: Phishcheck:Checking url ....
>> LibClamAV debug: Looking up hash
>> 73D986E009065F182C10BCB6A45DB3D6EDA9498F8930654AF2653F8A938CD801 for ...
>> LibClamAV debug: Looking up hash
>> 7F6FD541E625E7BC5D5A64F166E47ECFE13735464A74D160B48265C162A71089 for ....
>> LibClamAV debug: prefix matched
>> LibClamAV debug: This hash matched:
>> 7F6FD541E625E7BC5D5A64F166E47ECFE13735464A74D160B48265C162A71089
>> LibClamAV debug: Hash matched for .....
>> LibClamAV debug: Phishcheck: Phishing scan result: Blacklisted
>
>   Sorry for taking so long to answer. I am a 'newbie' in these issues
> of hash analysis.
>
>   Following your directions I found the 'triggering' URL. Nothing
> appears as suspected, but there is a 'link' to a .doc file. I will try
> to notify the site's owner.

I identified which URL is 'triggering' the virus identification as Safebrowsing.Suspected-malware_safebrowsing.net, but when I searched for the URL at http://google.com/safebrowsing/diagnostic?site=editau.com.br, it is not currently listed.

Please, could someone point me to where to find 'docs' that help me find out why safebrowsing.cld still has that signature?

I was thinking about contacting the site's owner, but how would I explain that the site is currently not listed in Google Safebrowsing search but it still is in safebrowsing.cld?

Thank you for your attention.

Best regards.

Cássio
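
The debug-output check described in the quoted reply can be scripted. The following is an added example, not part of the original thread or of ClamAV: it reads `clamscan --debug` output and reports each checked URL whose block contains a "This hash matched" line, re-joining hashes that wrapped onto their own line as in the quoted mail. The text after "Checking url" and "for" is elided on the page, so its shape in the constructed sample is an assumption, as are the hosts and hashes.

```python
import re
import sys

PREFIX = "LibClamAV debug: "
HASH = r"([0-9A-Fa-f]{64})"
CHECK = re.compile(r"Phishcheck:\s*Checking url (.+)")
LOOKUP = re.compile(rf"Looking up hash {HASH} for (.+)")
MATCHED = re.compile(rf"This hash matched: {HASH}")

# Constructed sample: hosts and hashes are made up, and the text after
# "Checking url" / "for" is an assumed shape (the page elides it with dots).
SAMPLE = f"""\
{PREFIX}Phishcheck:Checking url http://news.example.test/issue42.html
{PREFIX}Looking up hash {'A1' * 32} for news.example.test/
{PREFIX}Phishcheck:Checking url http://files.example.test/docs/report.doc
{PREFIX}Looking up hash
{'B2' * 32} for files.example.test/docs/report.doc
{PREFIX}Looking up hash {'C3' * 32} for files.example.test/
{PREFIX}This hash matched:
{'C3' * 32}
{PREFIX}Phishcheck: Phishing scan result: Blacklisted
"""

def unwrap(lines):
    """Re-join a hash that a mail client wrapped onto its own line."""
    out = []
    for line in map(str.strip, lines):
        if out and re.match(HASH, line):
            out[-1] += " " + line
        elif line.startswith(PREFIX):
            out.append(line)
    return out

def matched_urls(lines):
    """One record per checked URL whose block reports 'This hash matched'."""
    checks = []
    for line in unwrap(lines):
        if m := CHECK.search(line):
            checks.append({"url": m[1].strip(), "lookups": {}, "hash": None})
        elif checks and (m := LOOKUP.search(line)):
            checks[-1]["lookups"][m[1].upper()] = m[2].strip()
        elif checks and (m := MATCHED.search(line)):
            checks[-1]["hash"] = m[1].upper()
    return [dict(c, matched_on=c["lookups"].get(c["hash"])) for c in checks if c["hash"]]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for hit in matched_urls(text.splitlines()):
        print(f'{hit["url"]}: matched on {hit["matched_on"]} ({hit["hash"]})')
```

To run it on a real message, pipe `clamscan --debug yourfile.eml 2>&1` into the script, since libclamav writes its debug messages to stderr.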


