clamav-users March 2009 archive

Re: [Clamav-users] ClamAV 0.95rc2 - 1159852 signatures vs sigtool reporting 696491

From: Török Edwin <edwintorok_at_nospam>
Date: Tue Mar 24 2009 - 15:07:53 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


On 2009-03-24 17:04, Bill Landry wrote:
> Török Edwin wrote:
>
>
>> For whitelisting lada.cc you can use either:
>> X:(.+\.)?lada.cc([/?].*)?:(.+\.)?lada.cc([/?].*)?
>>
>> Or this one (but it will also whitelist URL mismatches from lada.cc to
>> anything, not recommended):
>> X:(.+\.)?lada.cc([/?].*)?:.+
>>
>> Or any other regular expression that whitelists what you want, the
>> format is described in docs/phishsigs_howto.pdf,
>> in this case it is: X:RealURL:DisplayedURL
>>
>
> Ok, I've reviewed the phishsigs_howto.pdf, but have failed in my efforts
> to create a whitelist entry based on the hash

"whitelist entry based on hash = per-entry whitelisting" I was referring to below, that will be in 0.95.1

> (rather than using a
> regular expression).

The only way (for now) is to use a regular expression.

> Here are the relevant lines from --debug output:
> ===
> LibClamAV debug: Phishcheck:Checking url http://lada.cc/</a->
> LibClamAV debug: Looking up hash
> 5B07A56EB8269FE807FE55828D69A56135A1E43B1CDD96432AC5DDFC75251142 for
> lada.cc/(8)</a(1)
> LibClamAV debug: Looking up hash
> F5B73C1339C8C9B2B9537F129D63F4ECA16E0346819FB417E643CDA7B9EFA09A for
> lada.cc/(8)</a(0)
> LibClamAV debug: prefix matched
> LibClamAV debug: Hash matched for: http://lada.cc/</a
> LibClamAV debug: Phishcheck:URL after cleanup: http://lada.cc->
> LibClamAV debug: Displayed 'url' is not url:
> LibClamAV debug: Phishing: looking up in whitelist: http://lada.cc:;
> host-only:0
> LibClamAV debug: Looking up in regex_list: http://lada.cc:/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: Blacklisted
> LibClamAV debug: found Possibly Unwanted:
> Safebrowsing.Suspected-malware_safebrowsing.clamav.net
> ===
>
> Can you show me what a valid hash whitelist entry in local.wdb might
> look like for this hash?
>

For 0.95.1 I was thinking about something like this (not yet implemented):
S:X:F5B73C1339C8C9B2B9537F129D63F4ECA16E0346819FB417E643CDA7B9EFA09A

Best regards,
--Edwin



Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
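The two X:RealURL:DisplayedURL rules from the message, as an added example that is not part of the original post and not ClamAV's own code: a small Python reimplementation of a .wdb whitelist lookup that parses X: lines, joins the two regexes into one "real:displayed" key pattern, and checks URL pairs against it. It assumes (as labelled in the code) that the URL scheme is stripped from both sides before matching and that the combined regex must match the whole key; ClamAV's matcher uses POSIX ERE, but the rules here behave the same under Python's re. The sample .wdb content is constructed. Running it shows why the second rule is "not recommended": it whitelists lada.cc displayed as anything (including the bare "/" seen in the debug output), while neither rule whitelists a real URL that is not lada.cc.

```python
import re
from typing import List

# Constructed sample .wdb content, not a real ClamAV signature file.
# STRICT_WDB carries the recommended rule from the message, BROAD_WDB the
# one the message advises against.
STRICT_WDB = r"""# whitelist lada.cc displayed as lada.cc only
X:(.+\.)?lada.cc([/?].*)?:(.+\.)?lada.cc([/?].*)?
"""

BROAD_WDB = r"""# whitelist lada.cc displayed as anything (not recommended)
X:(.+\.)?lada.cc([/?].*)?:.+
"""

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def parse_wdb(text: str) -> List[re.Pattern]:
    """Parse X:RealURL:DisplayedURL lines into compiled key patterns.

    Assumption: the two regexes are joined with ':' and anchored at both
    ends (fullmatch), so a rule only matches a whole 'real:displayed' key.
    The regexes must not contain an unescaped ':' (true of the rules above);
    an optional trailing field (ClamAV's FuncLevelSpec) is ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("X:"):
            raise ValueError(f"line {lineno}: unsupported entry type {line[:2]!r}")
        fields = line[2:].split(":")
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected X:RealURL:DisplayedURL")
        real, displayed = fields[0], fields[1]
        rules.append(re.compile(f"{real}:{displayed}"))
    return rules


def lookup_key(real_url: str, displayed_url: str) -> str:
    """Build the 'real:displayed' key a rule is matched against.

    Assumption: the scheme (http://, https://, ...) is dropped from both URLs
    first, so '(.+\\.)?lada.cc' can match from the start of the key.
    """
    return f"{_SCHEME.sub('', real_url)}:{_SCHEME.sub('', displayed_url)}"


def is_whitelisted(rules: List[re.Pattern], real_url: str, displayed_url: str) -> bool:
    """True if any rule matches the whole lookup key for this URL pair."""
    key = lookup_key(real_url, displayed_url)
    return any(rule.fullmatch(key) for rule in rules)


if __name__ == "__main__":
    strict = parse_wdb(STRICT_WDB)
    broad = parse_wdb(BROAD_WDB)
    # Constructed URL pairs: (real href, displayed text) as the phishing
    # module sees them; the last one mirrors the 'lada.cc:/' key in the
    # debug output, where the displayed text was not a URL at all.
    pairs = [
        ("http://lada.cc/", "http://lada.cc/"),
        ("http://www.lada.cc/x?y=1", "lada.cc"),
        ("http://lada.cc/", "http://evil.example/"),
        ("http://evil.example/", "http://lada.cc/"),
        ("http://lada.cc/", "/"),
    ]
    for real, shown in pairs:
        print(f"{lookup_key(real, shown):40} strict={is_whitelisted(strict, real, shown)!s:5} "
              f"broad={is_whitelisted(broad, real, shown)}")
```

The check worth keeping in mind when writing such rules: the real-URL half is what stops a phisher from being whitelisted, so loosening only the displayed half (the `.+` rule) is tolerable but loosening the real half is not.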