[clamav-users] PhishingScanURLs no/yes
Hi

Can anybody explain why when "PhishingScanURLs no" I get Loaded
9042923 signatures in logs and when "PhishingScanURLs yes" I get Loaded
11256306 signatures

I would have expected the difference to be the count of URLs in
daily.pdb (263) not 2,213,383.  What else is not getting loaded when
"PhishingScanURLs no" is set?

Regards Paul



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] PhishingScanURLs no/yes
Hi there,

On Mon, 10 Aug 2020, Paul via clamav-users wrote:

> Can anybody explain why when "PhishingScanURLs no" I get Loaded 9042923
> signatures in logs and when "PhishingScanURLs yes" I get Loaded 11256306
> signatures
>
> I would have expected the difference to be the count of urls in daily.pdb
> (263) not 2,213,383.  What else is not getting loaded when "PhishingScanURLs
> no" is set.

I suspect at least one fundamental misunderstanding. It isn't clear
to me how you have reached the conclusion that the 'PhishingScanURLs'
configuration option should have the effect which you describe (nor is
it clear why you mention only 'daily.pdb'). ClamAV signatures have a
complex structure. Without a good understanding of it, you'll find it
difficult to work with them. Please see the documentation, especially

http://www.clamav.net/documents/phishsigs#hints

which should explain why the number of URLs which you have counted (by
_whatever_ method) in any of the signature databases is not relevant
to the observed difference in the numbers of signatures loaded.

The entry for the 'PhishingScanURLs' configuration option in the man
page for clamd.conf may also help.

Apart from curiosity, is there some deeper reason behind the question
such as memory consumption, performance, vulnerability, ...? It's a
great deal more important to understand the limitations and potential
downsides of enabling certain features than it is to count signatures.
I'm tempted to say that a bare signature count is, to all intents and
purposes, more or less meaningless.

--

73,
Ged.

Re: [clamav-users] PhishingScanURLs no/yes
On 10/08/2020 15:10, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 10 Aug 2020, Paul via clamav-users wrote:
>
>> Can anybody explain why when "PhishingScanURLs no" I get Loaded
>> 9042923 signatures in logs and when "PhishingScanURLs yes" I get
>> Loaded 11256306 signatures
>>
>> I would have expected the difference to be the count of urls in
>> daily.pdb (263) not 2,213,383.  What else is not getting loaded when
>> "PhishingScanURLs no" is set.
>
> I suspect at least one fundamental misunderstanding.  It isn't clear
> to me how you have reached the conclusion that the 'PhishingScanURLs'
> configuration option should have the effect which you describe (nor is
> it clear why you mention only 'daily.pdb').  ClamAV signatures have a
> complex structure.  Without a good understanding of it, you'll find it
> difficult to work with them.  Please see the documentation, especially
>
> http://www.clamav.net/documents/phishsigs#hints
>
> which should explain why the number of URLs which you have counted (by
> _whatever_ method) in any of the signature databases is not relevant
> to the observed difference in the numbers of signatures loaded.
>
> The entry for the 'PhishingScanURLs' configuration option in the man
> page for clamd.conf may also help.
>
> Apart from curiosity, is there some deeper reason behind the question
> such as memory consumption, performance, vulnerability, ...?  It's a
> great deal more important to understand the limitations and potential
> downsides of enabling certain features than it is to count signatures.
> I'm tempted to say that a bare signature count is, to all intents and
> purposes, more or less meaningless.
>
Hi

Further digging has led me to find that when "PhishingScanURLs no" is
set the signatures in safebrowsing.cld are not loaded by clamd.


paule@larch:clamscan -d safebrowsing.cld /etc/hosts
/etc/hosts: OK

----------- SCAN SUMMARY -----------
Known viruses: 2213119
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 3.954 sec (0 m 3 s)

Thanks Paul



Re: [clamav-users] PhishingScanURLs no/yes
On 11/08/2020 00:53, Paul via clamav-users wrote:
>
[SNIP]
>
> Further digging has led me to find that when "PhishingScanURLs no" is
> set the signatures in safebrowsing.cld are not loaded by clamd.
>
Well, there's a win for plain and simple use of the English language (or
a close approximation thereof. ;-) ).

Cheers,
Gary B-)

Re: [clamav-users] PhishingScanURLs no/yes
Hi there,

On Tue, 11 Aug 2020, Gary R. Schmidt wrote:

> On 11/08/2020 00:53, Paul via clamav-users wrote:
>>
> [SNIP]
>> Further digging has led me to find that when "PhishingScanURLs no" is set
>> the signatures in safebrowsing.cld are not loaded by clamd.
>>
> Well, there's a win for plain and simple use of the English language (or a
> close approximation thereof. ;-) ).

[quote From "Prejudices: Second Series" by H.L. Mencken, 1880-1956]

Explanations exist; they have existed for all time; there is always a
well-known solution to every human problem - neat, plausible, and wrong.

[/quote]

Quoting from the freshclam.conf 'man' page:

"SafeBrowsing BOOL
This option enables support for Google Safe Browsing. When activated
for the first time, freshclam will download a new database file
(safebrowsing.cvd) which will be automatically loaded by clamd and
clamscan during the next reload, provided that the heuristic
phishing detection is turned on. This database includes
information about websites that may be phishing sites or possible
sources of malware. When using this option, it's mandatory to run
freshclam at least every 30 minutes. Freshclam uses the ClamAV's
mirror infrastructure to distribute the database and its updates but
all the contents are provided under Google's terms of use. See
https://support.google.com/code/answer/70015 and
https://www.clamav.net/documents/safebrowsing for more information.
Default: no"

And at http://www.clamav.net/documents/safebrowsing:

"The Safebrowsing database is packed inside a CVD file and distributed
through our mirror network. This feature is disabled by default on all
installations and should be enabled with extreme care."
...
"There is no option in clamd.conf. If the engine finds Google Safe
Browsing files in the database directory, ClamAV will enable safe
browsing. To turn it off you need to update freshclam.conf and remove
the safebrowsing files from the database directory before restarting
clamd."

--

73,
Ged.
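
Added example, not part of the thread and not ClamAV project code: a small
shell check that combines the two settings discussed above with the contents
of the database directory and reports whether the safebrowsing signatures
will be loaded. The function names and state labels are made up for this
example, and the "yes" default for PhishingScanURLs is an assumption.

```shell
#!/bin/sh
# Added example. PhishingScanURLs, SafeBrowsing and safebrowsing.cvd/.cld come
# from the thread; function names and state labels are invented here.

# conf_value FILE KEY DEFAULT: last uncommented "KEY value" line, else DEFAULT.
conf_value() {
    v=$(awk -v k="$2" '$1 == k { val = $2 } END { print val }' "$1" 2>/dev/null) || v=""
    printf '%s\n' "${v:-$3}"
}

# is_yes VALUE: succeeds for the positive spellings of a ClamAV BOOL option.
is_yes() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# safebrowsing_state CLAMD_CONF FRESHCLAM_CONF DBDIR: prints one state label.
safebrowsing_state() {
    found=no
    for f in "$3/safebrowsing.cvd" "$3/safebrowsing.cld"; do
        if [ -f "$f" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then echo absent; return 0; fi
    # Assumption: PhishingScanURLs defaults to yes when clamd.conf omits it.
    if ! is_yes "$(conf_value "$1" PhishingScanURLs yes)"; then
        echo present-not-loaded   # the case reported in the thread
        return 0
    fi
    # SafeBrowsing defaults to no, per the quoted freshclam.conf man page.
    if is_yes "$(conf_value "$2" SafeBrowsing no)"; then
        echo loaded
    else
        echo loaded-not-updated   # leftover files that freshclam no longer refreshes
    fi
}

# Constructed sample reproducing the thread: database present, option off.
demo=$(mktemp -d)
printf 'PhishingScanURLs no\n' > "$demo/clamd.conf"
printf 'SafeBrowsing yes\n' > "$demo/freshclam.conf"
: > "$demo/safebrowsing.cld"
safebrowsing_state "$demo/clamd.conf" "$demo/freshclam.conf" "$demo"
rm -rf "$demo"
```

A "loaded-not-updated" result is the situation the quoted documentation
addresses by removing the safebrowsing files from the database directory
before restarting clamd.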
