Mailing List Archive

Hi there,

It has been a little difficult to make sense of your posts. Be aware
that not everyone will be using the same kind of mail client and that
on my screen things might not look the same as they do on yours. If
your English is not sufficiently good to explain your problem, perhaps
before you post here you can find a native English speaker to whom you
can try to explain it.

Joel asked you about the file type, but it seems that you did not
understand the question. For more information, see the ClamAV
documentation for writing signatures at

https://www.clamav.net/documents/creating-signatures-for-clamav

See also the 'sigtool' output in my message below.

On Mon, 24 Aug 2020, shishabert@vollbio.de wrote:

> clamscan doesn't identify cases where (real_URL != displayable_URL) as virus
> automatically by using the urlhaus.ndb: https:// urlhaus.abuse.ch/downloads/urlhaus.ndb - the urlhaus.ndb is not generated as *.pdb file https:// urlhaus.abuse.ch/api/

My clamd server does not seem to agree with you.

I picked a URLhaus signature at random and created a file for testing.
Note that in the output shown below I have obscured the URL itself by
substituting "xxxx" in place of the "http", and by wrapping the two
dots in [square brackets]. I also removed my bash prompt's context.
Those are the only changes I've made in the output.

Here's the .ndb file:

8<----------------------------------------------------------------------
$ ls -l /var/lib/clamav/databases/urlhaus.ndb
-rw-r--r-- 1 clamav clamav 823898 Aug 24 12:20 /var/lib/clamav/databases/urlhaus.ndb
8<----------------------------------------------------------------------

Here's a more or less random URLhaus signature:

8<----------------------------------------------------------------------
$ sigtool --datadir=/var/lib/clamav/databases -fURLhaus.22877 | sigtool --decode-sigs
VIRUS NAME: URLhaus.22877
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
xxxx://www[.]allloveseries[.]com/Jun2018/Invoices/
8<----------------------------------------------------------------------

Here's a test file:

8<----------------------------------------------------------------------
$ cat test2.txt
This is a text file containing a bare URL.

<A href="xxxx://www[.]allloveseries[.]com/Jun2018/Invoices/">

8<----------------------------------------------------------------------

Let's see if clamd finds it:

8<----------------------------------------------------------------------
$ file test2.txt
test2.txt: HTML document, ASCII text
$ clamdscan --config-file=/etc/mail/clamav/clamd.conf ~/test2.txt
/home/ged/test2.txt: Urlhaus.Malware.22877-7132725-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.025 sec (0 m 0 s)
8<----------------------------------------------------------------------

Yes, it did.

Now I remove one character from the HTML tag:

8<----------------------------------------------------------------------
$ vi test2.txt
$ cat test2.txt
This is a text file containing a bare URL.

<A href="xxxx://www[.]allloveseries[.]com/Jun2018/Invoices/"

8<----------------------------------------------------------------------

Let's see if clamd finds it:

8<----------------------------------------------------------------------
$ clamdscan --config-file=/etc/mail/clamav/clamd.conf ~/test2.txt
/home/ged/test2.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.026 sec (0 m 0 s)
8<----------------------------------------------------------------------

No, it didn't find that. All I did was remove a single '>' character.

Fix the broken tag, add some junk for "display URL".

8<----------------------------------------------------------------------
$ vi test2.txt
$ cat test2.txt
This is a text file contianing a bare URL.

<A href="xxxx://www[.]allloveseries[.]com/Jun2018/Invoices/">silly_link</A>

8<----------------------------------------------------------------------

Let's see if clamd finds it now:

8<----------------------------------------------------------------------
$ clamdscan --config-file=/etc/mail/clamav/clamd.conf ~/test2.txt
/home/ged/test2.txt: Urlhaus.Malware.22877-7132725-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.012 sec (0 m 0 s)
8<----------------------------------------------------------------------

Yes it does.

The opening HTML tag must be complete, but there is no need even for a
display URL to exist and the closing tag ("</A>") need not be present.

So at least on my system clamdscan and clamd are behaving as I expect.

> is the real_URL directly in the HTML Mail wrote, clamscan dedect it correctly.
> Can anyone tell me, where is my settingsproblem to find?

I have very little experience of the URLhaus signatures, but from my
understanding of the way in which these things work I do not see how
the "display URL" could have had the effect which you described.

It is not clear to me that you have explained the problem adequately.
Perhaps you are trying to fix it before you have actually found it.

Note that if the target file type is 'HTML' (see the 'sigtool' output
above) clamd MUST recognize the file or stream as being of type HTML
for the signature to be applied during a scan. This may be the issue
you're having, rather than a problem with the real/displayed URLs.

Note also that some mail clients with graphical interfaces will do the
strangest things with _any_ text in a message which looks like a URL.
Sometimes, if the mail client tries to be too 'helpful', it can be
difficult to express these issues clearly in an email.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml