Mailing List Archive

[clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature? We're seeing the following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

These seem to be the online update URLs for the urlhaus filter. Does ClamAV
deem urlhaus a bad actor?

Thanks,
Orion

--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Here's the signature decoded:
# sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
Orion Poplawski
Sent: Wednesday, December 23, 2020 1:11 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Orion Poplawski wrote:
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature? We're seeing following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter. Does ClamAV
> deem urlhaus a bad actor?

No, but that signature matches a line in that file. Which should be
expected since the Clam signature is presumably derived from the
original source for that file.

-kgd

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
So that is apparently a malicious site as determined by Urlhaus and is on
their filter list. But how is it useful as a ClamAV signature? You are not
going to be filtering URLs with ClamAV, right? And now it's blocking these
emails because they contain this string.

Orion

On 12/23/20 11:26 AM, eric-list@truenet.com wrote:
> Here's the signature decoded:
> # sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
> VIRUS NAME: Urlhaus.Malware.452652-9766253-0
> FUNCTIONALITY LEVEL: >=48
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
Re: [clamav-users] [SUSPICIOUS] Re: Question about Urlhaus.Malware.452652-9766253-0
You should set it to ignore if you don’t want to use it.

Sent from my iPad

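A small triage helper, added here as an example (it is not ClamAV's or Talos's code), for the two points made above: kgd's observation that the signature fires because the decoded URL is literally present in the blocklist file, and the suggestion to set the signature to ignore. It parses constructed `sigtool --decode-sig` output, reports which decoded patterns occur verbatim in a constructed blocklist excerpt, and renders those names in `.ign2` format (one signature name per line, the ignore list ClamAV reads from its database directory); the case-insensitive substring check is an assumption standing in for ClamAV's HTML normalisation.

```python
"""Triage helper for ClamAV URL-signature false positives.

Parses what `sigtool --find-sig NAME | sigtool --decode-sig` prints, then
checks whether each decoded pattern is literally present in a file that
raised the alert. When that file is a blocklist such as
urlhaus-filter-online.txt, the hit is explained by the list naming the same
malicious URL, and the signature names can be written to a .ign2 file
(one name per line, placed in ClamAV's database directory) to silence them.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of sigtool --decode-sig output (two signatures); the
# first mirrors the block posted in this thread, the second is invented.
SIGTOOL_OUTPUT = """\
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
VIRUS NAME: Example.Test.Dropper-1
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
dropper.example/get/*/stage2.exe
"""

# Constructed excerpt of a uBlock-style blocklist that was scanned.
BLOCKLIST_SAMPLE = """\
! Title: constructed blocklist excerpt
||aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/$all
||benign.example^$all
"""

WILDCARDS = ("*", "??", "{")  # ClamAV body-signature wildcard syntax


@dataclass(frozen=True)
class DecodedSig:
    name: str
    target: str
    pattern: str


def parse_sigtool_output(text: str) -> List[DecodedSig]:
    """One DecodedSig per VIRUS NAME block; the pattern is the line that
    follows the DECODED SIGNATURE: header."""
    sigs: List[DecodedSig] = []
    name = target = ""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("VIRUS NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("TARGET TYPE:"):
            target = line.split(":", 1)[1].strip()
        elif line.startswith("DECODED SIGNATURE:"):
            i += 1
            pattern = lines[i].strip() if i < len(lines) else ""
            if name:
                sigs.append(DecodedSig(name, target, pattern))
            name = target = ""
        i += 1
    return sigs


def find_literal_hits(sigs: List[DecodedSig], content: str) -> Dict[str, int]:
    """Map signature name -> 1-based line of `content` holding its pattern.

    Plain case-insensitive substring search, an assumed approximation of
    ClamAV's HTML normalisation. Patterns carrying wildcard syntax are
    skipped, since a substring test cannot evaluate them.
    """
    hits: Dict[str, int] = {}
    for sig in sigs:
        needle = sig.pattern.lower()
        if not needle or any(w in needle for w in WILDCARDS):
            continue
        for line_no, line in enumerate(content.splitlines(), start=1):
            if needle in line.lower():
                hits[sig.name] = line_no
                break
    return hits


def ign2_text(names) -> str:
    """Render signature names as a .ign2 file body: one name per line."""
    return "".join(f"{n}\n" for n in sorted(names))


if __name__ == "__main__":
    sigs = parse_sigtool_output(SIGTOOL_OUTPUT)
    hits = find_literal_hits(sigs, BLOCKLIST_SAMPLE)
    for name, line_no in hits.items():
        print(f"{name}: pattern present verbatim on blocklist line {line_no}")
    print("ign2 contents:\n" + ign2_text(hits), end="")
```

Only put names in the .ign2 file that you have confirmed this way; each entry silences that signature for everything ClamAV scans, not just the blocklist fetches.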
Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Hi Orion!

Thank you for reporting this. URLhaus is a partner that generates a list of
ClamAV signatures to target malicious URLs. Signature
Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
files, which is why it is alerting on the URLs you mentioned. We found
these FPs some weeks ago and added an extra check on new ClamAV signatures
to prevent them from alerting on legitimate URLhaus content. We are
currently updating older ClamAV signatures to ensure they don't FP on
non-malicious HTML files.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <orion@nwra.com> wrote:

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Lilia -

Thanks for the response. We're seeing some others getting triggered as well:

Virus Urlhaus.Malware.490516-9766015-0:
   10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
   10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
   10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
   10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
   10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)

Virus Urlhaus.Malware.161756-8797115-0:
   10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
   10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)


Orion

On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Hi Orion!

Those NBD signatures were updated at the beginning of the week and should
not FP anymore. Please update your ClamAV db and let us know if the issue
persists.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <orion@nwra.com> wrote:

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Lilia -

Virus database is updated daily and was updated last night. Still seeing one
this morning:

Virus Urlhaus.Malware.364328-9787819-0:
   https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)

Though that is a different signature.

Orion

On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
>
> Those NBD signatures were updated at the beginning of the week and should not
> FP anymore. Please update your ClamAV db and let us know if the issue persists.
>
> Best regards,
>
> Lilia Gonzalez
>  Malware Research Team
>  Cisco Talos
>
>
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <orion@nwra.com
> <mailto:orion@nwra.com>> wrote:
>
> Lilia -
>
>   Thanks for the response.   We're seeing some others getting triggered as
> well:
>
>     Virus Urlhaus.Malware.490516-9766015-0:
>        10.21.2.5
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> <https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt>: 2 Time(s)
>        10.21.2.5
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> <https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt>:
> 2 Time(s)
>        10.21.2.5
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> <https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt>:
> 1 Time(s)
>        10.21.2.5
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> <https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt>:
> 1 Time(s)
>        10.21.2.5
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt
> <https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt>:
> 1 Time(s)
>
>     Virus Urlhaus.Malware.161756-8797115-0:
>        10.10.20.7
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> <https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc>:
> 1 Time(s)
>        10.11.1.3
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> <https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc>:
> 1 Time(s)
>
>
> Orion
>
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a list of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are currently
> > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >


--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0 [ In reply to ]
Orion, I haven't been able to reproduce the FP with
https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc.

If you could send me the file that alerts with
Urlhaus.Malware.364328-9787819-0 I could look into it.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Thu, Jan 7, 2021 at 12:00 PM Orion Poplawski <orion@nwra.com> wrote:

> Lilia -
>
> Virus database is updated daily and updated last night. Still seeing one
> this morning:
>
> Virus Urlhaus.Malware.364328-9787819-0:
>    https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>
> Though that is a different signature.
>
> Orion
>
> On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Those NBD signatures were updated at the beginning of the week and should not
> > FP anymore. Please update your ClamAV db and let us know if the issue persists.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> >
> > On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <orion@nwra.com> wrote:
> >
> > Lilia -
> >
> > Thanks for the response. We're seeing some others getting triggered as
> > well:
> >
> > Virus Urlhaus.Malware.490516-9766015-0:
> >    10.21.2.5  https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
> >    10.21.2.5  https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
> >    10.21.2.5  https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> >    10.21.2.5  https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> >    10.21.2.5  https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
> >
> > Virus Urlhaus.Malware.161756-8797115-0:
> >    10.10.20.7  https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >    10.11.1.3  https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >
> >
> > Orion
> >
Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0 [ In reply to ]
Hi Orion,

Apologies for taking too long to respond. After some tests I was able to
reproduce the FPs and target type 3 LDB signatures for Urlhaus have been
updated and published and should not alert on legitimate files anymore.
Please update your ClamAV database and if you still have some issues please
let me know.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos



On Tue, Jan 12, 2021 at 12:54 PM Orion Poplawski <orion@nwra.com> wrote:

> Lilia -
>
> Odd, I see it:
>
> # https_proxy= curl -o ublock_origin-1.32.4-an+fx.xpi 'https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc'
> # clamscan ublock_origin-1.32.4-an+fx.xpi
> ublock_origin-1.32.4-an+fx.xpi: Urlhaus.Malware.364328-9787819-0 FOUND
>
> # clamscan --version
> ClamAV 0.103.0/26046/Mon Jan 11 05:34:14 2021
>
> # clamscan urlhaus-filter-online.txt
> urlhaus-filter-online.txt: Urlhaus.Malware.364328-9787819-0 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8799521
> Engine version: 0.103.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.29 MB
> Data read: 0.14 MB (ratio 2.11:1)
> Time: 21.911 sec (0 m 21 s)
> Start Date: 2021:01:12 10:37:52
> End Date: 2021:01:12 10:38:14
>
> Other URLs:
>
> Virus Urlhaus.Malware.364328-9787819-0:
>    https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
>    https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
>    https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt: 1 Time(s)
>    https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>    https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>    https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>    https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt: 1 Time(s)
>    https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>
> I've attached copies.
>
> Orion
>
> On 1/8/21 9:18 PM, Lilia Gonzalez Medina wrote:
> > Orion, I haven't been able to reproduce the FP with
> > https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc.
> >
> > If you could send me the file that alerts with
> > Urlhaus.Malware.364328-9787819-0 I could look into it.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
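An added example, not code from the thread and not part of ClamAV itself: a small POSIX shell helper for the triage loop this thread goes through. It parses clamscan's `file: Signature FOUND` lines (the format in Orion's runs above), counts hits per signature, and stages the signatures an operator has confirmed as false positives into a `local.ign2` file, which ClamAV loads from its database directory and uses to skip the named signatures. The sample scan output is constructed to mirror the thread; `/var/lib/clamav` is only a typical database directory and `local.ign2` is an assumed file name.

```shell
#!/bin/sh
# Added example (not from the thread): triage clamscan output and stage a
# local .ign2 whitelist for signatures verified as false positives, such as
# the Urlhaus hits on urlhaus-filter-online.txt discussed above.
# SAMPLE_SCAN is constructed; it mirrors the shape of the thread's clamscan runs.

SAMPLE_SCAN='ublock_origin-1.32.4-an+fx.xpi: Urlhaus.Malware.364328-9787819-0 FOUND
urlhaus-filter-online.txt: Urlhaus.Malware.364328-9787819-0 FOUND
notes.html: Urlhaus.Malware.452652-9766253-0 FOUND
README.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 8799521
Infected files: 3'

# Emit "file<TAB>signature" for every FOUND line in clamscan output.
# Splits on the last ": " so a file name containing ": " is still handled
# (signature names never contain a colon).
hits_from_scan() {
    printf '%s\n' "$1" | awk '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            i = match(line, /: [^:]*$/)
            print substr(line, 1, i - 1) "\t" substr(line, i + 2)
        }'
}

# Unique signature names, one per line: exactly the .ign2 file format
# (ClamAV skips every signature named in a *.ign2 file in its database dir).
ign2_entries() {
    hits_from_scan "$1" | cut -f2 | sort -u
}

# Hits per signature as "signature<TAB>count", most frequent first.
hit_counts() {
    hits_from_scan "$1" | cut -f2 | sort | uniq -c | sort -rn |
        awk '{ print $2 "\t" $1 }'
}

# Write the whitelist to $2/local.ign2 and print the number of entries.
# Only call this with scan output whose hits you have verified as benign.
# Usage: write_ign2 "$SCAN_OUTPUT" /var/lib/clamav   (typical path; adjust)
write_ign2() {
    scan=$1
    dbdir=$2
    [ -d "$dbdir" ] || { echo "no such database directory: $dbdir" >&2; return 1; }
    ign2_entries "$scan" > "$dbdir/local.ign2"
    wc -l < "$dbdir/local.ign2" | tr -d ' '
}

# Demo on the constructed sample: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf 'Hits per signature:\n'
    hit_counts "$SAMPLE_SCAN"
    printf '\nlocal.ign2 entries:\n'
    ign2_entries "$SAMPLE_SCAN"
fi
```

Treat the whitelist as a stopgap rather than a fix: add an entry only after looking at the file that alerted (the `sigtool --find-sig ... | sigtool --decode-sig` step earlier in the thread shows what the signature actually matches), and remove it once freshclam has pulled the corrected Urlhaus signatures Lilia describes, since the same signature can legitimately hit a page that really does carry the malicious URL.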