|Main Archive Page > Month Archives > clamav-users archives|
On 2009-12-11 22:08, Tom Shaw wrote:
> At 9:31 PM +0200 12/11/09, Török Edwin wrote:
>> On 2009-12-11 21:14, Tom Shaw wrote:
>>> At 3:53 PM +0200 12/10/09, Török Edwin wrote:
>> >> On 2009-12-10 15:41, Sundara Kaku wrote:
>> The heuristic phishing detector only works on emails correctly, not
>> websites by design, hence there is no point
>> in running it on downloaded webpages. Why? Because a phishing email
>> contains a link email of banksite ,
>> a phishing website will contain a login form looking similar to a
>> These are very different things.
> True, but we have seen phishing sites that start with a front page
> that does contain links like <a href="...evilurl..."> update you data
> </a> so disabling the heuristic phishing detector would be counter
For the heuristic detector to work both the href target and the displayed text must be/contain a URL.
Also the heuristic detector was tested for false positives (and has a whitelist) only for links commonly used in emails. I think you would have false positive if it'd be enabled for all HTML files.
>> Safebrowsing was only used on links found in emails by design, links
>> found in other HTML files are not checked to improve performance,
>> and because there are other ways to protect web browsers from malicious
>> URLs listed in the safebrowsing DB in near realtime (for example
> Again this doesn't help when scanning a server for planted files etc.
> Possible these should be options for clamdscan and clamscan for file
> based scanning?
Safebrowsing could be, see this bugreport: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1475
Implementing this is currently unplanned.