clamav-users December 2009 archive

Re: [Clamav-users] Phishing detection on downloaded pages

From: Török Edwin <edwintorok_at_nospam>
Date: Fri Dec 11 2009 - 20:15:18 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


On 2009-12-11 22:08, Tom Shaw wrote:
> At 9:31 PM +0200 12/11/09, Török Edwin wrote:
>> On 2009-12-11 21:14, Tom Shaw wrote:
>>> At 3:53 PM +0200 12/10/09, Török Edwin wrote:
>>>> On 2009-12-10 15:41, Sundara Kaku wrote:
>> The heuristic phishing detector only works on emails correctly, not
>> websites by design, hence there is no point
>> in running it on downloaded webpages. Why? Because a phishing email
>> contains a link to a banksite,
>> a phishing website will contain a login form looking similar to a
>> banksite.
>> These are very different things.
>
> True, but we have seen phishing sites that start with a front page
> that does contain links like <a href="...evilurl..."> update your data
> </a> so disabling the heuristic phishing detector would be
> counterproductive.

For the heuristic detector to work both the href target and the displayed text must be/contain a URL.

Also the heuristic detector was tested for false positives (and has a whitelist) only for links commonly used in emails. I think you would have false positives if it were enabled for all HTML files.

>
>> Safebrowsing was only used on links found in emails by design, links
>> found in other HTML files are not checked to improve performance,
>> and because there are other ways to protect web browsers from malicious
>> URLs listed in the safebrowsing DB in near realtime (for example
>> firefox).
>
> Again this doesn't help when scanning a server for planted files etc.
>
>
> Possible these should be options for clamdscan and clamscan for file
> based scanning?

Safebrowsing could be, see this bugreport: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1475

Implementing this is currently unplanned.

Best regards,
--Edwin
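To make the condition above concrete, here is an added example (not ClamAV's own code) of a simplified display-URL versus real-URL check: an anchor only qualifies when both its href and its displayed text contain a URL, and it is flagged when the two hosts differ. The sample HTML fragments and their hosts are constructed placeholders; the second one mimics the "login form" case and produces no hit.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose URL pattern for displayed text: an http(s) scheme or a "www." host.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def host_of(text):
    """Return the lower-cased host of the first URL found in text, or None."""
    m = URL_RE.search(text or "")
    if not m:
        return None
    url = m.group(0)
    if not url.lower().startswith("http"):
        url = "http://" + url  # let urlparse handle bare "www." hosts
    return urlparse(url).hostname

class AnchorCollector(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html):
    """Anchors whose href is a URL, whose text is a URL, and whose hosts differ.
    Anchors with non-URL text (e.g. 'update your data') never qualify."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.pairs:
        real, shown = host_of(href), host_of(text)
        if real and shown and real != shown:
            hits.append((href, text))
    return hits

# Constructed samples with placeholder hosts (not real indicators).
EMAIL_HTML = '<p>Please <a href="http://evil.example/login">http://www.bank.example/login</a></p>'
WEB_HTML = ('<a href="http://evil.example/update">update your data</a>'
            '<form action="/login"><input name="pw"></form>')
```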



Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml