ClamWin Free Antivirus
Support and Discussion Forums
Safebrowsing.cvd?
danq


Hi,

Was wondering what "safebrowsing.cvd" on the ClamAV web site was, and why it isn't auto-downloaded in ClamWin (will it be in a future version?)

Thank you!
GuitarBob


The Safebrowsing signatures consist of web sites that have been rated as "bad." They are prepared by another party, but ClamAV is making them available for ClamAV users who have configured their copy of ClamAV to use them. They are not available for ClamWin users. They would not do much good, as ClamWin is not a real-time AV.

You can get similar protection from the ClamAV Hosts file from Malware Patrol. You download it and replace your Windows Hosts file in the System32 folder with it, and it will not let you visit any of the "bad" sites. You should download the new Hosts file at least once a week. Most of the real-time AVs now have some sort of website protection.

Malware writers change web sites often (sometimes hourly), and the AVs have trouble keeping up with them, so "bad" website protection is not as good as you think. You probably do just as well by keeping your AV updated.

Regards,
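
An added example, not part of the original post: a check to run on a downloaded blocklist before it replaces the Windows Hosts file, since a hosts entry that points a name at a routable address redirects it rather than blocking it. The sample data, the `audit_hosts` and `safe_to_install` names, and the sinkhole address set are assumptions made for this illustration.

```python
import ipaddress

# Addresses that make a listed name unreachable instead of redirecting it.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample of a downloaded blocklist (not real Malware Patrol data).
SAMPLE = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 bad-site.example
127.0.0.1 tracker.example ads.example   # two names on one line
203.0.113.7 bank.example
not-an-ip broken.example
0.0.0.0
"""

def audit_hosts(text):
    """Return (sinkholed_names, suspicious, malformed) for hosts-file text."""
    sinkholed, suspicious, malformed = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        names = [n.lower() for n in fields[1:]]
        if not names:
            malformed.append((lineno, raw))   # address with no hostname
        elif str(addr) in SINKHOLES:
            sinkholed.update(names)
        else:
            # A routable address redirects the name rather than blocking it.
            suspicious.append((lineno, str(addr), names))
    return sinkholed, suspicious, malformed

def safe_to_install(text):
    """True only if every entry is well formed and points at a sinkhole."""
    _, suspicious, malformed = audit_hosts(text)
    return not suspicious and not malformed

if __name__ == "__main__":
    sinkholed, suspicious, malformed = audit_hosts(SAMPLE)
    print(len(sinkholed), "names sinkholed")
    for item in suspicious + malformed:
        print("review before installing:", item)
```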
danq


GuitarBob wrote:
The Safebrowsing signatures consist of web sites that have been rated as "bad." They are prepared by another party, but ClamAV is making them available for ClamAV users who have configured their copy of ClamAV to use them. They are not available for ClamWin users. They would not do much good, as ClamWin is not a real-time AV.


So it has the hashes for the HTML, JS, etc. files belonging to these Web sites, and in order to work it'd have to scan browser cache files (or by doing "File->Save Page As" on these bad sites)? Browsers have their own phishing lists anyway, so I'd imagine real-time scanning of the cache files would be pointless, wouldn't it?

I have other security-related software (including MSSE) running realtime, with ClamWin set to scan memory hourly (the scan is set to an empty dummy folder with "Scan Programs Loaded In Computer Memory" checked).
I'd imagine doing this would only cover, e.g., firefox.exe right?

guitarbob wrote:
You can get similar protection from the ClamAV Hosts file from Malware Patrol. You download it and replace your Windows Hosts file in the System32 folder with it


For years I've been using Spybot S&D's "Immunize" feature for the hosts file (it also modifies browser settings with the same blacklist). I also use Firefox's Adblock Plus (with more blacklists and ABP's new sleazelist hacked off). I've found this combination to be very effective.

As for MalwarePatrol's signatures, recently I installed Win7 and didn't know that the ClamSup page was permanently down, e-mailed SaneSecurity about it and they said the owner disappeared and let the site expire. Until I hack something up I've just been downloading their signatures manually once a day.
GuitarBob


The Safebrowsing sigs consist of merely the URL of "bad" websites. Browsers now have similar protection, so there is probably a lot of duplication there. What is needed for web protection is something to prevent process injection and redirection to web sites with brand new, undetected malware delivered with drive-by downloads.

A ClamWin memory scan will only scan active memory, and then only after the fact, so an hourly memory scan is probably a bit too much. If a virus hits you, it will probably no longer be in memory, and it will likely be in the %appdata% folder (primary user folder for Windows XP) and/or the system32\drivers folder. Plus, it may be protected by a rootkit.

Regards,
danq


GuitarBob wrote:
The Safebrowsing sigs consist of merely the URL of "bad" websites. Browsers now have similar protection, so there is probably a lot of duplication there. What is needed for web protection is something to prevent process injection and redirection to web sites with brand new, undetected malware delivered with drive-by downloads.


So Safebrowsing sigs would mark a file (like an exported html/opml) with the plain text "www.badsite.com" in it?

guitarbob wrote:
A ClamWin memory scan will only scan active memory, and then only after the fact, so an hourly memory scan is probably a bit too much. If a virus hits you, it will probably no longer be in memory, and it will likely be in the %appdata% folder (primary user folder for Windows XP) and/or the system32\drivers folder.


Good point about key folders. Doing them all though all day long would be slow and a waste of time. Will play with different ideas until I find a good formula.
GuitarBob


Yes--most "bad" websites are identified by their URL. There was some talk a year or so ago about developing some website protection for ClamWin, but it would not do much good until/unless it does it in real-time.

The website protection offered by the major browsers is probably just about as good as any of the additional signatures offered. Google has a "bad" website API that is used a lot. Sophisticated malware will change its websites often via automated tools, and the AV industry just can't keep up because it takes a certain amount of time to work the "bad" website databases. The use of the Cloud by AVs is an attempt to keep up.

Regards,