Safebrowsing.cvd?
GuitarBob
The Safebrowsing signatures consist of web sites that have been rated as "bad." They are prepared by another party, but ClamAV is making them available for ClamAV users who have configured their copy of ClamAV to use them. They are not available for ClamWin users. They would not do much good, as ClamWin is not a real-time AV.
You can get similar protection from the ClamAV Hosts file from Malware Patrol. You download it and replace your Windows Hosts file in the System32 folder with it, and it will not let you visit any of the "bad" sites. You should download the new Hosts file at least once a week. Most of the real-time AVs now have some sort of website protection. Malware writers change web sites often (sometimes hourly), and the AVs have trouble keeping up with them, so "bad" website protection is not as good as you think. You probably do just as well by keeping your AV updated.
Regards,
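An added example, not part of the original post and not code from ClamWin or Malware Patrol: a Python check that can be run on a downloaded hosts-format blocklist before it replaces the system hosts file as described in the post above. The sink addresses, protected names and sample entries are assumptions constructed for illustration.

```python
import ipaddress
import re

# Addresses a blocking entry may point at; anything else is a redirect.
SINKS = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}
# Names that must keep their normal meaning (assumed list).
PROTECTED = {"localhost", "localhost.localdomain"}
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

# Constructed sample in hosts-file format (not real blocklist data).
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 bad.example
127.0.0.1 ads.example tracker.example  # two names on one line
203.0.113.7 bank.example
0.0.0.0 bad_host!.example
0.0.0.0
"""

def audit_hosts_blocklist(text):
    """Return (blocked_names, problems); problems holds (line_no, reason)."""
    blocked, problems = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on blanks
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((n, "first field is not an IP address"))
            continue
        if len(fields) == 1:
            problems.append((n, "address with no hostname"))
        for name in (f.lower() for f in fields[1:]):
            if name in PROTECTED:
                if not addr.is_loopback:
                    problems.append((n, name + " moved off loopback"))
            elif addr not in SINKS:
                problems.append((n, "%s redirected to %s" % (name, addr)))
            elif not all(LABEL.match(p) for p in name.rstrip(".").split(".")):
                problems.append((n, "malformed hostname " + name))
            else:
                blocked.add(name)
    return blocked, problems

def is_blocked(host, blocked):
    # Hosts files match exact names only: an entry for bad.example
    # does not cover www.bad.example.
    return host.lower().rstrip(".") in blocked
```

A file that returns any problems should not be installed as-is; an entry pointing a name at a routable address is a redirect rather than a block.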
danq
So it has the hashes for the HTML, JS, etc. files belonging to these Web sites, and in order to work it'd have to scan browser cache files (or by doing "File->Save Page As" on these bad sites)? Browsers have their own phishing lists anyway, so I'd imagine real-time scanning of the cache files would be pointless, wouldn't it? I have other security-related software (including MSSE) running realtime, with ClamWin set to scan memory hourly (the scan is set to an empty dummy folder with "Scan Programs Loaded In Computer Memory" checked). I'd imagine doing this would only cover, e.g., firefox.exe right?
For years I've been using Spybot S&D's "Immunize" feature for the hosts file (it also modifies browser settings with the same blacklist). I also use Firefox's Adblock Plus (with more blacklists and ABP's new sleazelist hacked off). As for MalwarePatrol's signatures, recently I installed Win7 and didn't know that the ClamSup page was permanently down, e-mailed SaneSecurity about it and they said the owner disappeared and let the site expire. Until I hack something up I've just been downloading their signatures manually once a day.
GuitarBob
The Safebrowsing sigs consist of merely the URL of "bad" websites. Browsers now have similar protection, so there is probably a lot of duplication there. What is needed for web protection is something to prevent process injection and redirection to web sites with brand new, undetected malware delivered with drive-by downloads.
A ClamWin memory scan will only scan active memory, and then only after the fact, so an hourly memory scan is probably a bit too much. If a virus hits you, it will probably no longer be in memory, and it will likely be in the %appdata% folder (primary user folder for Windows XP) and/or the system32\drivers folder. Plus, it may be protected by a rootkit.
Regards,
danq
So Safebrowsing sigs would mark a file (like an exported html/opml) with the plain text "www.badsite.com" in it?
Good point about key folders. Doing them all though all day long would be slow and a waste of time. Will play with different ideas until I find a good formula.
GuitarBob
Yes--most "bad" websites are identified by their URL. There was some talk a year or so ago about developing some website protection for ClamWin, but it would not do much good until/unless it does it in real-time.
The website protection offered by the major browsers is probably just about as good as any of the additional signatures offered. Google has a "bad" website API that is used a lot. Sophisticated malware will change its websites often via automated tools, and the AV industry just can't keep up because it takes a certain amount of time to work the "bad" website databases. The use of the Cloud by AVs is an attempt to keep up.
Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.