Hi all,

I use Postfix, amavisd and ClamAV with the URLhaus ndb signatures (for ClamAV)
from urlhaus.abuse.ch. If I send or receive a mail with a hyperlink
(real URL / display URL) like:

...
...
<a href="https:// example-from-urlhaus.[com/link/to/location/">https:// 
foo-bar-anything-blubb.[com/happy-malware-fakename</a><o:p></o:p></p>
...
...

ClamAV does not recognize this. But if I place the link directly in the mail
body (HTML format), ClamAV recognizes it:

clamd[25845]: /var/amavis/tmp/amavis-20200729T082557-25999-Hy3LWJ3x/parts/p004: URLhaus.421252.UNOFFICIAL FOUND

And when I create a YARA rule with the link to urlhaus.abuse.ch, it detects the
badevil-url link without problems.
For example:

...
LibClamAV debug: FP SIGNATURE: cef114bc2adc4caeaf51f716ba3c1611:923:YARA.spam_subject.UNOFFICIAL
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: YARA.spam_subject.UNOFFICIAL found


Can you tell me what I'm doing wrong?

BR, Bert
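
A check that works independently of ClamAV, added here as an example and not part of the original post: it parses an HTML mail part, extracts each link's real target (href) and its display text, checks the href host against a blocklist, and flags links whose display URL points to a different host. The names AnchorCollector, host_of and scan_html_part, the sample HTML and the blocklist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = (dict(attrs).get("href") or "").strip()
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; '' if absent or unparsable."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""

def scan_html_part(html, blocked_hosts):
    """Check each link's real target, not its visible text, against the list."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        findings.append({
            "href": href, "display": text,
            "blocked": real in blocked_hosts,
            # mismatch only when the visible text itself parses as a URL
            "mismatch": bool(shown) and shown != real,
        })
    return findings

# Constructed sample modelled on the post's snippet (reserved .example names).
SAMPLE = ('<p><a href="https://listed-host.example/link/to/location/">'
          'https://foo-bar-anything.example/happy-fakename</a><o:p></o:p></p>')
BLOCKED = {"listed-host.example"}  # constructed stand-in for a URLhaus host list
```

Calling scan_html_part(SAMPLE, BLOCKED) returns one finding with both "blocked" and "mismatch" set, since the href host is on the list while the display text names another host.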


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
