Here's the signature decoded:
# sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-----Original Message-----
From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of
Orion Poplawski
Sent: Wednesday, December 23, 2020 1:11 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature?  We're seeing the following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

Which seem to be the online update URLs for the urlhaus filter.  Does
ClamAV deem urlhaus a bad actor?

Thanks,
  Orion

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                 https://www.nwra.com/

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
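
Added example, not part of the thread or of ClamAV: a small Python helper that parses the `sigtool --decode-sig` output shown in the reply and reports which lines of a text file contain the decoded signature body. The sample list is constructed, and the case-insensitive substring search is an assumption standing in for ClamAV's own matcher and HTML normalization.

```python
# Decoded output exactly as posted in the thread.
DECODED = """\
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
"""

# Constructed sample of a text blocklist (not the real file contents).
SAMPLE_LIST = """\
! constructed header line
blocked.example/path/one
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
another.example/download.exe
"""


def parse_decoded(text):
    """Parse `sigtool --decode-sig` output into a dict of fields."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "DECODED SIGNATURE":
            # Everything after this header is the signature body.
            fields["pattern"] = "\n".join(lines[i + 1:]).strip()
            break
        fields[key.strip()] = value.strip()
    return fields


def find_matches(sig, data):
    """Return (line_number, line) pairs that contain the signature body.

    Assumption: only OFFSET '*' (match anywhere) is handled, and a
    case-insensitive substring test approximates the real matcher.
    """
    if sig.get("OFFSET") != "*":
        raise ValueError("only floating-offset signatures are handled here")
    needle = sig["pattern"].lower()
    return [(n, line) for n, line in enumerate(data.splitlines(), 1)
            if needle in line.lower()]
```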


