Posted to users@spamassassin.apache.org by Brent Clark <br...@gmail.com> on 2019/04/23 10:18:10 UTC

Freshclam Safebrowsing enabled for SA

Good day Guys

Just want to pick the community's brain for a second.

Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or better 
enable 'SafeBrowsing Yes' in freshclam's configuration file?

I see SafeBrowsing is a blacklist service provided by Google that 
provides lists of URLs for web sites that contain malware or phishing 
content.

What was your experience with mail containing malware or phishing content?

Many thanks.

Regards
Brent


Re: Freshclam Safebrowsing enabled for SA

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 6/13/2019 7:58 AM, Brent Clark wrote:
> Good day Guys
>
> Some time has passed, and I was hoping to follow up with the community
> if anyone has tested and / or tried Safebrowsing. Or has an opinion on
> Safebrowsing.
>
> I enabled it, and so far I have not picked up any false positives
> for mail.
>
> What actually reminded me of Safebrowsing is that I am testing Proxmox's
> mail gateway solution (i.e.
> https://www.proxmox.com/en/proxmox-mail-gateway), and one thing that got my
> attention is that SafeBrowsing is on.
>
> Regards
> Brent Clark 
I'm afraid I haven't had the time I wanted to do on this.  Thanks for
your feedback though!

Re: Freshclam Safebrowsing enabled for SA

Posted by Brent Clark <br...@gmail.com>.
Good day Guys

Some time has passed, and I was hoping to follow up with the community if 
anyone has tested and / or tried Safebrowsing. Or has an opinion on 
Safebrowsing.

I enabled it, and so far I have not picked up any false positives for 
mail.

What actually reminded me of Safebrowsing is that I am testing Proxmox's 
mail gateway solution (i.e. 
https://www.proxmox.com/en/proxmox-mail-gateway), and one thing that got my 
attention is that SafeBrowsing is on.

Regards
Brent Clark


On 2019/04/24 09:54, Brent Clark wrote:
> 
> 
> On 2019/04/23 17:07, Kevin A. McGrail wrote:
>> Anyway, I was going to try and run a second daemon or look at hits for
>> Safebrowsing.<something> as a method for scoring, not blocking.  The
>> listing and delisting policies are unclear to me and I think there is a
>> good potential for FPs.
>>
>>
>> Regards,
>> KAM
> 
> Good day Kevin
> 
> Would you mind sharing your experience and findings with the community?
> 
> Regards
> Brent

Re: Freshclam Safebrowsing enabled for SA

Posted by Pedro David Marco <pe...@yahoo.com>.
Sorry, my mistake.. excuse me!
I meant:
The difference between both versions is just "time": the latest URL updates take from hours to some days to go from the "good" DB to the public DB.

Pedro.

Re: Freshclam Safebrowsing enabled for SA

Posted by Pedro David Marco <pe...@yahoo.com>.
I have played long with this and IMHO do not put your expectations too high...
Google has two versions of the SafeBrowsing DB. The public one: the one you can download with the Google API and used by Clam as stated by Kevin, and a second one, used by Chrome and some security vendors (I guess by paying).
The difference between both versions is just "time": the latest URL updates take from hours to some days to go from the public DB to the "good" one.
Not happy enough with that, Rob McEwen's fears come true... Checks are done by removing the least significant part of each URL one by one... so a complete phishing URL will match as well as its domain does!
There is a Perl module (thanks to Julien Sobrier) you can use for a SA plugin: https://metacpan.org/pod/Net::Google::SafeBrowsing4
I have tested it and it works OK but is pretty slow since a simple URL generates many queries (because it works as Google suggests: removing the least significant part and trying again, and again, and...)
Ken, Kevin, maybe it would be a good idea to have a SA plugin to use it if we modify the code to check "only" the full URL...
Regards,
Pedro.

Re: Freshclam Safebrowsing enabled for SA

Posted by Brent Clark <br...@gmail.com>.

On 2019/04/23 17:07, Kevin A. McGrail wrote:
> Anyway, I was going to try and run a second daemon or look at hits for
> Safebrowsing.<something> as a method for scoring, not blocking.  The
> listing and delisting policies are unclear to me and I think there is a
> good potential for FPs.
> 
> 
> Regards,
> KAM

Good day Kevin

Would you mind sharing your experience and findings with the community?

Regards
Brent

Re: Freshclam Safebrowsing enabled for SA

Posted by Rob McEwen <ro...@invaluement.com>.
On 4/23/2019 11:07 AM, Kevin A. McGrail wrote:
> I was going to try and run a second daemon or look at hits for
> Safebrowsing.<something> as a method for scoring, not blocking.  The
> listing and delisting policies are unclear to me and I think there is a
> good potential for FPs.


Probably a nice scoring option - So like Kevin, I'd caution against 
using this for blocking or high scoring. Why? Because in recent years 
there has been an epidemic of the following two things:

(1) website compromised - hacker installed malicious content

(2) email account on the mail server compromised - spammer is sending 
email from that server

HOWEVER - MOST of the time ONLY 1 of these things happened, NOT both. 
But the Safebrowsing database is mainly focused on the website being 
compromised. Therefore, this rule is likely fantastic when it comes to 
hits on content in the body of the message, particularly URLs linking to 
malicious content on hijacked websites. But if/when this instead has 
hits on things like ONLY domain name (in the FROM address or elsewhere) 
- then it might cause a significant number of FPs if/when it hits stuff 
like that.

I'm not very familiar with how this works when implemented in ClamAV - 
so, for example, if this only has hits on entire URLs going all the way 
to the malicious content (not merely referencing the domain or home 
page) - then my FP concerns are likely overstated and this really isn't 
going to cause many FPs.

So I'm just mentioning this so others will be aware and know what to 
look for when testing this.

-- 
Rob McEwen



Re: Freshclam Safebrowsing enabled for SA

Posted by Daniele Duca <du...@staff.spin.it>.
On 23/04/19 17:07, Kevin A. McGrail wrote:

> On 4/23/2019 6:18 AM, Brent Clark wrote:
>> Just want to pick the communities brain for a second.
>>
>> Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or
>> better enable 'SafeBrowsing Yes' to freshclams configuration file?
>>
>> I see SafeBrowsing is a blacklist service provided by Google that
>> provides lists of URLs for web sites that contain malware or phishing
>> content.
>>
>> What was your experience with mail containing malware or phishing
>> content.

Hello,

sorry to hijack the thread, but while we are talking about ClamAV 
signatures, I'd like to point you also to these: 
https://urlhaus.abuse.ch/api/#clamav

It's a very lightweight set of URLs known to be distributing Emotet. They 
get hits on my systems while other signatures and AV engines fail, so 
you may want to give them a try.

Daniele


Re: Freshclam Safebrowsing enabled for SA

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 4/23/2019 6:18 AM, Brent Clark wrote:
> Just want to pick the communities brain for a second.
>
> Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing or
> better enable 'SafeBrowsing Yes' to freshclams configuration file?
>
> I see SafeBrowsing is a blacklist service provided by Google that
> provides lists of URLs for web sites that contain malware or phishing
> content.
>
> What was your experience with mail containing malware or phishing
> content. 


Well, my experience over the past month has been pretty bad.  ClamAV lit
some signatures for Phishtank and it pretty much killed performance. 
See the ClamAV mailing list for more info.

Additionally, I just on the 18th started looking at this ClamAV
feature.  For those who aren't aware:

ClamAV 0.95 introduced support for Google Safe Browsing database.

The Safebrowsing database is packed inside a CVD file and distributed
through our mirror network. This feature is disabled by default on all
installations and should be enabled with extreme care.

All signatures provided by Google Safe Browsing Database will be
prefixed with the Safebrowsing tag. If ClamAV reports
Safebrowsing.<something> FOUND, it means that the advisory was provided
by Google and not by ClamAV Virus database.

Please note that such reports DO NOT necessarily mean that the data
scanned contains some malware. You should treat such data as a potential
risk, that is a suspicious source of malware.

If you want to know more about the potentially dangerous data matched by
the signature, you should visit http://www.antiphishing.org (for
phishing warnings) or http://www.stopbadware.org (for malware warnings).

In order to enable this feature, you must add SafeBrowsing Yes to
freshclam.conf.

There is no option in clamd.conf. If the engine finds Google Safe
Browsing files in the database directory, ClamAV will enable safe
browsing. To turn it off you need to update freshclam.conf and remove
the safebrowsing files from the database directory before restarting clamd.


Anyway, I was going to try and run a second daemon or look at hits for
Safebrowsing.<something> as a method for scoring, not blocking.  The
listing and delisting policies are unclear to me and I think there is a
good potential for FPs.


Regards,
KAM