Understanding Malware Blacklist

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
EricEric
New Forum User
Posts: 1
Joined: Thu Apr 17, 2014 8:12 pm
Location: Gibraltar

Understanding Malware Blacklist

Post by EricEric »

Hello,

I got a hit on my clamav squid proxy that has the ASL clamav rules installed.

Specifically this:
ASL.MalwareBlacklist.flavors.me.UNOFFICIAL FOUND

Does anyone know where to find information on what exactly that means? I found some posting which suggested it means that a host tried to contact an IP that is on a malware blacklist. Is that correct?

Here is the entry from the rule file:
ASL-blacklist.ldb:ASL.MalwareBlacklist.flavors.me;Target:0;(0=0)&(1=0)&(2=0)&(3|4);41746f6d69636f72702e636f6d205741462052756c65733a;61746f6d69636f72702e636f6d207761662072756c65733a;6f737365632068696473206e6f74696669636174696f6e2e;3a2f2f{-255}2e666c61766f72732e6d65;3a2f2f666c61766f72732e6d65

Does anyone know how to make sense of that? Are those hashes of known malware files?

Thanks for any help anyone can provide.
Eric
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Understanding Malware Blacklist

Post by mikeshinn »

Thank you for the question. So first, that's a pretty old signature, so you need to get your rules up to date.

And yes, those rules look for known malware sites/domains in a URL (based on what our honeypots were seeing at the time the domain was added). They are automatically generated from our honeypots and automatically removed when they are no longer malicious. So you want to make sure you are only using the latest signatures.

https://www.atomicorp.com/wiki/index.ph ... ged_out.3F
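As an added illustration (not part of either post, and not Atomicorp's or ClamAV's own code), here is a small Python script that takes apart the .ldb entry from the question. A ClamAV logical signature has the form `name;target block;logical expression;subsig0;subsig1;...`; each subsignature is a hex-encoded byte string with optional wildcards such as `{-255}` (up to 255 bytes of anything), and in the logical expression a bare index means "that subsignature matched at least once" while `N=0` means "it matched zero times". Decoding the hex shows what this one actually looks for: subsignatures 3 and 4 are `://` followed, within 255 bytes, by `.flavors.me`, or `://flavors.me` directly, i.e. the domain appearing in a URL, which is exactly what mikeshinn describes. Subsignatures 0 to 2 decode to `Atomicorp.com WAF Rules:`, `atomicorp.com waf rules:` and `ossec hids notification.`, and `(0=0)&(1=0)&(2=0)` requires all three to be absent, evidently so the rule does not fire on Atomicorp's own rule files or OSSEC alert mail that happen to mention the domain. So no, they are not hashes of malware files. The leading `ASL-blacklist.ldb:` in the question appears to be the file name from the grep that produced the line, not part of the signature. The sample inputs below are constructed, the expression evaluator only supports the operators this signature uses (and assumes `&` binds tighter than `|`), and the regex matcher is a stand-in for ClamAV's engine, not the real thing.

```python
import re

# The .ldb entry posted above (without the "ASL-blacklist.ldb:" grep prefix).
SIG_LINE = ("ASL.MalwareBlacklist.flavors.me;Target:0;(0=0)&(1=0)&(2=0)&(3|4);"
            "41746f6d69636f72702e636f6d205741462052756c65733a;"
            "61746f6d69636f72702e636f6d207761662072756c65733a;"
            "6f737365632068696473206e6f74696669636174696f6e2e;"
            "3a2f2f{-255}2e666c61766f72732e6d65;3a2f2f666c61766f72732e6d65")

# Gap wildcards handled here: {n} exactly n bytes; {n-m}, {-m}, {n-} a bounded run of any bytes.
_WILDCARD = re.compile(r"\{(\d*)(-?)(\d*)\}")


def parse_ldb(line):
    """Split an .ldb line into (name, target block, logical expression, subsignatures).
    Target:0 is ClamAV's "any file type"."""
    name, target, expr, *subsigs = line.split(";")
    return name, target, expr, subsigs


def decode_subsig(subsig):
    """Render a hex subsignature for a human; wildcards are kept verbatim."""
    out, pos = [], 0
    for m in _WILDCARD.finditer(subsig):
        out.append(bytes.fromhex(subsig[pos:m.start()]).decode("latin-1"))
        out.append(m.group(0))
        pos = m.end()
    out.append(bytes.fromhex(subsig[pos:]).decode("latin-1"))
    return "".join(out)


def subsig_to_regex(subsig):
    """Translate a hex subsignature into a bytes regex with equivalent gap wildcards."""
    pattern, pos = b"", 0
    for m in _WILDCARD.finditer(subsig):
        pattern += re.escape(bytes.fromhex(subsig[pos:m.start()]))
        pos = m.end()
        lo, dash, hi = m.groups()
        if dash:  # {n-m}: between n and m bytes, either bound may be omitted
            pattern += b".{%d,%s}" % (int(lo or 0), hi.encode())
        else:     # {n}: exactly n bytes
            pattern += b".{%d}" % int(lo)
    pattern += re.escape(bytes.fromhex(subsig[pos:]))
    return re.compile(pattern, re.DOTALL)


def evaluate_expr(expr, counts):
    """Evaluate a logical expression such as (0=0)&(1=0)&(2=0)&(3|4) against per-subsignature
    match counts: a bare index N is true when N matched at least once; N=K, N<K, N>K compare
    N's count with K. The expression is rewritten into a Python boolean expression over the
    list c and evaluated after a strict character whitelist (assumption: & binds tighter than |)."""
    expr = expr.replace(" ", "")
    if not re.fullmatch(r"[0-9()&|=<>]+", expr):
        raise ValueError("unexpected character in logical expression: %r" % expr)
    if re.search(r"\)[=<>]", expr):
        raise NotImplementedError("group comparisons such as (0|1)>2 are not handled here")
    py = re.sub(r"(\d+)([=<>])(\d+)",
                lambda m: "(c[%s]%s%s)" % (m.group(1), "==" if m.group(2) == "=" else m.group(2),
                                           m.group(3)), expr)
    py = re.sub(r"(?<![\[\d=<>])(\d+)(?![\d\]])", r"(c[\1]>0)", py)  # remaining bare indices
    py = py.replace("&", " and ").replace("|", " or ")
    return bool(eval(py, {"__builtins__": {}}, {"c": list(counts)}))


def scan(data, sig_line=SIG_LINE):
    """Count every subsignature in data and evaluate the logical expression, as ClamAV would.
    Returns (fires, counts); fires=True corresponds to '<name> FOUND' in the scan log."""
    _, _, expr, subsigs = parse_ldb(sig_line)
    counts = [sum(1 for _ in subsig_to_regex(s).finditer(data)) for s in subsigs]
    return evaluate_expr(expr, counts), counts


# Constructed sample inputs (not real proxy captures).
PROXIED_PAGE = b'<html><a href="http://someuser.flavors.me/profile">me</a></html>'
BARE_DOMAIN = b"Visit https://flavors.me/ today"
WAF_RULE_FILE = b"# Atomicorp.com WAF Rules: block http://bad.flavors.me/\n"
NO_SCHEME = b"flavors.me is mentioned here without a URL"

if __name__ == "__main__":
    name, target, expr, subsigs = parse_ldb(SIG_LINE)
    print(name, target, expr)
    for i, s in enumerate(subsigs):
        print("  subsig %d: %s" % (i, decode_subsig(s)))
    for label, data in [("proxied page", PROXIED_PAGE), ("bare domain", BARE_DOMAIN),
                        ("WAF rule file", WAF_RULE_FILE), ("no scheme", NO_SCHEME)]:
        fires, counts = scan(data)
        print("%-14s counts=%s -> %s" % (label, counts, "FOUND" if fires else "clean"))
```

ClamAV's own `sigtool --decode-sigs` (reading the signature line on stdin) does the decoding step for you; the point of evaluating the expression here is to see why a page that carries `http://bad.flavors.me/` in a URL fires, while a file that also contains the `Atomicorp.com WAF Rules:` header stays clean even though the same URL is in it.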