Hello,
I got a hit on my clamav squid proxy that has the ASL clamav rules installed.
Specifically this:
ASL.MalwareBlacklist.flavors.me.UNOFFICIAL FOUND
Does anyone know where to find information on what exactly that means? I found a posting which suggested it means that a host tried to contact an IP that is on a malware blacklist. Is that correct?
Here is the entry from the rule file:
ASL-blacklist.ldb:ASL.MalwareBlacklist.flavors.me;Target:0;(0=0)&(1=0)&(2=0)&(3|4);41746f6d69636f72702e636f6d205741462052756c65733a;61746f6d69636f72702e636f6d207761662072756c65733a;6f737365632068696473206e6f74696669636174696f6e2e;3a2f2f{-255}2e666c61766f72732e6d65;3a2f2f666c61766f72732e6d65
Does anyone know how to make sense of that? Are those hashes of known malware files?
Thanks for any help anyone can provide.
Eric
Understanding Malware Blacklist
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Understanding Malware Blacklist
Thank you for the question. So first, that's a pretty old signature, so you need to get your rules up to date.
And yes, those rules look for known malware sites/domains in a URL (based on what our honeypots were seeing at the time the domain was added). They are automatically generated from our honeypots and automatically removed when they are no longer malicious. So you want to make sure you are only using the latest signatures.
https://www.atomicorp.com/wiki/index.ph ... ged_out.3F
Michael Shinn
Atomicorp - Security For Everyone
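To make sense of the rule entry quoted in the question, here is an added example (not Atomicorp's code and not the ClamAV engine) that reads the .ldb line the way ClamAV does: the fields after the logical expression are hex-encoded byte strings matched against the scanned content, not file hashes. The gap-wildcard reading ({-n} = up to n bytes) follows the ClamAV signature documentation, the sample request lines are constructed, and the =0 terms on the Atomicorp/OSSEC strings are read here as a way to keep the signature from firing on Atomicorp's own notification text that quotes the domain.

```python
import re

# The .ldb entry quoted in the question, verbatim: name;target;logic;subsig0;subsig1;...
LDB_LINE = ("ASL.MalwareBlacklist.flavors.me;Target:0;(0=0)&(1=0)&(2=0)&(3|4);"
            "41746f6d69636f72702e636f6d205741462052756c65733a;"
            "61746f6d69636f72702e636f6d207761662072756c65733a;"
            "6f737365632068696473206e6f74696669636174696f6e2e;"
            "3a2f2f{-255}2e666c61766f72732e6d65;3a2f2f666c61766f72732e6d65")

# A subsignature is a run of hex byte pairs, optionally broken up by {n-m} gap wildcards.
TOKEN = re.compile(r"\{(\d*)-(\d*)\}|([0-9a-fA-F]{2})")

def decode_subsig(subsig):
    """Render a hex subsignature as text so a human can read what it looks for."""
    return "".join(bytes.fromhex(h).decode("latin-1") if h else "{%s-%s}" % (lo, hi)
                   for lo, hi, h in TOKEN.findall(subsig))

def subsig_to_regex(subsig):
    """Compile a subsignature to a bytes regex; {-n} = up to n bytes, {n-} = at least n."""
    parts = [re.escape(bytes.fromhex(h)) if h else b".{%s,%s}" % (lo.encode() or b"0", hi.encode())
             for lo, hi, h in TOKEN.findall(subsig)]
    return re.compile(b"".join(parts), re.DOTALL)

def evaluate_logic(logic, counts):
    """Evaluate the logic over match counts; bare N = matched at least once, N=0 = must be absent."""
    if not re.fullmatch(r"[0-9=<>&|()]+", logic):
        raise ValueError("unsupported logical expression: %r" % logic)
    ops = {"=": "==", ">": ">", "<": "<", None: ">"}
    expr = re.sub(r"(\d+)(?:([=<>])(\d+))?",
                  lambda m: "(c[%s]%s%s)" % (m[1], ops[m[2]], m[3] or "0"), logic)
    expr = expr.replace("&", " and ").replace("|", " or ")
    return bool(eval(expr, {"__builtins__": {}}, {"c": counts}))  # safe: chars whitelisted above

def scan(data, line=LDB_LINE):
    """Return (signature name, fired?, per-subsignature match counts) for one scanned object."""
    name, _target, logic, *subsigs = line.strip().split(";")
    counts = [len(subsig_to_regex(s).findall(data)) for s in subsigs]
    return name, evaluate_logic(logic, counts), counts

if __name__ == "__main__":
    for s in LDB_LINE.split(";")[3:]:
        print(decode_subsig(s))
    # Constructed samples: a request to a blacklisted host, an unrelated request, and an
    # Atomicorp WAF alert that merely mentions the host (the =0 terms on subsigs 0-2 suppress it).
    for sample in (b"GET http://cdn.flavors.me/x.js HTTP/1.1",
                   b"GET http://example.org/index.html HTTP/1.1",
                   b"Atomicorp.com WAF Rules: blocked http://flavors.me/"):
        print(scan(sample))
```

Decoded, subsignatures 3 and 4 read "://{-255}.flavors.me" and "://flavors.me", so the hit means a URL naming that host (or a subdomain of it) passed through the proxy while the rule was current.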