If you look at your firewall logs, or inspect your web traffic with a tool like Fiddler or any other program that logs HTTP information, you may see some things that sound pretty nasty…
… one of those pretty nasty sounding things is “goog-malware-shavar.”
In particular, the “malware” part of the name is a little worrisome…
But, this is in fact one of those cases where somebody just has a very bad taste in names.
… “goog-malware-shavar” is actually Google’s anti-phishing API.
Why they didn’t use a name like “goog-anti-phishing” is a good question…
Google uses “goog-malware-shavar” to identify malware, specifically phishing. Google provides data for the anti-phishing feature implemented in Firefox and Google Desktop. These clients get their blacklist and whitelist data using an “update protocol”.
The protocol supports many different blacklists or whitelists.
List names are in the form “provider-type-format”, e.g. “goog-phish-shavar”.
Each item in a list represents an expression that matches a malicious URL. The exact format depends on the list type, and how the content is used is application-specific.
For the “shavar” list format, hash prefixes are used to reduce bandwidth. A hash prefix is some number of the most significant bytes of a full-length, 256-bit hash.
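To make the naming scheme and the hash-prefix idea concrete, here is an added example (not code from Google or from the original post) that splits a list name into its three fields and checks an expression against a locally held set of prefixes. It assumes SHA-256 as the 256-bit hash, a 4-byte prefix, and an expression string that is already in the form the list expects; the function names and the sample data are made up for illustration.

```python
import hashlib
from typing import NamedTuple


class ListName(NamedTuple):
    provider: str
    list_type: str
    list_format: str


def parse_list_name(name: str) -> ListName:
    """Split a "provider-type-format" name, e.g. goog-malware-shavar."""
    parts = name.strip().lower().split("-")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a provider-type-format list name: {name!r}")
    return ListName(*parts)


def hash_prefix(expression: str, prefix_len: int = 4) -> bytes:
    """Most significant prefix_len bytes of the 256-bit hash.

    Assumptions: SHA-256 is the hash, 4 bytes is the default prefix length.
    """
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 1 and 32 bytes")
    return hashlib.sha256(expression.encode("utf-8")).digest()[:prefix_len]


def possible_match(expression: str, prefixes: set, prefix_len: int = 4) -> bool:
    """Local check against downloaded prefixes.

    A hit only means "possibly listed": many expressions share one short
    prefix, so a client would still need the full-length hash to confirm.
    """
    return hash_prefix(expression, prefix_len) in prefixes


# Constructed sample data, not real list content.
SAMPLE_PREFIXES = {hash_prefix("phish.example/login.html")}

if __name__ == "__main__":
    print(parse_list_name("goog-malware-shavar"))
    for expr in ("phish.example/login.html", "benign.example/"):
        print(expr, hash_prefix(expr).hex(), possible_match(expr, SAMPLE_PREFIXES))
```

When one of these names turns up in a proxy or firewall log, parsing it this way shows at a glance which provider, list type and list format the client was updating.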
So, when you see the goog-malware-shavar entry, what follows is information relating to the anti-phishing feature built into the Firefox and Chrome browsers and/or the Google Toolbar.
If that didn’t make sense, whatever. Just know that “goog-malware-shavar” is not evil. It’s not a virus. It’s not malware.
It’s cool bro.