If you happen to look in firewall logs or perhaps browse with Fiddler running [Fiddler is a transparent proxy that automatically adds itself to the WININET chain which logs requests and responses to allow you to see what is working and what isn't working.] or some other program that logs HTTP information, then you may very well see some things that sound nasty. One of those that seems to appear often on many systems is "goog-malware-shavar." In particular, the "malware" part of the entry may give one pause. But, this is one case where bad-sounding is not the same as bad.

goog-malware-shavar is Google's anti-phishing API.

Google uses it to identify malware, specifically phishing. Google provides data for the anti-phishing feature implemented in Firefox and Google Desktop. These clients get their blacklist and whitelist data using an "update protocol".

The protocol supports many different blacklists or whitelists. List names are in the form "provider-type-format", e.g. "goog-phish-shavar". Each item in a list will represent an expression that will match a malicious URL, but the exact format depends on the list type and how the content is used is application-specific.

For the "shavar" list format, hash prefixes are used to reduce bandwidth. A hash prefix is some number of the most significant bytes of a full-length, 256-bit hash.

So, when you see the goog-malware-shavar entry what follows it is information relating to the anti-phishing built into the Firefox and Chrome browsers and/or the Google Toolbar.

More Information

• Protocolv2Spec - Client specification for the Google Safe Browsing v2.2 protocol
• Google Safe Browsing API
• Mozilla Phishing Protection: Design Documentation