[clamav-users] Clamav and "ransomware"

Vincent Fox vbfox at ucdavis.edu
Wed Jun 11 22:03:24 UTC 2014


On 6/11/2014 1:19 PM, Alex wrote:
> Hi all,
>
> I'm using clamav-0.98.3 with fedora20 and amavisd-new-2.8.1. I have a few
> questions relating to so-called ransomware (cryptolocker and the like).
>
> Is there a specific category of patterns that are related to catching this
> class of attacks in email? Are they generally just phishing URLs?
>
> I'm also using the safebrowsing, sanesecurity, and securiteinfo patterns.
>
> I'm using clamav with spamassassin and amavisd. I have a few hundred
> whitelist entries, and I'm concerned that some of those accounts may have
> been compromised, and have become the source of these attacks. Is it
> possible to whitelist (whitelist_from_rcvd) yet still scan them for
> viruses/malware? In other words, not make any decisions on whether it's
> spam, but if a virus/malware is found, quarantine it?
>
>

IME the best move is to enable the Foxhole_all database.

Our ransomware infestations came inside compressed attachments
and contained files like Invoice.XLS.exe, which our users of course go to
all the trouble to run.   Banning dangerous file types both as plain
attachments and inside compressed files seems to be working for us.
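As an added illustration (not part of this list post, and not ClamAV's or amavisd's own code), the following Python implements the policy Vincent describes: refuse an attachment whose real, i.e. last, extension is an executable type, whether it arrives as a bare attachment or inside a ZIP (nested ZIPs included), and fail closed on archive members that cannot be inspected. The banned-extension list, the nesting limit, and the sample "Invoice.zip" message are assumptions constructed for the example.

```python
"""Attachment policy check in the spirit of the reply above: ban dangerous
file types both as plain attachments and inside compressed attachments.
This is an added example, not gateway code from ClamAV or amavisd."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed ban list for this example; a real gateway takes it from site policy.
BANNED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd",
                     "vbs", "js", "jse", "wsf", "hta", "cpl"}

# Match only the LAST extension, case-insensitively, so "Invoice.XLS.exe" and
# "report.pdf.SCR" are judged by what they really are, not by the decoy name.
BANNED_RE = re.compile(r"\.(" + "|".join(BANNED_EXTENSIONS) + r")$", re.IGNORECASE)

MAX_DEPTH = 3  # assumed limit on archives-within-archives before failing closed


def dangerous_names(filename, data, depth=0):
    """Return the offending names found in one attachment.

    A plain attachment yields its own name if its extension is banned.
    A ZIP yields each offending member, written as archive/member so the
    quarantine log shows where the file was hidden. Archives nested deeper
    than MAX_DEPTH and members we cannot read are reported as offending
    (fail closed), because an uninspectable archive is exactly what the
    attacker wants us to pass through."""
    hits = []
    if BANNED_RE.search(filename):
        hits.append(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            hits.append(f"{filename} (nesting deeper than {MAX_DEPTH} archives)")
            return hits
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                try:
                    inner = zf.read(member)
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile) as exc:
                    # encrypted or unsupported member: cannot inspect, so ban it
                    hits.append(f"{filename}/{member.filename} "
                                f"(unreadable: {exc.__class__.__name__})")
                    continue
                for h in dangerous_names(member.filename, inner, depth + 1):
                    hits.append(f"{filename}/{h}")
    return hits


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and run the policy over every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        hits.extend(dangerous_names(name, payload))
    return hits


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed (not captured) message shaped like the one described above:
    a ZIP holding Invoice.XLS.exe plus a harmless JPEG attachment."""
    archive = make_zip({"Invoice.XLS.exe": b"MZ" + b"\x00" * 62,
                        "readme.txt": b"please see the attached invoice"})
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "alex@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("BANNED:", hit)  # prints BANNED: Invoice.zip/Invoice.XLS.exe
```

This is a pure filename policy, which is the point of the approach in the reply: it does not care whether a signature for the particular payload exists yet. A production gateway would additionally cap the decompressed size of each member (zip bombs), handle archive formats other than ZIP, and still run the content through the virus scanner, since a banned-name check and signature scanning catch different things.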