[clamav-users] Joomla Templates - False Positive
Steve Basford
steveb_clamav at sanesecurity.com
Wed Sep 17 13:14:16 UTC 2014
On Wed, September 17, 2014 1:53 pm, James Meason wrote:
> Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)
Hi James,
ClamAV team have created a signature which helps block double attachments,
in much the same way that the Sanesecurity foxhole sigs have been
doing for a while now.
However, I think they'd gone slightly overboard...
here's the sig...
daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*
foxhole_filename.cdb will do a similar job, but has been made as flexible
as possible for the end user to whitelist for extension type and only
contains double extensions that have been actually seen carrying malware.
To whitelist...
printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
restart clamd
Cheers,
Steve
Sanesecurity.com
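
Added example, not part of Steve's message or ClamAV's own code: a Python sketch that pulls the filename regex out of the signature quoted above and runs it over archive member names, showing why ordinary template files trip it. It assumes the legacy .zmd field order noted in the comments and unanchored regex matching; the helper names and the sample file names are constructed for illustration.

```python
import re

# Signature exactly as quoted in the message, rejoined onto one line.
SIG = (
    r"daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-]"
    r"(7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx"
    r"|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air"
    r"|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out"
    r"|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*"
)

def parse_zmd(line):
    """Return (virus name, compiled filename regex) from a .zmd record.

    Assumed layout: [dbfile:]virname:encrypted:filename:size:csize:crc32:
    method:fileno:maxdepth. The regex may itself contain ':', so the six
    trailing fields are counted from the right.
    """
    fields = line.strip().split(":")
    if fields[0].endswith(".zmd"):      # listing prefix naming the database file
        fields = fields[1:]
    if len(fields) < 9:
        raise ValueError("not a complete .zmd record")
    return fields[0], re.compile(":".join(fields[2:-6]))

def flagged(names, line=SIG):
    """Entry names the filename regex hits (unanchored search, an assumption)."""
    _, rx = parse_zmd(line)
    return [n for n in names if rx.search(n)]

# Constructed member names: one classic lure, the rest ordinary template files.
SAMPLES = [
    "invoice.pdf.jar",                      # double-extension lure
    "templates/demo/js/slideshow-jpg.js",   # '-jpg' followed by '.js'
    "templates/demo/data/colors.csv.json",  # '.js' matches the start of '.json'
    "templates/demo/js/template.js",
    "templates/demo/images/logo.png",
    "templates/demo/index.php",
]

if __name__ == "__main__":
    for name in flagged(SAMPLES):
        print("would match:", name)
```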