[clamav-users] Joomla Templates - False Positive

James Meason nodnol at hotmail.com
Wed Sep 17 13:22:51 UTC 2014



Hi Steve,

Thanks for your quick reply,

This appears to affect any tar.gz Joomla component being installed to Joomla also, just for the record...

I will get our Linux guy to make that whitelist update..

Will this stop all such double zip uploads from failing, for example the .tar.gz?

Thanks again for your help




On 2014-09-17 13:14, Steve Basford wrote:

> On Wed, September 17, 2014 1:53 pm, James Meason wrote:
>
> > Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)
>
> Hi James,
>
> ClamAV team have created a signature which helps block double attachments,
> in much the same way that the Sanesecurity foxhole sigs have been
> doing for a while now.
>
> However, I think they'd gone slightly overboard...
>
> here's the sig...
>
> daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*
>
> foxhole_filename.cdb will do a similar job, but has been made as flexible
> as possible for the end-user to whitelist for extension type and only
> contains double extensions that have been actually seen carrying malware.
>
> To whitelist...
>
> printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
> restart clamd
>
> Cheers,
>
> Steve
> Sanesecurity.com





Thank you for your time.....
God Bless
NodnoL aka James/JamEZ
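
How broadly the quoted file-name pattern matches can be checked by running it over archive member names. This is an added example, not part of the original thread: it assumes Python's `re` treats this pattern the way ClamAV's matcher does and that the fields are laid out as name, encrypted flag, file-name regex; every file name below is constructed.

```python
import re

# Signature exactly as quoted in the thread ("database:signature" form).
SIG = (
    "daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:"
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg"
    r"|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))"
    r"[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx"
    r"|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)"
    ":*:*:*:*:*:*"
)

def parse_zmd(line):
    """Return (signature name, compiled file-name regex) from a zmd line."""
    fields = line.split(":")
    if len(fields) != 10:
        raise ValueError("expected database name plus 9 zmd fields")
    # Assumed layout: db, name, encrypted flag, file-name regex, then six more.
    _db, name, _encrypted, filename_re = fields[:4]
    return name, re.compile(filename_re)

def flagged(members, pattern):
    """Member names the pattern hits anywhere in the path (unanchored search)."""
    return [m for m in members if pattern.search(m)]

# Constructed member names of the kind a web extension archive might hold.
MEMBERS = [
    "invoice.pdf.jar",         # disguised executable: the intended target
    "media/js/jquery.csv.js",  # script named after a data format
    "assets/upload-zip.js",    # '-' is accepted as a separator, like '.'
    "docs/api.doc.js",         # the bare \.doc branch
    "scripts/backup_tar.sh",   # '_' separator plus a shell script
    "media/js/app.min.js",     # 'min' is not in the first extension list
    "images/logo.png",         # single extension only
    "component.tar.gz",        # 'gz' is not in the second extension list
]

NAME, PATTERN = parse_zmd(SIG)

if __name__ == "__main__":
    for member in MEMBERS:
        print("HIT" if PATTERN.search(member) else "ok ", member)
```
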

