[clamav-users] Joomla Templates - False Positive
Douglas Goddard
dgoddard at sourcefire.com
Fri Sep 19 14:48:26 UTC 2014
Do you have some examples of files that are still causing problems?
I removed the .js extension - I'm happy to revise things further if it is
still causing problems.
On Wed, Sep 17, 2014 at 9:22 AM, James Meason <nodnol at hotmail.com> wrote:
>
> Hi Steve,
>
> Thanks for your quick reply,
>
> This appears to affect any tar.gz joomla component being installed to
> Joomla also just for the record...
>
> I will get our linux guy to make that whitelist update..
>
> Will this stop all such double zip uploads from failing for example the
> .tar.gz?
>
> Thanks again for your help
>
> On 2014-09-17 13:14, Steve Basford wrote:
> >
> > On Wed, September 17, 2014 1:53 pm, James Meason wrote:
> >
> > > Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)
> >
> > Hi James,
> >
> > ClamAV team have created a signature which helps block double attachments,
> > in much the same way that the Sanesecurity foxhole sigs have been
> > doing for a while now.
> >
> > However, I think they'd gone slightly overboard...
> >
> > here's the sig...
> >
> > daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*
> >
> > foxhole_filename.cdb will do a similar job, but has been made as flexible
> > as possible for the end_user to whitelist for extension type and only
> > contains double extensions that have been actually seen carrying malware.
> >
> > To whitelist...
> >
> > printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
> > restart clamd
> >
> > Cheers,
> >
> > Steve
> > Sanesecurity.com
> >
> > http://www.clamav.net/contact.html#ml
>
> Thank you for your time.....
> God Bless
> NodnoL aka James/JamEZ
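To find which files inside an upload trip the quoted signature, the filename regex can be run over the archive's member names. This is an added example, not part of the original thread or ClamAV's own code: it uses Python's `re` as a stand-in for ClamAV's matcher, assumes an unanchored search against each stored member name, models the revision as dropping only `js`, and uses constructed file names.

```python
import io
import re
import tarfile

# Extension lists copied from the signature quoted in the thread.
FIRST = (r"7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|"
         r"pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip")
SECOND = ("action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|"
          "ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf")
# Assumed revision: the same list with only "js" removed.
SECOND_NO_JS = "|".join(e for e in SECOND.split("|") if e != "js")

def build_regex(second=SECOND):
    """Assemble the double-extension filename regex from the signature."""
    return re.compile(
        r"(?i)((\.doc)|([ _.-](" + FIRST + r")))[ _.-]*\.(" + second + ")")

def make_sample_archive(names):
    """Build a small in-memory .tar.gz (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"/* sample */\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def flagged_members(targz_bytes, regex):
    """Return the member names the filename regex matches, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(targz_bytes), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers() if regex.search(m.name)]

# Constructed names resembling a template package; not taken from a real one.
SAMPLE_NAMES = [
    "tpl_example/index.php",
    "tpl_example/js/template.js",
    "tpl_example/js/jquery.csv.js",
    "tpl_example/js/icons-png.js",
    "tpl_example/docs/notes.txt.sh",
]

if __name__ == "__main__":
    archive = make_sample_archive(SAMPLE_NAMES)
    print("original:", flagged_members(archive, build_regex()))
    print("without js:", flagged_members(archive, build_regex(SECOND_NO_JS)))
```

Ordinary script names such as `jquery.csv.js` or `icons-png.js` match the original pattern, while a name like `notes.txt.sh` is still caught once `js` is dropped.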