[clamav-users] Custom clamav rule to block exe and scr files in archive.
Steve Basford
steveb_clamav at sanesecurity.com
Thu Feb 5 09:11:16 UTC 2015
> I created exe_in_archive.cdb file in clamav database directory, that
> contains:
> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
Forgot to add that the above sig, as you are using a *wildcard*
ContainerType, means that any exe in the following types will be blocked:
ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ,
CL_TYPE_CAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC)
So, using CL_TYPE_MAIL will hit a url/filename mentioned in an email too,
which might not be a bad thing but thought I'd mention it.
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
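
An added example (not part of the original message and not ClamAV code): a small Python model of the .cdb line quoted above, showing what a wildcard ContainerType covers and how naming one type, here CL_TYPE_ZIP, keeps the signature from applying to CL_TYPE_MAIL. The function names and sample filenames are constructed, and Python's `re` stands in for ClamAV's regex engine.

```python
import re

# Container types listed in the message above, with its (POSIX|OLD) and
# (OLD|ODC|NEWC|CRC) shorthand expanded.
CONTAINER_TYPES = {
    "CL_TYPE_ZIP", "CL_TYPE_RAR", "CL_TYPE_ARJ", "CL_TYPE_CAB", "CL_TYPE_7Z",
    "CL_TYPE_MAIL", "CL_TYPE_POSIX_TAR", "CL_TYPE_OLD_TAR",
    "CL_TYPE_CPIO_OLD", "CL_TYPE_CPIO_ODC", "CL_TYPE_CPIO_NEWC",
    "CL_TYPE_CPIO_CRC",
}

def parse_cdb(line):
    """Parse one .cdb line into (name, container_type, filename_regex).

    Field order: VirusName:ContainerType:ContainerSize:FileNameREGEX:
    FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2
    """
    fields = line.strip().split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}")
    name, container, fname = fields[0], fields[1], fields[3]
    if container != "*" and container not in CONTAINER_TYPES:
        raise ValueError(f"unknown ContainerType {container!r}")
    # Assumption: this model covers ContainerType and FileNameREGEX only,
    # so every other field must be the wildcard.
    if any(f != "*" for f in [fields[2]] + fields[4:]):
        raise ValueError("only ContainerType and FileNameREGEX are modelled")
    pattern = re.compile(".*" if fname == "*" else fname)
    return name, container, pattern

def applies(sig, container, filename):
    """True if the parsed signature would apply to this container entry."""
    _name, sig_container, pattern = sig
    if sig_container not in ("*", container):
        return False
    # Unanchored search, as POSIX regexec does (approximation of ClamAV).
    return pattern.search(filename) is not None

def narrow(line, container):
    """Return the same signature restricted to a single container type."""
    fields = line.strip().split(":")
    fields[1] = container
    narrowed = ":".join(fields)
    parse_cdb(narrowed)  # validate before handing it back
    return narrowed

WILDCARD = r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*"  # signature from the thread
ZIP_ONLY = narrow(WILDCARD, "CL_TYPE_ZIP")          # constructed variant
```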