[clamav-users] Custom clamav rule to block exe and scr files in archive.

Steve Basford steveb_clamav at sanesecurity.com
Thu Feb 5 04:11:16 EST 2015


> I created exe_in_archive.cdb file in clamav database directory, that
> contains:
> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*

Forgot to add that the above sig, as you are using a *wildcard*
ContainerType, means that any exe in the following types will be blocked:

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ,
CL_TYPE_CAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC)

So, using CL_TYPE_MAIL will hit a url/filename mentioned in an email too,
which might not be a bad thing but thought I'd mention it.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
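
Added example, not part of the original message and not ClamAV code: a simplified Python model of the two .cdb fields discussed above (ContainerType and FileNameREGEX), comparing the wildcard signature from the thread with a ZIP-only variant. The name Archived_EXE_ZIP, the sample items and the use of Python's re.search in place of ClamAV's own regex engine are assumptions made for illustration.

```python
import re

# Field order of a .cdb container-metadata signature (first ten fields).
CDB_FIELDS = ("name", "container_type", "container_size", "filename_regex",
              "size_in_container", "size_real", "is_encrypted", "file_pos",
              "res1", "res2")

# Signature quoted in the thread, and a constructed variant limited to ZIP.
WILDCARD_SIG = r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*"
ZIP_ONLY_SIG = r"Archived_EXE_ZIP:CL_TYPE_ZIP:*:.*\.exe:*:*:*:*:*:*"

# Constructed sample: (container type, file name seen inside that container).
ITEMS = [
    ("CL_TYPE_ZIP", "invoice.exe"),
    ("CL_TYPE_MAIL", "setup.exe"),   # a name that only appears in a mail
    ("CL_TYPE_RAR", "report.pdf"),
]

def parse_cdb(line):
    """Split one .cdb line into named fields (optional MinFL/MaxFL ignored)."""
    parts = line.strip().split(":")
    if not 10 <= len(parts) <= 12:
        raise ValueError("expected 10 to 12 colon-separated fields")
    return dict(zip(CDB_FIELDS, parts[:10]))

def would_match(sig, container_type, filename):
    """Model ContainerType and FileNameREGEX only; other fields must be '*'."""
    for field in CDB_FIELDS[2:3] + CDB_FIELDS[4:]:
        if sig[field] != "*":
            raise NotImplementedError(field + " is not modelled here")
    type_ok = sig["container_type"] in ("*", container_type)
    regex = sig["filename_regex"]
    name_ok = regex == "*" or re.search(regex, filename) is not None
    return type_ok and name_ok

def coverage(sig_line, items):
    """Return the items a signature would flag under this model."""
    sig = parse_cdb(sig_line)
    return [item for item in items if would_match(sig, *item)]

if __name__ == "__main__":
    for line in (WILDCARD_SIG, ZIP_ONLY_SIG):
        print(parse_cdb(line)["name"], "->", coverage(line, ITEMS))
```

Under this model the wildcard signature flags both the ZIP member and the name seen in the mail container, while the ZIP-only variant flags only the ZIP member.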
