[clamav-users] Custom clamav rule to block exe and scr files in archive.

Benny Pedersen me at junc.eu
Thu Feb 5 08:22:08 EST 2015


Virgo Pärna wrote on 2015-02-05 13:59:

> Well, foxhole is something I never thought to Google:)

+1

> Clamav does unpack archives recursively up to 16 levels (by default).

yep, it just creates another problem, zip bombs

> For clamd it is set with MaxRecursion configuration value, for clamscan
> with  --max-recursion=N command line switch. So that rule matches 
> still.

unless the scr is nested 17 times in zip

so i think foxhole needs to test if zip contains another zip, when 
--max-recursion=1

> And I do doubt, that such viruses are hidden deeper. I would at
> least think, that odds of users accidentally executing such file would
> decrease with deeper nesting.

if just end users did not press to see attachment from unknown senders, 
it would be less of a problem, and if microsoft blocks installers or exe 
files from unknown signers when users are running administrator mode, it 
would make a big difference

i try to defend developers to not create clamav as an elf installer :=)

there is lots of such badness already
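
Added example, not part of the original post and not code from ClamAV or the foxhole databases: a Python sketch of the trade-off discussed above, where a recursion cap protects against zip bombs but can leave a deeply nested .scr unseen. The function names, the per-member size cap and the way depth is counted (outermost archive is level 1) are assumptions made for illustration; the point is that hitting the limit is reported separately so the result is not read as clean.

```python
import io
import zipfile

BLOCKED_EXT = (".exe", ".scr")        # extensions named in the thread subject
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap on a nested archive's declared size


def inspect_zip(data, max_depth=16, _depth=1):
    """Return (blocked_paths, limit_hit) for a zip held in memory.

    limit_hit is True when a nested zip was skipped because of the depth
    or size cap, so the verdict is incomplete rather than clean.
    """
    blocked, limit_hit = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(BLOCKED_EXT):
                blocked.append(name)
                continue
            if not lower.endswith(".zip"):
                continue
            # Refuse to descend past the cap, but remember that we refused.
            if _depth >= max_depth or info.file_size > MAX_MEMBER_BYTES:
                limit_hit = True
                continue
            try:
                sub_blocked, sub_hit = inspect_zip(zf.read(info), max_depth, _depth + 1)
            except zipfile.BadZipFile:
                continue  # named .zip but not a zip; nothing to descend into
            blocked += [f"{name}/{p}" for p in sub_blocked]
            limit_hit = limit_hit or sub_hit
    return blocked, limit_hit


def make_nested(levels, payload_name="invoice.scr"):
    """Constructed sample: a harmless placeholder file wrapped in `levels` zip layers."""
    data, name = b"constructed placeholder bytes", payload_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data
```

A mail filter built on this would reject or quarantine when either `blocked` is non-empty or `limit_hit` is true, which is the "zip contains another zip" test suggested above generalised to any depth limit.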


