[clamav-users] Custom clamav rule to block exe and scr files in archive.
Benny Pedersen
me at junc.eu
Thu Feb 5 13:22:08 UTC 2015
Virgo Pärna wrote on 2015-02-05 13:59:
> Well, foxhole is something I never thought to Google:)
+1
> Clamav does unpack archives recursively up to 16 levels (by default).
yep, it just creates another problem, zip bombs
> For clamd it is set with MaxRecursion configuration value, for clamscan
> with --max-recursion=N command line switch. So that rule matches
> still.
unless the scr is nested 17 times in zip
so i think foxhole needs to test if zip contains another zip, when
--max-recursion=1
> And I do doubt, that such viruses are hidden deeper. I would at
> least think, that odds of users accidentally executing such file would
> decrease with deeper nesting.
if just end users did not press to see attachment from unknown senders,
it would be less of a problem, and if microsoft blocks installers or exe
files from unknown signers when users running administrator mode, it
would make a big difference
i try to defend developers to not create clamav as an elf installer :=)
there is lots of such badness already
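
An added example, not part of the original post and not ClamAV's or Foxhole's own code: a Python sketch of the check discussed in this thread, which flags .exe/.scr members inside nested zips and reports a nested archive left unscanned at the recursion limit instead of passing it silently. The depth counting, the size cap, the function names and the sample archives are assumptions made for illustration.

```python
import io
import zipfile

BLOCKED_EXT = (".exe", ".scr")      # extensions the thread's rule targets
ZIP_MAGIC = b"PK\x03\x04"           # local file header of a non-empty zip
MAX_MEMBER_BYTES = 10 * 1024 * 1024 # assumed cap, guards against zip bombs

def scan_zip(data, max_recursion=16, depth=1, path=""):
    """Return a list of (kind, member_path) findings.

    kind is 'blocked-ext', 'too-large' (declared size over the cap, not read)
    or 'recursion-limit' (nested zip found at the limit, left unscanned).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            if info.filename.lower().endswith(BLOCKED_EXT):
                findings.append(("blocked-ext", member))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(("too-large", member))
                continue
            body = zf.read(info)
            if body.startswith(ZIP_MAGIC):
                if depth >= max_recursion:
                    # Do not descend, but do not treat the archive as clean.
                    findings.append(("recursion-limit", member))
                else:
                    findings += scan_zip(body, max_recursion, depth + 1, member)
    return findings

def nest(name, payload, levels):
    """Constructed sample: wrap payload in `levels` layers of zip."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data

if __name__ == "__main__":
    for levels, limit in ((3, 16), (3, 1), (17, 16)):
        sample = nest("invoice.scr", b"MZ", levels)  # constructed stub, not a real binary
        print(levels, limit, scan_zip(sample, max_recursion=limit))
```
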