[clamav-users] Custom clamav rule to block exe and scr files in archive.

polloxx polloxx at gmail.com
Thu Feb 5 08:31:07 EST 2015


We use amavisd to quarantine all MS executable files, including zipped
files.
I asked a similar question in the amavis ML on 4/4/13. Replies from the
members were quite helpful:

<q>
First check if .exe extension is not commented out in
$banned_filename_re definition, then check that 'zip' is not commented
out in @decoders definition in your amavisd.conf. This is enough.
"Filename banning" is in fact a misnomer because when you switch on
banning files with .exe extension, the file content is also checked, so
if an executable has for example a .pdf extension, it will be banned.
</q>

On Thu, Feb 5, 2015 at 2:22 PM, Benny Pedersen <me at junc.eu> wrote:

> Virgo Pärna wrote on 2015-02-05 13:59:
>
>  Well, foxhole is something I never thought to Google:)
>>
>
> +1
>
>  Clamav does unpack archives recursively up to 16 levels (by default).
>>
>
> yep, it just creates another problem, zip bombs
>
>  For clamd it is set with MaxRecursion configuration value, for clamscan
>> with  --max-recursion=N command line switch. So that rule matches still.
>>
>
> unless the scr is nested 17 times in zip
>
> so I think foxhole needs to test if zip contains another zip, when
> --max-recursion=1
>
>  And I do doubt, that such viruses are hidden deeper. I would at
>> least think, that odds of users accidentally executing such file would
>> decrease with deeper nesting.
>>
>
> if just end users did not press to see attachment from unknown senders, it
> would be less of a problem, and if microsoft blocked installers or exe files
> from unknown signers when users are running in administrator mode, it would make a
> big difference
>
> I try to defend developers to not create clamav as an ELF installer :=)
>
> there is lots of such badness already
>
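Added example, not code from this thread, from amavisd or from ClamAV: a small Python scanner that approximates the behaviour discussed above. It opens nested zips only up to a recursion limit (in the spirit of ClamAV's MaxRecursion / --max-recursion), bans by content (the PE "MZ" magic) as well as by .exe/.scr extension as the quoted amavis advice describes, and reports nested archives it never opened because the limit was reached, which is the blind spot Benny points at. The function names, the depth counting (the outer archive counts as level 1) and the sample archives are assumptions constructed here.

```python
import io
import zipfile

# Extensions banned by name; content is checked first, so a PE file renamed
# to .pdf is still caught (matches the behaviour the amavis reply describes).
BANNED_EXT = (".exe", ".scr")


def make_nested_zip(depth: int, inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed test input: wrap inner_bytes in `depth` nested zip archives."""
    payload, name = inner_bytes, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"level{level}.zip"
    return payload


def scan_archive(data: bytes, max_recursion: int, _depth: int = 1, _prefix: str = "") -> dict:
    """Recursively inspect a zip, opening at most `max_recursion` archive levels.

    Returns {"executables": [paths flagged], "unscanned": [nested archives
    left unopened because the recursion limit was reached]}.
    """
    found = {"executables": [], "unscanned": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = _prefix + info.filename
            content = zf.read(info)
            # Content check first: a Windows PE executable starts with "MZ"
            # regardless of the extension it was given.
            if content[:2] == b"MZ" or path.lower().endswith(BANNED_EXT):
                found["executables"].append(path)
            elif zipfile.is_zipfile(io.BytesIO(content)):
                if _depth >= max_recursion:
                    # Beyond the limit: this archive is never opened, so anything
                    # inside it is invisible to the scan. Report that explicitly.
                    found["unscanned"].append(path)
                else:
                    sub = scan_archive(content, max_recursion, _depth + 1, path + "/")
                    found["executables"] += sub["executables"]
                    found["unscanned"] += sub["unscanned"]
    return found


if __name__ == "__main__":
    sample = make_nested_zip(3, "report.pdf", b"MZ\x90\x00" + b"A" * 16)
    print("limit 3:", scan_archive(sample, max_recursion=3))
    print("limit 2:", scan_archive(sample, max_recursion=2))
```

A non-empty "unscanned" list is the condition to alert on or to quarantine outright, since a clean verdict on such a message only means the limit stopped the scan early.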