[clamav-users] Custom clamav rule to block exe and scr files in archive.
polloxx at gmail.com
Thu Feb 5 08:31:07 EST 2015
We use amavisd to quarantine all MS executable files, including zipped
I asked a similar question on the amavis ML on 4/4/13. Replies from the
members were quite helpful:
First check if .exe extension is not commented out in
$banned_filename_re definition, then check that 'zip' is not commented
out in @decoders definition in your amavisd.conf. This is enough.
"Filename banning" is in fact a misnomer because when you switch on
banning files with .exe extension, the file content is also checked, so
if an executable has for example a .pdf extension, it will be banned.
On Thu, Feb 5, 2015 at 2:22 PM, Benny Pedersen <me at junc.eu> wrote:
> Virgo Pärna wrote on 2015-02-05 13:59:
> Well, foxhole is something I never thought to Google:)
>> Clamav does unpack archives recursively up to 16 levels (by default).
> yep, it just creates another problem, zip bombs
>> For clamd it is set with MaxRecursion configuration value, for clamscan
>> with --max-recursion=N command line switch. So that rule matches still.
> unless the scr is nested 17 times in zip
> so i think foxhole need to test if zip contains another zip, when
>> And I do doubt, that such viruses are hidden deeper. I would at
>> least think, that odds of users accidentally executing such file would
>> decrease with deeper nesting.
> if just end users did not press to see attachment from unknown senders, it
> would be less of a problem, and if microsoft blocks installers or exe files
> from unknown signers when users running administrator mode, it would make a
> big difference
> i try to defend developers to not create clamav as a elf installer :=)
> there is lots of such badness already
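
The recursion-limit point raised in the thread, as an added example that is not from any poster and is not ClamAV or amavisd code: a nested-zip check that reports an archive exceeding its limits instead of passing it. The names scan_zip and nest, the byte cap, and counting the top-level archive as depth 1 are assumptions made for this illustration.

```python
import io
import zipfile

BANNED_EXT = (".exe", ".scr")    # extensions discussed in this thread
MAX_RECURSION = 16               # the default depth quoted in the thread
MAX_MEMBER_BYTES = 25 * 2**20    # assumed cap, guards against zip bombs


def scan_zip(data, depth=1, path=""):
    """Return (verdict, member_path) for a zip archive given as bytes.

    verdict is "banned", "limit-exceeded" or "clean". Archives that hit a
    limit are reported, not passed, so deep nesting cannot hide a file.
    """
    if depth > MAX_RECURSION:
        return "limit-exceeded", path
    worst = ("clean", "")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            if info.filename.lower().endswith(BANNED_EXT):
                return "banned", name
            if info.file_size > MAX_MEMBER_BYTES:
                worst = ("limit-exceeded", name)
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                verdict, detail = scan_zip(member, depth + 1, name)
                if verdict == "banned":
                    return verdict, detail
                if verdict == "limit-exceeded":
                    worst = (verdict, detail)
    return worst


def nest(filename, layers):
    """Constructed sample: a harmless text file wrapped in `layers` zips."""
    data, name = b"harmless placeholder", filename
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data


if __name__ == "__main__":
    for layers in (1, 16, 17):
        print(layers, scan_zip(nest("invoice.scr", layers)))
```

A mail filter using this kind of check would treat "limit-exceeded" the same as "banned" (quarantine for review), which closes the 17-levels gap without unpacking without bound.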