
How to ban "::whitespace::{4,}.(com|exe)" in archives?


Ralf Hildebrandt

Jun 17, 2013, 3:39:32 AM
Currently my users are receiving trojans camouflaged as legal threats,
a zip containing a "legal_document.doc .exe"

How can I block those?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hil...@charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Ralf Hildebrandt

Jun 17, 2013, 7:04:53 AM
* Cedric Knight <ced...@gn.apc.org>:
> On 17/06/13 08:39, Ralf Hildebrandt wrote:
> >Currently my users are receiving trojans camouflaged as legal threats,
> >a zip containing a "legal_document.doc .exe"
> >
> >How can I block those?
>
> 1) ClamAV will do it.

Well, it doesn't do that here. Which pattern would block this?

> Or:
> 2) What's your $banned_filename_re ?


# block certain double extensions anywhere in the base name
qr'\.[^./]{3}\.(exe|vbs|pif|scr|bat|cmd|com|dll)\.?$'i,

qr'^message/partial$'i,

[ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any type in Unix-compressed
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any type in Unix archives
[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any type within such archives

qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,
# banned extension - CHARITE

Ralf Hildebrandt

Jun 17, 2013, 7:23:33 AM
* Ralf Hildebrandt <Ralf.Hil...@charite.de>:

> # block certain double extensions anywhere in the base name
> qr'\.[^./]{3}\.(exe|vbs|pif|scr|bat|cmd|com|dll)\.?$'i,
>
> qr'^message/partial$'i,
>
> [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any type in Unix-compressed
> [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any type in Unix archives
> [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any type within such archives
>
> qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,
> # banned extension - CHARITE

Meanwhile I took the current default rules and adapted them a bit.

"[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ]" would of course ALLOW what I
want to be blocked...

Now I'm using:

qr'^\.(exe|lha|cab|dll)$', # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
[ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
qr'.\.(pif|scr)$'i, # banned extensions - rudimentary

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,

qr'^message/partial$'i, # rfc2046 MIME type


# block certain double extensions in filenames
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# banned extension - CHARITE
qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,

But I still don't see how to block "::whitespace::{4,}.(com|exe)" EVEN
WHEN in a (zip) archive.
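As an added illustration (not code from this thread and not amavisd-new's own code), the following Python script models the first-match-wins walk over $banned_filename_re that both rule sets posted above rely on: the first reply's list with the `[ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ]` entry, and the revised list with that entry commented out. The evaluation order (rules in list order, each tried against the file(1) type as ".ext", the MIME type and the declared filename of the part and of every outer container, first match decides), the sample attachments and their name lists are assumptions constructed for the demonstration; the regexes themselves are the ones posted above, translated from Perl qr'' to Python re.

```python
import re

# Added example: a simplified, stand-alone model of how amavisd-new walks
# $banned_filename_re.  Assumed semantics (taken from the sample config's
# comments, not from the amavisd source): rules are tried in list order; for
# each rule every "name" of the part AND of its outer containers is tested
# (file(1) type as ".ext", MIME type, declared filename); the first rule that
# matches any name decides.  A bare regex means "banned"; [ qr// => 0 ] means
# "allowed, stop evaluating".
I = re.IGNORECASE

def rule(pattern, banned=True, flags=0):
    """One $banned_filename_re element, translated from Perl qr'' to re."""
    return (re.compile(pattern, flags), banned)

# The two double-extension patterns posted in the thread, original and revised.
DOUBLE_EXT_OLD = rule(r'\.[^./]{3}\.(exe|vbs|pif|scr|bat|cmd|com|dll)\.?$', True, I)
DOUBLE_EXT_NEW = rule(r'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*'
                      r'(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', True, I)
# "allow any within these archives": the [ ... => 0 ] entry that got commented out.
ARCHIVE_ALLOW = rule(r'^\.(zip|rar|arc|arj|zoo)$', False)

def banned_filename_re(double_ext=DOUBLE_EXT_NEW, allow_inside_archives=False):
    """The revised list from the last reply, with the archive allow-rule
    optionally re-enabled at the position it had in the first list."""
    rules = [
        rule(r'^\.(exe|lha|cab|dll)$'),       # banned file(1) types
        rule(r'^\.(gz|bz2)$', False),         # allow any in gzip or bzip2
        rule(r'^\.(rpm|cpio|tar)$', False),   # allow any in Unix-type archives
        rule(r'.\.(pif|scr)$', True, I),      # banned extensions - rudimentary
    ]
    if allow_inside_archives:
        rules.append(ARCHIVE_ALLOW)
    rules += [
        rule(r'^application/x-msdownload$', True, I),
        rule(r'^application/x-msdos-program$', True, I),
        rule(r'^application/hta$', True, I),
        rule(r'^message/partial$', True, I),
        double_ext,
        rule(r'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg'
             r'|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$', True, I),
    ]
    return rules

def check_part(chain, rules):
    """chain: one name-list per nesting level, outermost container first,
    the part itself last.  Returns (verdict, matched_name, pattern)."""
    names = [name for level in chain for name in level]
    for regex, banned in rules:
        for name in names:
            if regex.search(name):            # Perl =~ is an unanchored search
                return ('banned' if banned else 'allowed', name, regex.pattern)
    return ('no match', None, None)

# Constructed sample parts (not from the thread).  The file(1) type of the
# zip member is deliberately left out in IN_ZIP to model the case where only
# the declared name, not the detected type, gives the attachment away.
TOP_LEVEL = [['application/octet-stream', 'legal_document.doc .exe']]
IN_ZIP = [['.zip', 'application/zip', 'legal_document.zip'],
          ['legal_document.doc    .exe']]
IN_ZIP_TYPED = [['.zip', 'application/zip', 'legal_document.zip'],
                ['.exe', 'legal_document.doc    .exe']]

if __name__ == '__main__':
    cases = [('top level', TOP_LEVEL, False),
             ('in zip, archive allow-rule on', IN_ZIP, True),
             ('in zip, archive allow-rule off', IN_ZIP, False),
             ('in zip, file(1) says .exe, allow-rule on', IN_ZIP_TYPED, True)]
    for label, chain, allow in cases:
        verdict = check_part(chain, banned_filename_re(allow_inside_archives=allow))
        print(f'{label}: {verdict}')
    for name in ('legal_document.doc.exe', 'legal_document.doc .exe'):
        print(repr(name), 'old pattern:', bool(DOUBLE_EXT_OLD[0].search(name)),
              'revised pattern:', bool(DOUBLE_EXT_NEW[0].search(name)))
```

Two things the run makes visible: the original double-extension pattern requires exactly three non-dot characters between the dots, so "doc .exe" (with the space) never matches it, while the revised pattern's `[^./]*` and `\s*` absorb any amount of whitespace; and a rule only applies inside a zip if it sits before the archive allow-entry in the list, which is why the file(1)-type rule at the top still bans a detected .exe inside a zip while the double-extension rule further down is silenced until that entry is commented out.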