Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as Mailscanner/SpamAssassin/Postfix, however ClamAV can also be used to block these attachments which in some environments may be useful.
The three new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions, on those filenames/extensions.
[important]SaneSecurity signatures are a culmination of hard work and commitment to provide Third-Party signatures to the web community that are of professional quality. We are not a company… and producing the signatures and support for the signatures, are carried out in our spare time and at our own cost.
Please consider making a donation[/important]
The three new databases are:
1. foxhole_generic.cdb (low false positive risk)
This database will block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filestypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb.
2. foxhole_filename.cdb (low false positive risk)
This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives.
3. foxhole_js.cdb (medium false positive risk)
4. foxhole_all.cdb (high false positive risk)
This database will block all files (single and double extensions) within Zip, Rar and 7z archives that contrain dangerous filestypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database of the three but also has the highest risk of false positives, unless you are using scoring.
Currently only Zip, Rar, 7z and Arj archives are used, however this can be extended to Cab and Tar files. Please Contact me if that would prove to be useful.
[notice] If you are trying to block large attachments, you may need to increase the value of MaxZipTypeRcg in clamd.conf, from 1M to 3M[/notice]
Example signature names
Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files,
within a Zip file.
Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files,
within a Rar file
Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying
to hide their true extension, within a zip file.
If you wish to whitelist one of the above signatures, you can do this by creating your own foxhole.ign2 file and place it in the ClamAV database folder:
[notice]Tech. Note: with .cdb files .UNOFFICIAL has to be added to the signature name (unlike .ndb/.hdb formats)[/notice]
printf “Sanesecurity.Foxhole.7z_avi.UNOFFICIAL” > foxhole.ign2
Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.
printf “Sanesecurity.Foxhole.Zip_lib.UNOFFICIAL” > foxhole.ign2
Restart clamd and the Sanesecurity.Foxhole.Zip_lib signature will be ignored.
[notice] TIP: This may be useful for people who want to use foxhole_all.cdb to block all dangerous attachments within archives, however want to make an exception for .lib files, by whitelisting it.[/notice]