Zemana AntiLogger

«

Print this Post

Foxhole databases

Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as Mailscanner/SpamAssassin/Postfix, however ClamAV can also be used to block these attachments which in some environments may be useful.

The three new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions, on those filenames/extensions.

Important!

SaneSecurity signatures are a culmination of hard work and commitment to provide Third-Party signatures to the web community that are of professional quality. We are not a company… and producing the signatures and support for the signatures, are carried out in our spare time and at our own cost.
Please consider making a donation

 

The three new databases are:

 

1. foxhole_generic.cdb (low false positive risk)

This database will block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filestypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb.

 

2. foxhole_filename.cdb (low false positive risk)

This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives.

 

3. foxhole_all.cdb (medium to high false positive risk)

This database will block all files (single and double extensions) within Zip, Rar and 7z archives that contrain dangerous filestypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database of the three but also has the highest risk of false positives, unless you are using scoring.

Currently only Zip, Rar, 7z and Arj archives are used, however this can be extended to Cab and Tar files. Please Contact me if that would prove to be useful.

Notice

If you are trying to block large attachments, you may need to increase the value of MaxZipTypeRcg in clamd.conf, from 1M to 3M

Example signature names

Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files,
within a Zip file.

Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files,
within a Rar file

Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying
to hide their true extension, within a zip file.

Excluding/Whitelisting

If you wish to whitelist one of the above signatures, you can do this by creating your own foxhole.ign2 file and place it in the ClamAV database folder:

Notice

Tech. Note: with .cdb files .UNOFFICIAL has to be added to the signature name (unlike .ndb/.hdb formats)

 

Example 1:

printf “Sanesecurity.Foxhole.7z_avi.UNOFFICIAL” > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.

 

Example 2:

printf “Sanesecurity.Foxhole.Zip_lib.UNOFFICIAL” > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.Zip_lib signature will be ignored.

Notice

TIP: This may be useful for people who want to use foxhole_all.cdb to block all dangerous attachments within archives, however want to make an exception for .lib files, by whitelisting it.

m4s0n501

Permanent link to this article: http://sanesecurity.com/foxhole-databases/

Leave a Reply