Print this Post

Foxhole databases

Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as Mailscanner/SpamAssassin/Postfix, however ClamAV can also be used to block these attachments which in some environments may be useful.

These four new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions, on those filenames/extensions.

[important]SaneSecurity signatures are a culmination of hard work and commitment to provide Third-Party signatures to the web community that are of professional quality. We are not a company… and producing the signatures and support for the signatures, are carried out in our spare time and at our own cost.
Please consider making a donation[/important]


The four new databases are:


1. foxhole_generic.cdb (low false positive risk)

This database will block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filestypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb.


2. foxhole_filename.cdb (low false positive risk)

This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives.

3. foxhole_js.cdb (medium false positive risk)

This database will block most JavaScript (.js) files within within Zip, Rar files.  The current #locky #javascript #malware is using rapidly changing JavaScript files and this database is aimed at blocking these.  To help minimise false positives, this database will only scan small sized Zip and Rar files.


4. foxhole_all.cdb (high false positive risk)

This database will block all files (single and double extensions) within Zip, Rar and 7z archives that contain dangerous filestypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database, combined with foxhole_js.ndb but also has the highest risk of false positives, unless you are using scoring.

Currently only Zip, Rar, 7z and Arj archives are used, however this can be extended to Cab and Tar files. Please Contact me if that would prove to be useful.

[notice] If you are trying to block large attachments, you may need to increase the value of MaxZipTypeRcg in clamd.conf, from 1M to 3M[/notice]

Example signature names

Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files,
within a Zip file.

Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files,
within a Rar file

Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying
to hide their true extension, within a zip file.


If you wish to whitelist one of the above signatures, you can do this by creating your own foxhole.ign2 file and place it in the ClamAV database folder:

[notice]Tech. Note: with .cdb files .UNOFFICIAL has to be added to the signature name (unlike .ndb/.hdb formats)[/notice]


Example 1:

printf “Sanesecurity.Foxhole.7z_avi.UNOFFICIAL” > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.


Example 2:

printf “Sanesecurity.Foxhole.Zip_lib.UNOFFICIAL” > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.Zip_lib signature will be ignored.

[notice] TIP: This may be useful for people who want to use foxhole_all.cdb to block all dangerous attachments within archives, however want to make an exception for .lib files, by whitelisting it.[/notice]

Permanent link to this article: http://sanesecurity.com/foxhole-databases/