Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as MailScanner, SpamAssassin or Postfix; however, ClamAV can also be used to block these attachments, which may be useful in some environments.
The three new foxhole databases use the .cdb extension, which tells the ClamAV engine to look inside certain container/archive files and match regular expressions against the filenames and extensions found there.
The three new databases are:
1. foxhole_generic.cdb (low false positive risk)
This database will block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filetypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb.
2. foxhole_filename.cdb (low false positive risk)
This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives.
3. foxhole_all.cdb (medium to high false positive risk)
This database will block all files (single and double extensions) within Zip, Rar and 7z archives that contain dangerous filetypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database of the three, but it also has the highest risk of false positives unless you are using scoring.
Currently only Zip, Rar, 7z and Arj archives are used; however, this can be extended to Cab and Tar files. Please contact me if that would prove to be useful.
Example signature names
Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files within a Zip file.
Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files within a Rar file.
Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying to hide their true extension, within a Zip file.
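To see which archive members the generic and "all" databases would flag, and why, here is an added Python script (not Sanesecurity's own signature logic, which lives in the .cdb files) that approximates the matching rules described above over a constructed test zip; the regexes, the label names and the "three or more spaces" heuristic for hidden extensions are assumptions for illustration:

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Dangerous extensions listed for foxhole_generic.cdb
GENERIC_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk", "cpl", "vb"}
# Broader list used by foxhole_all.cdb
ALL_EXTS = GENERIC_EXTS | {"ade", "adp", "chm", "hta", "ins", "isp", "jse", "lib", "mde",
                           "msd", "msp", "mst", "sct", "shb", "sys", "vbe", "vxd",
                           "wsc", "wsf", "wsh"}

# name.ext1.ext2  -> double extension (assumed pattern)
DOUBLE_EXT = re.compile(r"^.+\.([a-z0-9]{1,4})\.([a-z0-9]{1,4})$")
# name.ext1<many spaces>.ext2 -> true extension pushed out of view (assumed heuristic)
HIDDEN_EXT = re.compile(r"\.[a-z0-9]{1,4}[ \t]{3,}\.([a-z0-9]{1,4})$")


def classify_member(name: str, mode: str = "generic") -> Optional[str]:
    """Return a Foxhole-style label for one archive member name, or None.
    mode="generic" mimics foxhole_generic.cdb (double/hidden extensions only);
    mode="all" mimics foxhole_all.cdb (any member ending in a dangerous extension)."""
    base = name.rsplit("/", 1)[-1].lower()  # ignore directories inside the archive
    exts = GENERIC_EXTS if mode == "generic" else ALL_EXTS
    m = HIDDEN_EXT.search(base)
    if m and m.group(1) in exts:
        return "Zip_hidden"
    m = DOUBLE_EXT.match(base)
    if m and m.group(2) in exts:
        return "Zip_" + m.group(1)  # e.g. report.doc.exe -> Zip_doc
    if mode == "all" and "." in base and base.rsplit(".", 1)[1] in exts:
        return "Zip_" + base.rsplit(".", 1)[1]  # single dangerous extension
    return None


def scan_zip(zip_bytes: bytes, mode: str = "generic") -> List[Tuple[str, str]]:
    """Return [(member, signature name)] for members that would trip the chosen database."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            label = classify_member(name, mode)
            if label:
                hits.append((name, "Sanesecurity.Foxhole." + label))
    return hits


def build_sample_zip() -> bytes:
    """Constructed test archive: harmless empty files with suspicious names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ["report.doc.exe", "invoice.xls      .scr", "readme.txt",
                     "setup.exe", "docs/notes.pdf"]:
            zf.writestr(name, b"")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip(), "all")` versus `"generic"` shows the extra hit (setup.exe) that makes foxhole_all.cdb both more effective and more prone to false positives.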
If you wish to whitelist one of the above signatures, you can do this by creating your own foxhole.ign2 file and placing it in the ClamAV database folder:
printf "Sanesecurity.Foxhole.7z_avi.UNOFFICIAL" > foxhole.ign2
Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.
printf "Sanesecurity.Foxhole.Zip_lib.UNOFFICIAL" > foxhole.ign2
Restart clamd and the Sanesecurity.Foxhole.Zip_lib signature will be ignored.