
Foxhole databases

Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as MailScanner/SpamAssassin/Postfix rules; however, ClamAV can also be used to block these attachments, which may be useful in some environments.

The three new Foxhole databases use the .cdb extension, which tells the ClamAV engine to look inside certain container files for particular filenames; regular expressions can also be used on those filenames.

The three new databases are:

1.  foxhole_generic.cdb

This database will block double extensions of certain common file formats that are contained within Zip/Rar and 7Zip files. These files will be detected only if they end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl.

Example signature name formats:

Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files, within zip files only

Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files, within Rar files only

Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying to hide their true extension, within zip files only

2.  foxhole_filename.cdb

This database will block certain commonly known malware filenames within Zip/Rar/7Zip files.

3.  foxhole_all.cdb

This database will block all files (single and double extensions) within Zip/Rar and 7Zip files that end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl. This will be the most effective database of the three, but it also has the highest risk of false positives unless you are using scoring.

Currently only .Zip, .7z and .Rar containers are used; however, this can be extended to .Arj, .Cab and .Tar files. Please contact me if that would prove useful.
 

Excluding/Whitelisting

If you wish to whitelist one of the above signatures, create your own foxhole.ign2 file and place it in the ClamAV database folder:

Example:

printf "Sanesecurity.Foxhole.7z_avi" > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.
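As an added illustration of the behaviour described in the three database sections and in the whitelisting section above, the following Python models Foxhole-style filename rules over the members of a zip archive and an ign2-style ignore list. This is not Sanesecurity's .cdb signature source and not the ClamAV engine: the signature names mirror the naming on this page, while the regular expressions, the list of "common" document extensions, and the sample archive's member names are constructed assumptions for the example.

```python
"""Added illustration of Foxhole-style filename rules and an ign2 whitelist.

Not Sanesecurity's .cdb source and not the ClamAV engine: the rule names
mirror the signature names on the page, while the regular expressions, the
document-extension list and the sample archive are constructed here."""
import io
import re
import zipfile

# Dangerous extensions listed on the page.
DANGEROUS = "pif|scr|exe|com|bat|cmd|vbs|lnk|cpl"
# Assumed set of "common file formats" that foxhole_generic wraps.
DOCUMENT = ["doc", "xls", "pdf", "jpg", "avi"]
DOC_ALT = "|".join(DOCUMENT)


def build_rules(container="Zip"):
    """Return [(signature name, compiled regex)] in the order they are tried."""
    rules = []
    # foxhole_generic: "<name>.doc.exe" style double extensions, one signature
    # per document type, named like Sanesecurity.Foxhole.Zip_doc on the page.
    for ext in DOCUMENT:
        rules.append((f"Sanesecurity.Foxhole.{container}_{ext}",
                      re.compile(rf"\.{ext}\.(?:{DANGEROUS})$", re.I)))
    # foxhole_generic "hidden": whitespace padding between the visible document
    # extension and the real one, e.g. "report.xls<30 spaces>.scr".
    rules.append((f"Sanesecurity.Foxhole.{container}_hidden",
                  re.compile(rf"\.(?:{DOC_ALT})\s{{3,}}\.(?:{DANGEROUS})$", re.I)))
    # foxhole_all: any member ending in a dangerous extension, single or double.
    rules.append((f"Sanesecurity.Foxhole.{container}_all",
                  re.compile(rf"\.(?:{DANGEROUS})$", re.I)))
    return rules


ZIP_RULES = build_rules("Zip")


def parse_ign2(text):
    """Parse foxhole.ign2 content: one signature name per line, blanks skipped."""
    return frozenset(line.strip() for line in text.splitlines() if line.strip())


def match_name(name, ignored=frozenset(), rules=ZIP_RULES):
    """Return every signature name that fires on an archive member name,
    minus those listed in `ignored` (the ign2 whitelist)."""
    return [sig for sig, rx in rules if rx.search(name) and sig not in ignored]


def scan_zip(data, ignored=frozenset()):
    """Open an in-memory zip and map each flagged member name to its signatures."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            sigs = match_name(member, ignored)
            if sigs:
                hits[member] = sigs
    return hits


def build_sample_zip():
    """Constructed sample archive; the member names are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc.exe", b"placeholder, not a real program")
        zf.writestr("report.xls" + " " * 30 + ".scr", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
        zf.writestr("holiday.avi.vbs", b"placeholder")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    print("no whitelist:", scan_zip(archive))
    # Same mechanism as the page's printf example, applied to a different name.
    ignored = parse_ign2("Sanesecurity.Foxhole.Zip_all\n")
    print("Zip_all ignored:", scan_zip(archive, ignored))
```

Running it shows why the page calls foxhole_all the most effective but most false-positive-prone database: `setup.exe` is caught only by the `_all` rule, so whitelisting `Sanesecurity.Foxhole.Zip_all` drops that hit while the double-extension and hidden-extension members are still flagged by their more specific signatures.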


Permanent link to this article: http://sanesecurity.com/foxhole-databases/
