Zero-hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, for example with MailScanner, SpamAssassin or Postfix; however, ClamAV can also be used to block these attachments, which may be useful in some environments.
The three new Foxhole databases use the .cdb extension, a ClamAV signature format that uses the engine to look inside certain container files for particular filenames and also allows regular expressions to be used on those filenames.
The three new databases are:
This database will block double extensions of certain common file formats that are contained within Zip, Rar and 7Zip files. These files will be detected only if they end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl.
Example signature name formats:
Sanesecurity.Foxhole.Zip_doc: blocks dangerous double-extension .doc files, within zip files only
Sanesecurity.Foxhole.Rar_xls: blocks dangerous double-extension .xls files, within Rar files only
Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double-extension files that are trying to hide their true extension, within zip files only
This database will block certain commonly known malware filenames within Zip/Rar/7Zip files.
This database will block all files (single and double extensions) within Zip, Rar and 7Zip files that end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl. This will be the most effective database of the three, but it also has the highest risk of false positives unless you are using scoring.
Currently only .Zip, .7z and .Rar containers are used; however, this can be extended to .Arj, .Cab and .Tar files. Please contact me if that would prove useful.
If you wish to whitelist one of the above signatures, you can do this by creating your own foxhole.ign2 file and placing it in the ClamAV database folder (one signature name per line):
printf "Sanesecurity.Foxhole.7z_avi\n" > foxhole.ign2
Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.
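To make the filename rules and the ignore-list behaviour described above concrete, here is an added Python example that models the same checks over an in-memory zip archive. It is not Sanesecurity's code and not ClamAV's .cdb matcher; ClamAV applies these regexes itself inside the engine. The list of "innocent" first extensions beyond doc and xls, the whitespace-padding interpretation of the "_hidden" signature, the "_all_" naming used for the third database, and the sample archive members are all assumptions made for illustration; the archive contains harmless text placeholders, not executables.

```python
"""Constructed example: Foxhole-style filename checks over a zip, with an .ign2 ignore list."""
import io
import re
import zipfile

# Dangerous final extensions as listed on the page (matched case-insensitively).
DANGEROUS_EXTS = ("pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk", "cpl")
DANGEROUS = "|".join(DANGEROUS_EXTS)

# First extension of a double-extension name. The page names doc and xls;
# the remaining entries are assumed for illustration.
INNOCENT_EXTS = ("doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png", "avi", "mp3")
INNOCENT = "|".join(INNOCENT_EXTS)

# "invoice.doc.exe" -> double extension ending in a dangerous type.
DOUBLE_EXT = re.compile(rf"\.({INNOCENT})\.({DANGEROUS})$", re.I)
# "report.pdf<many spaces>.scr" -> assumed model of the "_hidden" signature:
# whitespace padding pushes the real extension out of view in a mail client.
HIDDEN_EXT = re.compile(rf"\s{{3,}}.*\.({DANGEROUS})$", re.I)
# Any name ending in a dangerous type, single or double extension (third database).
ANY_DANGEROUS = re.compile(rf"\.({DANGEROUS})$", re.I)


def classify(name, container="Zip", use_all=False):
    """Return the signature-style name a member filename would trigger, or None.

    container is the archive type label used in the signature name (Zip, Rar, 7z).
    use_all enables the broader "all dangerous extensions" rule, which the page
    notes carries a higher false-positive risk.
    """
    base = name.rsplit("/", 1)[-1]  # archives store paths; only the basename matters
    m = DOUBLE_EXT.search(base)
    if m:
        return f"Sanesecurity.Foxhole.{container}_{m.group(1).lower()}"
    if HIDDEN_EXT.search(base):
        return f"Sanesecurity.Foxhole.{container}_hidden"
    if use_all:
        m = ANY_DANGEROUS.search(base)
        if m:
            # Naming for the "all files" database is assumed here.
            return f"Sanesecurity.Foxhole.{container}_all_{m.group(1).lower()}"
    return None


def load_ign2(text):
    """Parse .ign2 content: one signature name per line, blank lines skipped."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def scan_zip(data, ignore=frozenset(), use_all=False):
    """Return [(member_name, signature)] for members that would be blocked."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sig = classify(info.filename, "Zip", use_all)
            if sig and sig not in ignore:  # whitelisted signatures are dropped
                hits.append((info.filename, sig))
    return hits


# Constructed member name for the "hidden extension" case.
HIDDEN_NAME = "report.pdf" + " " * 24 + ".scr"


def build_sample_zip():
    """Constructed test archive: every member is a short text placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc.exe", "placeholder, not a real executable")
        zf.writestr("photo.jpg", "placeholder image")
        zf.writestr(HIDDEN_NAME, "placeholder with padded name")
        zf.writestr("setup.exe", "single-extension name, only the third database flags it")
        zf.writestr("movie.avi.pif", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    ignore = load_ign2("Sanesecurity.Foxhole.Zip_avi\n")
    for member, sig in scan_zip(build_sample_zip(), ignore=ignore, use_all=True):
        print(f"{member!r}: {sig}")
```

Running the module lists each flagged member with the signature name it would hit; with the ignore list shown, movie.avi.pif is no longer reported, mirroring what the foxhole.ign2 file does for clamd. Only zip is handled here because Python's standard library has no Rar or 7z reader; the classify() function itself is container-agnostic.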