CryptoLocker - blocking executables in archive attachments

1

Due to CryptoLocker, at the moment I block all archives (zip, 7zip, rar, arj, etc.) as a matter of not having a choice.

I would love it if

a) password-protected archives are forbidden.
b) .zip files are scanned for executables and forbidden if they contain executables, but not otherwise.

Right now I'm also using Sophos Endpoint, so I run it through the client, yet I can find zip-enclosed .exe files in my spam bucket that are not flagged as a virus (even though it probably is, and is a 0-day variant or unknown variant).

So I'm just saying this functionality would be nice to have (as an external agent maybe, with the 7zip command line perhaps?).

by christopher.low 5 years ago
2

@christopher.low: If you are using ClamAV you can block these things easily.

In your clamav folder (C:\clamav\db) create four files:

zipexe.zmd & rarexe.rmd
content:
Block.Unwanted.Files:0:.*\.(exe|com)$:*:*:*:*:*:*

encryptedzipexe.zmd and encryptedrarexe.rmd
content:
Block.Unwanted.Encrypted.Files:1:.*\.(exe|com)$:*:*:*:*:*:*

Reload the clamav daemon.

See page 16 of this file - you can add more application extensions if you want:
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf?raw=true

by tomasz.sokolowski 4 years ago
(in reply to this post)
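As an added example, not code from ORF, ClamAV or either poster: the kind of stand-alone "external agent" the question asks for, in Python, making the same decision the ClamAV metadata signatures in the reply express (reject if a member is password-protected, reject if a member has an executable extension, otherwise allow). It goes a little beyond the thread in two ways: it follows zip-in-zip nesting, and it catches the CryptoLocker-style double extension ("Invoice.PDF.exe"). The extension list beyond .exe/.com, the depth and size limits, and the sample archives are assumptions constructed for the demo; how you wire the verdict into your mail filter is up to you.

```python
import io
import os
import struct
import zipfile

# Extensions treated as executable content. .exe and .com are the ones the
# ClamAV signatures above match; the rest are common additions (an assumption,
# extend or trim for your site).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".jar"}
MAX_DEPTH = 3                          # zip-in-zip nesting limit (assumed)
MAX_NESTED_BYTES = 50 * 1024 * 1024    # refuse to inflate bigger nested zips


def _is_executable_name(name):
    # Only the last extension counts, so "invoice.pdf.exe" is ".exe". Trailing
    # spaces/dots (hidden by Explorer) are stripped and the check is
    # case-insensitive, so "SETUP.EXE " is caught too.
    base = os.path.basename(name.replace("\\", "/")).rstrip(" .")
    return os.path.splitext(base)[1].lower() in EXECUTABLE_EXTS


def check_zip(blob, depth=0):
    """Return ("allow", "") or ("reject", reason) for the zip bytes in `blob`.

    Members are never extracted to disk; encrypted members are never read.
    Nested zips are inspected recursively up to MAX_DEPTH. Unreadable input
    is rejected rather than passed through (fail closed).
    """
    if depth > MAX_DEPTH:
        return "reject", "archive nested deeper than %d levels" % MAX_DEPTH
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        return "reject", "not a readable zip (%s)" % exc
    for info in zf.infolist():
        if info.flag_bits & 0x1:       # general-purpose bit 0: entry encrypted
            return "reject", "password-protected member %r" % info.filename
        if _is_executable_name(info.filename):
            return "reject", "executable member %r" % info.filename
        if info.filename.lower().endswith(".zip"):
            if info.file_size > MAX_NESTED_BYTES:
                return "reject", "nested archive %r too large to inspect" % info.filename
            verdict, reason = check_zip(zf.read(info), depth + 1)
            if verdict == "reject":
                return "reject", "%s (inside %r)" % (reason, info.filename)
    return "allow", ""


# --- constructed sample archives for the demo (not real attachments) --------

def _build_zip(members):
    """Build a zip in memory from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(blob, name):
    """Set the 'encrypted' flag on `name` in the central directory so the
    archive looks password-protected to a scanner. The data is not really
    encrypted; this only simulates that case, because zipfile cannot write
    encrypted entries."""
    sig = b"PK\x01\x02"                # central directory file header
    idx = blob.find(sig)
    while idx != -1:
        name_len = struct.unpack_from("<H", blob, idx + 28)[0]
        if blob[idx + 46:idx + 46 + name_len] == name.encode():
            flags = struct.unpack_from("<H", blob, idx + 8)[0]
            return blob[:idx + 8] + struct.pack("<H", flags | 1) + blob[idx + 10:]
        idx = blob.find(sig, idx + 4)
    raise KeyError(name)


CLEAN = _build_zip({"report.pdf": b"%PDF-1.4 constructed sample"})
DISGUISED_EXE = _build_zip({"Invoice.PDF.exe": b"MZ constructed sample"})
NESTED_EXE = _build_zip({"docs.zip": _build_zip({"readme.txt": b"hi",
                                                 "setup.com": b"MZ"})})
ENCRYPTED = _mark_encrypted(_build_zip({"secret.doc": b"constructed"}), "secret.doc")

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("disguised exe", DISGUISED_EXE),
                        ("nested exe", NESTED_EXE), ("encrypted", ENCRYPTED),
                        ("garbage", b"not a zip")]:
        print("%-14s %s" % (label, check_zip(blob)))
```

The agent stops at the first disqualifying member and never inflates an encrypted entry or anything above the size limit, so a password-protected or oversized nested archive cannot be used to make it do work on the attacker's behalf. Note that it only understands zip; rar, 7z and arj attachments still need a separate rule (or the blanket block the question describes).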
