cryptolocker - blocking executables in archive attachments. - ORF Forums


1

Due to CryptoLocker, at the moment I block all archives (zip, 7zip, rar, arj etc.) as a matter of not having a choice.

I would love it if

a) password-protected archives are forbidden.
b) .zip files are scanned for executables and forbidden if they contain executables, but not otherwise.

Right now I'm also using Sophos Endpoint, so I run it through the client, yet I can find zip-enclosed .exe files in my spam bucket that are not flagged as a virus (even though it probably is, and is a 0-day variant or unknown variant).

So I'm just saying this functionality would be nice to have (as an external agent, maybe with the 7zip command line perhaps?).

by christopher.low 5 years ago
2

@christopher.low: If you are using ClamAV you can block these things easily.

In your clamav folder (C:\clamav\db) create four files:

zipexe.zmd & rarexe.rmd
content:
Block.Unwanted.Files:0:.*\.(exe|com)$:*:*:*:*:*:*

encryptedzipexe.zmd and encryptedrarexe.rmd
Block.Unwanted.Encrypted.Files:1:.*\.(exe|com)$:*:*:*:*:*:*

Reload the clamav daemon.

See page 16 of this file - you can add more application extensions if you want:
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf?raw=true

by tomasz.sokolowski 4 years ago
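The two rules christopher.low asks for (reject encrypted archives; reject archives that contain executables, otherwise pass) are exactly what the .zmd/.rmd signatures above express. As an added example that is not part of either post, here is the same policy written as a stand-alone Python check over a zip attachment: it uses the same `.*\.(exe|com)$` filename pattern, flags encrypted entries via the zip "encrypted" header bit, and recurses into nested zips the way the signature's max-depth field does. The depth limit, the nested-size cap, and the `mark_encrypted` helper (which only fakes the encrypted flag on a constructed sample, since the standard library cannot write encrypted zips) are assumptions of this example.

```python
import io
import re
import zipfile
from typing import Dict, List
# Same filename pattern as the ClamAV .zmd/.rmd signatures in the reply above.
EXECUTABLE_RE = re.compile(r".*\.(exe|com)$", re.IGNORECASE)
MAX_DEPTH = 3                         # assumed nesting limit, like the signature's max-depth field
MAX_NESTED_BYTES = 10 * 1024 * 1024   # assumed cap before reading a nested zip into memory

def inspect_zip(data: bytes, depth: int = 0) -> List[str]:
    """Return policy violations found in the archive bytes; an empty list means clean."""
    if depth > MAX_DEPTH:
        return [f"nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:                  # general-purpose bit 0: entry is encrypted
                findings.append(f"encrypted entry: {name}")
            elif EXECUTABLE_RE.match(name):           # executable by extension
                findings.append(f"executable entry: {name}")
            elif name.lower().endswith(".zip") and info.file_size > MAX_NESTED_BYTES:
                findings.append(f"oversized nested archive: {name}")
            elif name.lower().endswith(".zip"):       # nested archive: apply the same rules inside
                for f in inspect_zip(zf.read(name), depth + 1):
                    findings.append(f"{name} -> {f}")
    return findings

def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local (offset 6) and central (offset 8)
    header. The stdlib cannot write encrypted zips, so this fakes one for testing only."""
    out = bytearray(zip_bytes)
    for magic, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(magic)
        while pos != -1:
            out[pos + offset] |= 0x1
            pos = out.find(magic, pos + len(magic))
    return bytes(out)
```

An attachment whose `inspect_zip` result is empty passes; anything else is a reason to quarantine it, and the findings list is what you would want in the log line.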
