How to ban "::whitespace::{4,}.(com|exe)" in archives?
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Mon Jun 17 13:04:53 CEST 2013
* Cedric Knight <cedric at gn.apc.org>:
> On 17/06/13 08:39, Ralf Hildebrandt wrote:
> >Currently my users are receiving trojans camouflaged as legal threats,
> >a zip containing a "legal_document.doc .exe"
> >
> >How can I block those?
>
> 1) ClamAV will do it.
Well, it doesn't do that here. Which pattern would block this?
> Or:
> 2) What's your $banned_filename_re ?
# block certain double extensions anywhere in the base name
qr'\.[^./]{3}\.(exe|vbs|pif|scr|bat|cmd|com|dll)\.?$'i,
qr'^message/partial$'i,
[ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any type in Unix-compressed
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any type in Unix archives
[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any type within such archives
qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,
# banned extension - CHARITE
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
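
Added example, not part of the original message and not amavisd's own code: a stand-alone Perl script that runs the rule list quoted above against the attachment name from the thread and shows the archive allow rule deciding before the final extension ban is reached, then prepends one hypothetical rule built from the subject line's pattern. Assumptions: the `verdict` helper is a simplified first-match-wins model of rule evaluation, and the sample names (including the number of spaces) are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rule list as quoted in the message: a bare regex bans on match,
# [ regex => 0 ] allows on match.
my @posted = (
    qr'\.[^./]{3}\.(exe|vbs|pif|scr|bat|cmd|com|dll)\.?$'i,
    qr'^message/partial$'i,
    [ qr'^\.(Z|gz|bz2)$' => 0 ],
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],
    [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],
    qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,
);

# Hypothetical extra rule (not from the message): four or more whitespace
# characters directly before .com/.exe. It is placed first so that it is
# tried before the archive allow rules.
my @with_added_rule = ( qr'\s{4,}\.(com|exe)$'i, @posted );

# Simplified model (assumption): rules are tried in order against every
# attribute on the path from the archive member up to its container, and
# the first rule that matches any attribute decides.
sub verdict {
    my ($rules, @attrs) = @_;
    for my $rule (@$rules) {
        my ($re, $ban) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
        return $ban ? 'BANNED' : 'allowed' if grep { $_ =~ $re } @attrs;
    }
    return 'allowed';    # no rule matched
}

# Constructed samples: member name first, then the container's short type.
my @samples = (
    [ 'legal_document.doc     .exe', '.zip' ],   # padded double extension
    [ 'report.doc',                  '.zip' ],   # benign control
    [ 'setup.exe' ],                             # bare attachment, no archive
);

for my $s (@samples) {
    my $label = "'$s->[0]'" . (defined $s->[1] ? " in $s->[1]" : '');
    printf "%-40s posted=%-8s with-added-rule=%s\n",
        $label, verdict(\@posted, @$s), verdict(\@with_added_rule, @$s);
}
```

The padded name slips past the first posted rule because `[^./]{3}` must be followed immediately by a dot, and the `.zip` allow rule then decides before the last rule is tried.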