>Doesn't ASSP_AFC take care of this?

Yes, but not all are using this plugin.
AND - no code is perfect - take care and double check!

Was your company ever attacked by ransomware - possibly a zero-day one? 
Did you ever restore some terabytes of server data or several hundred 
PCs?
Even 'a high likelihood of false positives' is nothing compared to this.
The only way to prevent users from clicking on zero-day viruses is to 
block them before they reach the user!
Always have a backup that can be restored in a minimum of time!

Believe me, I know what I'm talking about.


> A zip with a jpg in it is flagged as bad by this?

double-extension !!!

name.jpg.exe
name.jpg.js
name.jpg.wsh
name.jpg.ps1

>I'm afraid of foxhole_all.cdb, as they say there's a high likelihood of
>false positives.  Has that not been your experience?

I can't find anything positive, if someone is sending me such a 
double-extension file in a zip or rar.

 any_string.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe
or
 any_string.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).js

And if I can't find any positive on it - there can't be anything false 
positive.

Thomas
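The double-extension check that the bad_extenson.zmd lines in this thread express, as an added example that is not part of the original posts and not code from ClamAV, ASSP or Sanesecurity: a small Python scanner that parses the four posted signature lines using the legacy nine-field .zmd layout (signature name, encrypted flag, filename regex, then six size/CRC/method/count/depth fields, all wildcards here), builds a constructed in-memory zip, and reports which member names would be blocked. The archive and its member names are constructed for the demonstration; the reading of the encrypted flag ('0' plain only, '1' encrypted only, '*' either) is an assumption about the legacy format, and ClamAV itself is not invoked.

```python
import io
import re
import zipfile

# The four bad_extenson.zmd lines posted in the thread, copied as posted.
ZMD_SIGNATURES = r"""
Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
"""


def parse_zmd(text):
    """Parse legacy .zmd lines laid out as
    name:encrypted:filename_regex:normal_size:csize:crc32:cmethod:fileno:max_depth
    (field layout is an assumption about the old-style format)."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, encrypted, rest = line.split(":", 2)
        # The regex is the third field; the six trailing fields never contain ':'
        # so splitting from the right keeps any ':' inside the regex intact.
        pattern, *trailing = rest.rsplit(":", 6)
        if len(trailing) != 6:
            raise ValueError("malformed .zmd line: %s" % line)
        sigs.append({"name": name, "encrypted": encrypted,
                     "regex": re.compile(pattern), "meta": trailing})
    return sigs


def match_filename(member_name, sigs, encrypted=False):
    """Return the name of the first signature whose regex matches the
    archive member name (full path inside the archive), or None."""
    for sig in sigs:
        # Encrypted flag (assumed): '0' plain members only, '1' encrypted only, '*' either.
        if sig["encrypted"] == "0" and encrypted:
            continue
        if sig["encrypted"] == "1" and not encrypted:
            continue
        if sig["regex"].search(member_name):
            return sig["name"]
    return None


def scan_zip_bytes(data, sigs):
    """Walk every member of a zip held in memory and collect (member, signature) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            sig_name = match_filename(info.filename, sigs, encrypted)
            if sig_name:
                hits.append((info.filename, sig_name))
    return hits


def build_sample_zip():
    """Constructed sample archive: two harmless members and three double-extension names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0")          # plain jpg, not flagged
        zf.writestr("notes.txt", b"constructed plain text")     # plain txt, not flagged
        zf.writestr("Invoice.PDF.exe", b"MZ constructed stub")  # mixed case, caught by (?i)
        zf.writestr("scan.jpg.js", b"// constructed")
        zf.writestr("docs/report.docx.ps1", b"# constructed")   # nested path, still matched
    return buf.getvalue()


if __name__ == "__main__":
    sigs = parse_zmd(ZMD_SIGNATURES)
    for member, sig_name in scan_zip_bytes(build_sample_zip(), sigs):
        print("BLOCK %-25s %s" % (member, sig_name))
```

The regex is applied to the full member path, so a double extension in a sub-directory of the archive is caught just as a top-level one is, and the `(?i)` prefix makes `Invoice.PDF.exe` match the same way `invoice.pdf.exe` does. The .rmd file in the thread carries the same regexes for rar members; only the archive reader would differ.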






From:    K Post <nntp.p...@gmail.com>
To:      For Users of ASSP <assp-user@lists.sourceforge.net>
Date:    27.09.2016 16:53
Subject: Re: [Assp-user] get more protection from ransomware



I concur with this great tip.

I've been using foxhole js and file for a while now with great success.
I'm afraid of foxhole_all.cdb, as they say there's a high likelihood of
false positives.  Has that not been your experience?

I don't quite understand the point of your own signatures.  Doesn't
ASSP_AFC take care of this?  Are these signatures better or preferred?  I
guess I'm uncertain how they work, why you have them (or need / want them)
and what the difference between zmd and md files are besides one seeming to
work on zip when the other is for rar.  And what are they looking for?  A
zip with a jpg in it is flagged as bad by this?







On Tue, Sep 27, 2016 at 10:23 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> Hi all,
>
> whoever uses ClamAV with assp should have a look into the sanesecurity
> signatures.
>
> http://www.sanesecurity.co.uk/databases.htm
>
> whoever still uses these signatures should have a look into the
> ClamSup.ini file.
> There are several lines excluded from the download - what I mean are:
>
> #
> # Foxhole double-extension, filename and dangerous attachment blocking sigs are disabled by default
> # see http://sanesecurity.com/foxhole-databases/ for more details about their use
> #
> # SaneSecurity foxhole_generic.cdb - Foxhole_Generic sigs [MEDIUM FP RISK]
> -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_generic.cdb;N;Y;Y;N;N
> # SaneSecurity foxhole_filename.cdb - Foxhole_filename sigs [MEDIUM FP RISK]
> -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_filename.cdb;N;Y;Y;N;N
> # SaneSecurity foxhole_all.cdb - Foxhole_all sigs [HIGH FP RISK]
> -rsync://rsync.sanesecurity.net/sanesecurity;foxhole_all.cdb;N;Y;Y;N;N
>
> I recommend using these signatures - simply remove the (-) in front of
> 'rsync'.
>
> I also created my own small signature files 'bad_extenson.zmd' and
> 'bad_extenson.rmd' - with the following content:
>
> bad_extenson.zmd:
>
> Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
> Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
> Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
> Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
>
> bad_extenson.rmd
>
> Sanesecurity.Blocked.Rar.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
> Sanesecurity.Blocked.Rar.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
> Sanesecurity.Blocked.Rar.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
> Sanesecurity.Blocked.Rar.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
>
> Both are old-style files and can be used with older ClamAV versions.
> If you want to create your own signature files, have a look into the
> Foxhole signatures - it is very easy.
>
> Thomas
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
>
>




