On 9/22/2021 8:10 PM, Kenneth Porter via MIMEDefang wrote:
> I'm already running ClamAV and I block on file extensions. Is there any way to recognize executables by content and block them? I just saw this article on a coming attack vector through Windows Subsystem for Linux (WSL) in which the payload is an ELF binary that then downloads and spawns a Windows binary.
>
> <https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/>
>
> The hard part would be defining "executable" but that could be extensible.

You could use some quick code that reads the first few bytes of each file attachment and compares them against known signatures, called magic bytes. For ELF, it's 0x7F followed by "ELF" in ASCII (45 4C 46).

You could use that to block any ELF file.

Regards,

KAM
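The check KAM describes, as an added example that is not part of the original thread and not MIMEDefang code (a MIMEDefang filter is written in Perl; this is the same idea in Python so it can be run stand-alone). It goes beyond the ELF case in the message: it also recognises PE (MZ stub plus a PE\0\0 header at e_lfanew), Mach-O and shebang scripts, and it runs the check on the decoded attachment payload rather than the raw base64, which is where an extension-based filter would be bypassed by a renamed binary. The sample message, the addresses in it and the two attachment stubs are constructed; the assumption that a fat Mach-O header's arch count is below 0x2D (to separate it from Java class files, which share the CAFEBABE magic) is mine.

```python
"""Recognise executables in e-mail attachments by magic bytes, not by extension.

Added example for the MIMEDefang thread; not the list's or the project's own code.
The sample message below is constructed, not a captured e-mail.
"""
from __future__ import annotations

import email
import struct
from email import policy
from email.message import EmailMessage

MACHO_THIN = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # 32/64-bit, big-endian
              b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")   # 32/64-bit, little-endian


def is_pe(data: bytes) -> bool:
    """PE/COFF: 'MZ' DOS stub, e_lfanew (u32 LE at 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def identify_executable(data: bytes) -> str | None:
    """Return a label for a recognised executable format, or None."""
    # ELF: 7F 45 4C 46, then EI_CLASS (1 = 32-bit, 2 = 64-bit) and EI_DATA (1 = LE, 2 = BE).
    # Checking the two following bytes cuts false positives on files that merely start "\x7fELF".
    if data[:4] == b"\x7fELF" and len(data) >= 6 and data[4] in (1, 2) and data[5] in (1, 2):
        return "ELF64" if data[4] == 2 else "ELF32"
    if is_pe(data):
        return "PE"
    if data[:4] in MACHO_THIN:
        return "Mach-O"
    # Fat/universal Mach-O shares CAFEBABE with Java class files. Bytes 4-7 are a
    # big-endian arch count in a fat header but minor/major version in a class file,
    # where major >= 45 (0x2D). Assumption: a real arch count is always below 0x2D.
    if data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8:
        (n,) = struct.unpack_from(">I", data, 4)
        return "Mach-O fat" if n < 0x2D else None
    if data[:2] == b"#!":
        return "script"
    return None


def executable_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw message, decode every leaf part, return (filename, format) hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload:
            continue
        kind = identify_executable(payload)
        if kind:
            hits.append((part.get_filename() or "(unnamed)", kind))
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: two renamed executable stubs that an extension filter misses."""
    elf_stub = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8       # 64-bit LE e_ident only
    pe_stub = bytearray(0x48)
    pe_stub[:2] = b"MZ"
    struct.pack_into("<I", pe_stub, 0x3C, 0x40)               # e_lfanew -> 0x40
    pe_stub[0x40:0x44] = b"PE\0\0"

    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed
    msg["To"] = "recipient@example.com"       # constructed
    msg["Subject"] = "Constructed sample with renamed binaries"
    msg.set_content("Attachments are stub headers built for this example, not real binaries.\n")
    msg.add_attachment(elf_stub, maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    msg.add_attachment(bytes(pe_stub), maintype="application", subtype="octet-stream",
                       filename="report.pdf")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for name, kind in executable_attachments(SAMPLE_MESSAGE):
        print(f"block: {name} is {kind}")
```

Two caveats a filter author would want: the magic check only sees what the MIME decoder hands it, so an executable inside a zip or other archive still needs the container unpacked first (ClamAV already does that, a plain byte check does not), and the signature list is the extensible part Kenneth asked about, so adding a format is one more tuple in `identify_executable`. The `\x7fELF` branch alone covers the WSL loader case from the linked article.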



MIMEDefang mailing list [email protected]
https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
