I use the following command to catch attachments and set the score higher.
It works for most executables but doesn't stop .zip attachments.
score MICROSOFT_EXECUTABLE 4.100

-Bryan
>>> Charles Gregory <[EMAIL PROTECTED]> 03/10/04 10:47AM >>>
On Wed, 10 Mar 2004 [EMAIL PROTECTED] wrote:
> I'm trying to catch viral attachments, namely those with the extension scr,
> exe, bat, com, pif, etc. The Content-Disposition header to catch the
> filename.
> I tried it, using a working RegEx which I verified in a testing program, but
> SA doesn't pick it up.
> Is there an example on how to do this?

The trick is, only the 'full' rules will check the attachments.
(Unwrap the test line):

full LOC_DBLEXTONATTACH /name="?[^"]*\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)\.(?:pif|exe|com|cmd|bat|scr)/i
describe LOC_DBLEXTONATTACH Message attachment has VIRUS-style double ext
score LOC_DBLEXTONATTACH 0.5

Note, this is a minimal test and will also catch messages that give examples of the double extension IN the body of a message, and trigger on quoted mime headers with double extensions in bounced mail, etc.

- Charles
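The following is an added example, not code from the thread or from SpamAssassin: it models Charles's LOC_DBLEXTONATTACH regex as a 'full' rule (run over the entire raw message, headers and body alike) and puts beside it a stricter variant of my own that only inspects the filename of each MIME part, so the bounce-message false positive Charles mentions does not fire. The three messages are constructed samples; the per-part check is an assumption about how one might narrow the rule, not a SpamAssassin feature.

```python
import re
from email import message_from_string

# Charles Gregory's LOC_DBLEXTONATTACH pattern, unwrapped onto one line.
# It matches 'name="..."' wherever that string appears in the raw message.
DBLEXT_FULL_RE = re.compile(
    r'name="?[^"]*\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)'
    r'\.(?:pif|exe|com|cmd|bat|scr)',
    re.IGNORECASE,
)

# Same extension pairs, applied to a bare filename (my narrower variant).
DBLEXT_NAME_RE = re.compile(
    r'\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)'
    r'\.(?:pif|exe|com|cmd|bat|scr)$',
    re.IGNORECASE,
)


def full_rule_hits(raw_message: str) -> bool:
    """Mimic a SpamAssassin 'full' rule: regex over the whole raw message."""
    return DBLEXT_FULL_RE.search(raw_message) is not None


def attachment_rule_hits(raw_message: str) -> bool:
    """Stricter check (assumption, not in the thread): parse the MIME
    structure and test only real part filenames, so body text that merely
    quotes a double-extension header does not trigger."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition or Content-Type name
        if name and DBLEXT_NAME_RE.search(name):
            return True
    return False


# Constructed sample 1: a real double-extension attachment.
SAMPLE_VIRAL = """\
From: sender@example.invalid
To: you@example.invalid
Subject: your file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="readme.txt.scr"
Content-Disposition: attachment; filename="readme.txt.scr"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

# Constructed sample 2: a bounce that quotes a MIME header in its body
# (the false-positive case Charles notes).
SAMPLE_BOUNCE = """\
From: mailer-daemon@example.invalid
To: you@example.invalid
Subject: Delivery failure
Content-Type: text/plain

Your message was rejected. The original headers were:
  Content-Disposition: attachment; filename="invoice.doc.pif"
"""

# Constructed sample 3: a legitimate single-extension attachment.
SAMPLE_CLEAN = """\
From: sender@example.invalid
To: you@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""


def evaluate(raw_message: str) -> tuple:
    """Return (full_rule_hit, attachment_rule_hit) for one raw message."""
    return full_rule_hits(raw_message), attachment_rule_hits(raw_message)


if __name__ == "__main__":
    for label, sample in (("viral", SAMPLE_VIRAL),
                          ("bounce", SAMPLE_BOUNCE),
                          ("clean", SAMPLE_CLEAN)):
        print(label, evaluate(sample))
```

The 'full' rule fires on both the real attachment and the bounce, exactly as Charles warns; the per-part variant fires only on the real attachment. Either way, neither matches a plain .zip attachment, since the pattern requires a second, executable extension after the first one.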
