2018-03-03 23:21 GMT-03:00 Alex <mysqlstud...@gmail.com>:
> Hi,
>
> I'm curious what people use to avoid malware executables being bypassed
> because their extensions are typically associated with file types that
> are not normally executable?
>
> https://twitter.com/jepayneMSFT/status/969742842410094593
>
> Do you just rely on clamav? Do you do any type of checks of the
> actual bytes in the file to confirm they're in line with what that
> file type should be?
>
Yes Alex! Our URIBL script does a magic number check and other checks, if the file does not have an executable extension, to see if it is a masked executable file: https://www.dropbox.com/s/5aorrijafw5ygk0/uribl.pl?dl=0

The script will send to Clamav any executable file, even masked. If you have any masked executable that this script ignores, just send it to me because I can improve this check, OK?

> How would this even present itself in an email?

If you use our script, it does not matter how it will present. Just check all attachments on it, including the HTML of the body.
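To make the "magic number check" idea concrete, here is an added, self-contained Python example of the same technique: it is not the uribl.pl script from the thread, and the function names (`sniff_executable`, `is_masked_executable`, `triage_attachments`) and the sample attachments are constructed for illustration. The header signatures it looks for (ELF `\x7fELF`, Mach-O thin magics, and the MZ stub whose `e_lfanew` field at offset 0x3c points at `PE\0\0`) are the documented format signatures. Attachments whose extension already says "executable" are sent to the scanner directly; everything else is sniffed, and a mismatch between content and extension is reported as a masked executable.

```python
import struct
from typing import Optional

# Extensions that already declare themselves executable; files carrying one of
# these go straight to the AV scanner, so only other extensions need sniffing.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "cpl", "sys", "so", "elf", "dylib"}

# Mach-O thin magic values (32/64-bit, both byte orders). The fat/universal
# magic 0xCAFEBABE is deliberately left out because Java .class files share it.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}


def sniff_executable(data: bytes) -> Optional[str]:
    """Return 'pe', 'dos', 'elf' or 'macho' when the bytes look like native
    executable code, otherwise None. Only the header is inspected."""
    if len(data) >= 4 and data[:4] == b"\x7fELF":
        return "elf"
    if len(data) >= 4 and data[:4] in MACHO_MAGICS:
        return "macho"
    if len(data) >= 2 and data[:2] == b"MZ":
        # A PE file stores the offset of its "PE\0\0" signature at 0x3c (e_lfanew).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "dos"  # bare MZ stub without a PE header: legacy DOS executable
    return None


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_masked_executable(filename: str, data: bytes) -> bool:
    """True when the content is executable but the filename does not say so."""
    if _extension(filename) in EXECUTABLE_EXTENSIONS:
        return False  # already flagged by extension; nothing is being masked
    return sniff_executable(data) is not None


def triage_attachments(attachments):
    """Decide which attachments to hand to the AV scanner.
    Returns a list of (filename, reason) tuples in input order."""
    to_scan = []
    for name, data in attachments:
        if _extension(name) in EXECUTABLE_EXTENSIONS:
            to_scan.append((name, "executable extension"))
        elif is_masked_executable(name, data):
            to_scan.append((name, f"masked {sniff_executable(data)} executable"))
    return to_scan


def make_fake_pe() -> bytes:
    """Constructed sample: an MZ stub whose e_lfanew points at a PE signature.
    It is not a runnable program, just enough header to exercise the check."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew = 0x40
    header += b"PE\x00\x00" + b"\x00" * 20       # signature + empty COFF header
    return bytes(header)


if __name__ == "__main__":
    # Constructed attachments: two masked executables, one honest one, one real PDF prefix.
    samples = [
        ("invoice.pdf", make_fake_pe()),
        ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("setup.exe", make_fake_pe()),
        ("photo.jpg", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    ]
    for entry in triage_attachments(samples):
        print(entry)
```

The check is intentionally narrow: it only answers "is this native executable code?", so script and macro-based payloads (which this thread does not cover) still need the AV scanner or a separate content check. Truncated attachments are handled by the length guards, so a short MZ stub is reported as `dos` rather than raising.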