At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js
>inside .zip files.

+1

We also block these scripting-related Windows extensions:

  .hta .jse .vbs .wsf

Those were originally "pre-emptive"; however, I've now seen both ".hta" and ".jse" in the wild (low volume).

*** Question: Are there any other Windows (or Mac) scripting file extensions?

As an extra layer of defense, we also do content scanning within all zipped files for terms including (among MANY others):

  activexobject
  base64_decode
  createobject
  eval
  fromcharcode
  savetofile
  shell
  unescape
  wscript

All hits are weighted, and some can be skip-listed. Plus I recently wrote some "secret sauce" code that looks for JavaScript obfuscations. :)

We've had a very low FP rate on the above, and haven't had any noticeable user pushback. There have been enough high-profile infections (at least two hospitals) that most end users have been grateful and understanding.

>Doing it properly requires a non-trivial amount of coding.

Yes, however it's VERY satisfying coding. :)

- "Chip"

P.S. As of about 1700 UTC yesterday, I'm seeing significant volume of zipped macro-encrusted "doc" files.
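The two layers Chip describes (blocking script extensions inside .zip attachments, then weighted keyword scanning of the archive contents with a skip-list) are easy to prototype. The block below is an added example, not Chip's code or any mail filter's own scanner. The extension list and the search terms are the ones in the post; the numeric weights, the rejection threshold, the nested-archive depth limit, the per-member size cap and the sample archive are all assumptions made for illustration. It goes one step beyond the post by recursing into zips nested inside zips.

```python
import io
import os
import re
import zipfile

# Extensions named in the post (plus .js from the quoted message).
BLOCKED_EXTENSIONS = {".js", ".hta", ".jse", ".vbs", ".wsf"}

# Terms from the post. The weights are assumed values for this example;
# the post only says that hits are weighted.
TERM_WEIGHTS = {
    "activexobject": 5,
    "base64_decode": 3,
    "createobject": 5,
    "eval": 2,
    "fromcharcode": 4,
    "savetofile": 5,
    "shell": 3,
    "unescape": 3,
    "wscript": 4,
}

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap: refuse to inflate huge members (zip-bomb guard)


def scan_member(data, term_weights=TERM_WEIGHTS, skip_list=frozenset()):
    """Weighted keyword scan of one decompressed member.

    Returns (score, hits); each distinct term counts once, terms in skip_list
    are ignored. Decoding as latin-1 never fails, so binary members are fine.
    """
    text = data.decode("latin-1").lower()
    score, hits = 0, []
    for term, weight in term_weights.items():
        if term in skip_list:
            continue
        if re.search(re.escape(term), text):
            hits.append(term)
            score += weight
    return score, hits


def scan_zip(zip_bytes, threshold=8, skip_list=frozenset(), depth=0, max_depth=3):
    """Scan every member of a zip (recursing into nested zips) and return a verdict.

    threshold and max_depth are assumed tunables. A blocked extension anywhere
    in the archive, or a total weighted score >= threshold, rejects the message.
    """
    result = {"blocked": [], "score": 0, "hits": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                result["blocked"].append(name)
            if info.file_size > MAX_MEMBER_BYTES:
                result["hits"].append((name, "oversized-member"))
                continue
            data = zf.read(info)
            if ext == ".zip" and depth < max_depth:
                inner = scan_zip(data, threshold, skip_list, depth + 1, max_depth)
                result["blocked"].extend(f"{name}/{b}" for b in inner["blocked"])
                result["score"] += inner["score"]
                result["hits"].extend(inner["hits"])
                continue
            score, hits = scan_member(data, skip_list=skip_list)
            result["score"] += score
            result["hits"].extend((name, term) for term in hits)
    reject = bool(result["blocked"]) or result["score"] >= threshold
    result["verdict"] = "reject" if reject else "pass"
    return result


def build_sample_zip():
    """Constructed sample input: a zip holding a downloader-style .js and a benign note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "invoice_2016.js",
            'var sh = new ActiveXObject("WScript.Shell");\n'
            'eval(unescape("%70%61%79%6c%6f%61%64"));\n',
        )
        zf.writestr("readme.txt", "Please see the attached invoice.\n")
    return buf.getvalue()


def build_nested_sample_zip():
    """Constructed sample input: the same archive wrapped inside an outer zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.zip", build_sample_zip())
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
    print(scan_zip(build_nested_sample_zip()))
    print(scan_zip(build_sample_zip(), skip_list={"shell"}))
```

In the sample, the .js member is rejected on extension alone, and the content layer independently scores it at 17 (activexobject, eval, shell, unescape, wscript). Skip-listing a noisy term such as "shell" lowers the score without affecting the extension block, which is the point of keeping the two layers separate.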