On 08/06/16 20:59, Chip M. wrote:
> I was looking more closely at the Foxhole page, and it SOUNDS (to me) like they do _NOT_ block on ".js" file extension, whereas you/Dianne do:

More relevant for the ClamAV/Sanesecurity list, hope this isn't looked down upon.
I'm not sure if Steve is on the list but I'll do my best to answer.

> "This database will block most JavaScript (.js) files within Zip, Rar files" ... "To help minimise false positives, this database will only scan small sized Zip and Rar files."
>
> *** Questions:
>
> *1. Could someone clarify whether Foxhole is using some sort of signatures on ".js" files?

"The three new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions on those filenames/extensions."

Here's one example rule from foxhole_js.cdb

---8<---
Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*
---8<---

cdb files have the following format:

VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

You could adjust rules if needed. Steve is also very helpful and responsive.

> *2. How did Foxhole perform on the recent campaign with duplicate large zipped js files (e.g. 5 files of 236 kilobytes each)? There was also a campaign with a single large file (e.g. 604 kilobytes), with most of the payload at the end. I suspect both campaigns were attempts to bypass sig based scanners.

The js detection was recently upped from 256 kilobytes based on list feedback - as you see the 512 kilobytes it is currently at is the FileSizeInContainer - "usually compressed size". I have had a very positive experience with these signatures overall.

> I'm with Dianne on outright blocking js files, AND making highly selective holes for specific sender/recipient pairs.

We can block any JS file with Zips, 7zip, rar, arj, cab...
Foxhole.ZIP.JS:CL_TYPE_ZIP:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.7Z.JS:CL_TYPE_7Z:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.RAR.JS:CL_TYPE_RAR:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.ARJ.JS:CL_TYPE_ARJ:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.CAB.JS:CL_TYPE_MSCAB:*:\.[Jj][Ss]$:*:*:*:*:*:*

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ, CL_TYPE_MSCAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR, CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container types listed here

or...

BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

> *3. Is the list of file extensions on the Foxhole page complete?
> http://sanesecurity.com/foxhole-databases/
> The page is missing the following (and perhaps others):
> .acm .ax .dll .drv .efi .mui .ocx .tsp
> I verified that all of those actually occur and are executable on a Windows 7 machine.

Those extensions aren't listed within the Foxhole databases, I'll feed this back via their mailing list - might be worth popping along?

I recently added the MagicNumber for "old" style doc files, just for files inside zips (when they appeared, as mentioned in my previous post). This could be accomplished with yara rules within ClamAV too - docs on signature creation can be found here https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf

Paul

-- 
Paul Stead
Systems Engineer
Zen Internet
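As an added illustration (not code from the thread, ClamAV or Sanesecurity), the Python below emulates the field-by-field .cdb match described above and runs the quoted Foxhole rule and the proposed catch-all over constructed archive metadata modelled on the two campaigns Chip mentions. The `Member` type, the helper names and the sample file names are assumptions, and the size-range and FilePos semantics are simplified rather than taken from the ClamAV source.

```python
import re
from collections import namedtuple

# Constructed rule set: the Foxhole rule quoted in the thread plus the proposed catch-all.
CDB_RULES = r"""
Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*
BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*
"""
# Field order from the .cdb format line in the thread (MinFL/MaxFL are optional tail fields).
FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
          "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos", "Res1", "Res2")
# Constructed per-entry metadata as a container parser would report it (sizes in bytes,
# size_in_container = compressed size, pos = 1-based position inside the archive).
Member = namedtuple("Member", "container container_size name size_in_container "
                              "size_real encrypted pos")

def parse_cdb(text):
    """Split each non-empty, non-comment .cdb line into a dict keyed by FIELDS."""
    rows = [ln.split(":") for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    if any(len(r) < len(FIELDS) for r in rows):
        raise ValueError("malformed cdb line (fewer than 10 fields)")
    return [dict(zip(FIELDS, r)) for r in rows]

def in_range(spec, value):
    """'*' matches any size, 'n' an exact size, 'lo-hi' an inclusive range."""
    lo, _, hi = spec.partition("-")
    return spec == "*" or (int(lo) == value if hi == "" else int(lo) <= value <= int(hi))

def rule_matches(rule, m):
    """Simplified emulation of the field-by-field test applied to each archive member."""
    return (rule["ContainerType"] in ("*", m.container)
            and in_range(rule["ContainerSize"], m.container_size)
            and re.search(rule["FileNameREGEX"], m.name) is not None
            and in_range(rule["FileSizeInContainer"], m.size_in_container)
            and in_range(rule["FileSizeReal"], m.size_real)
            and rule["IsEncrypted"] in ("*", str(int(m.encrypted)))
            and rule["FilePos"] in ("*", str(m.pos)))

def scan(rules, members):
    """Map each member name to the VirusNames that would fire on it."""
    return {m.name: [r["VirusName"] for r in rules if rule_matches(r, m)] for m in members}

# Constructed members modelled on the two campaigns described in the thread.
SAMPLE_MEMBERS = [
    Member("CL_TYPE_ZIP", 1_180_000, "invoice_1.js", 236_000, 236_000, False, 1),
    Member("CL_TYPE_ZIP", 1_180_000, "invoice_2.js", 236_000, 236_000, False, 2),
    Member("CL_TYPE_ZIP", 604_000, "statement.JS", 604_000, 604_000, False, 1),
    Member("CL_TYPE_RAR", 10_000, "readme.js", 10_000, 12_000, False, 1),
    Member("CL_TYPE_ZIP", 1_000, "notes.txt", 1_000, 2_000, False, 1),
]
```

Running `scan(parse_cdb(CDB_RULES), SAMPLE_MEMBERS)` shows the trade-off the thread is circling: the 604 KB member and the second of the duplicated 236 KB members fall outside the Foxhole rule's 0-512000 / FilePos 1 window and are caught only by the catch-all, while the plain .txt member matches nothing.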