Ransomware/CTB-Locker ClamAV signature
Knuddi:
You may be right that it's not specific to CTB-Locker, but when we analyzed mails that carried CTB, 99% of them came through these containers and were not caught at the time of arrival.
So, it might cause some disruption of normal traffic if compressed files in compressed folders are normal - I do know that some backup systems use that.
In all cases, you are correct, it's not a dedicated signature and should be used with this knowledge and caution.
Stefano:
--- Quote from: CharlieBrady on February 18, 2015, 04:13:35 PM ---Shouldn't those signatures arrive via clamav? I presume you have submitted them there.
--- End quote ---
There are also unofficial ClamAV signatures; most of them are used to limit spam.
See http://blog.redbranch.net/2010/09/24/enhancing-clamav-with-extra-signatures/
They are also available as an rpm package. I'm using clamav-unofficial-sigs on my server and 3 others.
Stefano:
--- Quote from: CharlieBrady on February 18, 2015, 04:41:10 PM ---I see the patterns are:
ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.
--- End quote ---
I had a CTB-Locker as a .cab attachment (Windows handles that kind of package out of the box).
Knuddi:
This signature also handles .cab files.
ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ, CL_TYPE_CAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container types listed here
Knuddi:
I have discovered that one of the container models (CL_TYPE_MAIL) would in some cases actually reject mails if there was a compressed item directly in a mail, and not the intended compressed-in-compressed.
I have therefore updated the signatures and suggest you get them again.
The signatures can be downloaded here: http://sme.swerts-knudsen.dk/downloads/ClamAV/ScanMailX.cdb
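To make the behaviour discussed in this thread concrete, here is a small evaluator for the two ScanMailX .cdb lines quoted above. It is an added example written for this page, not libclamav and not Knuddi's ScanMailX.cdb; it models only the first four CDB fields (VirusName, ContainerType, ContainerSize, FileNameREGEX) and the list of container types quoted from the ClamAV docs. Case-insensitive file-name matching and the scenario file names are assumptions/constructed data. It shows why the `Zip_zip` line flags archive-in-archive "normal" traffic, why a wildcard `*` container type also fires on a zip attached directly to a mail (CL_TYPE_MAIL), and how restricting the container type to archive formats only removes that mail false positive:

```python
"""
Toy evaluator for ClamAV .cdb container-metadata signature lines.
Constructed example for this thread; it is not libclamav and only models the
first four CDB fields (VirusName, ContainerType, ContainerSize, FileNameREGEX).
"""
import re
from dataclasses import dataclass
from typing import List

# Container types listed in the thread's excerpt of the ClamAV signature docs,
# with the (POSIX|OLD)_TAR and CPIO_(OLD|ODC|NEWC|CRC) alternatives expanded.
CONTAINER_TYPES = frozenset({
    "CL_TYPE_ZIP", "CL_TYPE_RAR", "CL_TYPE_ARJ", "CL_TYPE_CAB", "CL_TYPE_7Z",
    "CL_TYPE_MAIL", "CL_TYPE_POSIX_TAR", "CL_TYPE_OLD_TAR",
    "CL_TYPE_CPIO_OLD", "CL_TYPE_CPIO_ODC", "CL_TYPE_CPIO_NEWC", "CL_TYPE_CPIO_CRC",
})

# A .cdb line has ten colon-separated fields (optional MinFL/MaxFL may follow).
CDB_FIELD_COUNT = 10

# The two ScanMailX lines quoted in the thread (raw string keeps the regex backslash).
SCANMAILX_CDB = r"""
ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
""".strip().splitlines()


@dataclass(frozen=True)
class CdbSignature:
    name: str
    container_type: str      # "*" or exactly one CL_TYPE_* name
    filename_regex: str

    def matches(self, container_type: str, member_name: str) -> bool:
        """True if this line would fire for member_name inside a container of container_type."""
        if self.container_type != "*" and self.container_type != container_type:
            return False
        # Case-insensitive matching is an assumption of this toy model (Windows file
        # names are case-insensitive); the thread does not state libclamav's exact flags.
        return re.search(self.filename_regex, member_name, re.IGNORECASE) is not None


def parse_cdb_line(line: str) -> CdbSignature:
    """Parse one .cdb line; rejects short lines, unknown container types and bad regexes."""
    fields = line.strip().split(":")
    if len(fields) < CDB_FIELD_COUNT:
        raise ValueError(f"expected {CDB_FIELD_COUNT} fields, got {len(fields)}: {line!r}")
    name, container_type, _container_size, filename_regex = fields[:4]
    if container_type != "*" and container_type not in CONTAINER_TYPES:
        raise ValueError(f"unknown ContainerType {container_type!r} in {name}")
    re.compile(filename_regex)  # fail early on a malformed FileNameREGEX
    return CdbSignature(name, container_type, filename_regex)


def load_signatures(lines: List[str]) -> List[CdbSignature]:
    """Parse a .cdb file body, skipping blank and comment lines."""
    return [parse_cdb_line(ln) for ln in lines if ln.strip() and not ln.startswith("#")]


def evaluate(signatures: List[CdbSignature], container_type: str, member_name: str) -> List[str]:
    """Names of all signatures that fire for one member of one container."""
    return [s.name for s in signatures if s.matches(container_type, member_name)]


def restrict_container(signatures: List[CdbSignature], allowed_types: List[str]) -> List[CdbSignature]:
    """Rewrite wildcard ('*') lines into one line per allowed container type.
    CDB takes a single ContainerType per line, so excluding CL_TYPE_MAIL means
    emitting one copy of each wildcard line for every archive type you keep."""
    out: List[CdbSignature] = []
    for s in signatures:
        if s.container_type == "*":
            out.extend(CdbSignature(s.name, t, s.filename_regex) for t in allowed_types)
        else:
            out.append(s)
    return out


if __name__ == "__main__":
    sigs = load_signatures(SCANMAILX_CDB)
    archive_only = restrict_container(sigs, sorted(CONTAINER_TYPES - {"CL_TYPE_MAIL"}))
    # Constructed scenarios: (container type seen by the scanner, member file name)
    scenarios = [
        ("CL_TYPE_ZIP", "Invoice_2015.scr"),  # executable inside a zip: intended hit
        ("CL_TYPE_CAB", "setup.exe"),         # .cab attachment, as mentioned in the thread
        ("CL_TYPE_ZIP", "backup.tar.gz"),     # archive in archive: the "normal traffic" hit
        ("CL_TYPE_MAIL", "report.zip"),       # zip attached directly to a mail
        ("CL_TYPE_ZIP", "notes.txt"),         # harmless member
    ]
    for ctype, member in scenarios:
        print(f"{ctype:14} {member:18} wildcard={evaluate(sigs, ctype, member)} "
              f"archive_only={evaluate(archive_only, ctype, member)}")
```

Run it as a script to see each scenario under the original wildcard lines and under the archive-only rewrite; the `report.zip`-in-mail row is the one that changes, which is the false positive the updated signatures were meant to remove.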