[clamav-users] zip, rar, jar, ... how to delete all exe's and others files?
Ливитин Сергей Юрьевич
2016-04-14 06:48:58 UTC
Hi.
I use clamav + spamassassin + postfix.
I use /var/lib/archive.zmd and archive.rmd:

clamav]# more archive.rmd
Block.EXE-rar:0:\.exe$:*:*:*:*:*:*
Block.COM-rar:0:\.com$:*:*:*:*:*:*
Block.VBS-rar:0:\.vbs$:*:*:*:*:*:*
Block.BAT-rar:0:\.bat$:*:*:*:*:*:*
Block.PIF-rar:0:\.pif$:*:*:*:*:*:*
Block.SCR-rar:0:\.scr$:*:*:*:*:*:*
Block.HTA-rar:0:\.hta$:*:*:*:*:*:*
Block.JS-rar:0:\.js$:*:*:*:*:*:*
Block.CMD-rar:0:\.cmd$:*:*:*:*:*:*
Block.CHM-rar:0:\.chm$:*:*:*:*:*:*
Block.CPL-rar:0:\.cpl$:*:*:*:*:*:*
Block.JSP-rar:0:\.jsp$:*:*:*:*:*:*
Block.REG-rar:0:\.reg$:*:*:*:*:*:*
Block.VBE-rar:0:\.vbe$:*:*:*:*:*:*
Block.LNK-rar:0:\.lnk$:*:*:*:*:*:*
Block.DLL-rar:0:\.dll$:*:*:*:*:*:*
Block.SYS-rar:0:\.sys$:*:*:*:*:*:*
Block.WSF-rar:0:\.wsf$:*:*:*:*:*:*
Block.fool.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Block.fool.xxx.com:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.com$:*:*:*:*:*:*

clamav]# more archive.zmd
Block.EXE-zip:0:\.exe$:*:*:*:*:*:*
Block.COM-zip:0:\.com$:*:*:*:*:*:*
Block.VBS-zip:0:\.vbs$:*:*:*:*:*:*
Block.BAT-zip:0:\.bat$:*:*:*:*:*:*
Block.PIF-zip:0:\.pif$:*:*:*:*:*:*
Block.SCR-zip:0:\.scr$:*:*:*:*:*:*
Block.HTA-zip:0:\.hta$:*:*:*:*:*:*
Block.JS-zip:0:\.js$:*:*:*:*:*:*
Block.CMD-zip:0:\.cmd$:*:*:*:*:*:*
Block.CHM-zip:0:\.chm$:*:*:*:*:*:*
Block.CPL-zip:0:\.cpl$:*:*:*:*:*:*
Block.JSP-zip:0:\.jsp$:*:*:*:*:*:*
Block.REG-zip:0:\.reg$:*:*:*:*:*:*
Block.VBE-zip:0:\.vbe$:*:*:*:*:*:*
Block.LNK-zip:0:\.lnk$:*:*:*:*:*:*
Block.DLL-zip:0:\.dll$:*:*:*:*:*:*
Block.SYS-zip:0:\.sys$:*:*:*:*:*:*
Block.WSF-zip:0:\.wsf$:*:*:*:*:*:*
Block.fool.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Block.fool.xxx.com:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.com$:*:*:*:*:*:*

I tried to send an exe file in a rar archive - clamd said "CLEAN" :(
Where is the detailed documentation about the capabilities of clamav?

Regards
Serg
+7 903 719-29-90
***@itprofservice.ru


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Steve Basford
2016-04-14 07:08:31 UTC
Post by Ливитин Сергей Юрьевич
Hi.
Use clamav + spamassassin + postfix.
Use /var/lib/archive.zmd and archive.rmd]
Tried to sent exe-file in rar archive - clamd said "CLEAN" :(
Where is detailed documentation about possibilities of clamav?
A few things:

1) .rmd/.zmd databases are obsolete; they are replaced with .cdb.

More details:
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

2) Foxhole databases can be used to sort out most of what you are trying
to do:

http://sanesecurity.com/foxhole-databases/

3) unrar will need to be installed correctly on your system before
these rules will work.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity

Kris Deugau
2016-04-14 14:15:38 UTC
Post by Steve Basford
1) .rmd/.zmd databases are obsolete, they are replaced with .cdb
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Does anyone have any examples of valid signatures for the .cdb sigfiles?

I've tried a couple of times to port some of my local .zmd sigs, but I
can't find the right formatting.

In reading the reference file above, I see fields for the archive file
size, compressed file size, expanded size of the file, and a whole bunch
of other details that I don't care about (and so I want to set them to
"whatever"), but based on what I've tried so far that's apparently not
valid.

The only thing I want to match on is the name of the files in the
archive. .zmd and .rmd still work for that.

-kgd
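A small converter for porting .zmd/.rmd lines like the ones posted above to .cdb, added here as an example; it is not code from this list or from the ClamAV project. It assumes the field layouts given in the signatures reference (zmd/rmd: Name:Encrypted:FileNameRegex:NormalSize:CSize:CRC32:CMethod:FileNumber:MaxDepth; cdb: Name:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2) and drops the three zmd fields (CRC32, CMethod, MaxDepth) that have no cdb counterpart.

```python
"""Convert ClamAV .zmd/.rmd archive-metadata signatures into .cdb lines.

Assumed layouts (example code, field names as in the signatures reference):
  zmd/rmd: Name:Encrypted:FileNameRegex:NormalSize:CSize:CRC32:CMethod:FileNumber:MaxDepth
  cdb:     Name:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
           FileSizeReal:IsEncrypted:FilePos:Res1:Res2
"""
from typing import Iterable, Iterator

# Database extension -> container type used in the .cdb ContainerType field.
CONTAINER_TYPES = {"zmd": "CL_TYPE_ZIP", "rmd": "CL_TYPE_RAR"}


def convert_line(line: str, kind: str) -> str:
    """Translate one zmd/rmd signature into the equivalent cdb signature."""
    # ':' is the field delimiter in both formats, so the regex itself must not
    # contain one (same restriction ClamAV imposes on the original line).
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, encrypted, regex, nsize, csize, _crc32, _cmethod, filenum, _maxdepth = fields
    if encrypted not in ("0", "1", "*"):
        raise ValueError(f"bad Encrypted flag {encrypted!r} in {line!r}")
    # Map the surviving fields; ContainerSize and the reserved fields are
    # wildcarded so the new signature matches exactly what the old one did.
    return ":".join([name, CONTAINER_TYPES[kind], "*", regex,
                     csize, nsize, encrypted, filenum, "*", "*"])


def convert_db(lines: Iterable[str], kind: str) -> Iterator[str]:
    """Convert a whole database, skipping blank lines and '#' comments."""
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield convert_line(stripped, kind)


if __name__ == "__main__":
    # Constructed sample input: two of the rmd signatures from the post.
    sample_rmd = [
        "Block.EXE-rar:0:\\.exe$:*:*:*:*:*:*",
        "Block.fool.xxx.exe:0:\\.(doc|xls|pdf)\\.exe$:*:*:*:*:*:*",
    ]
    for sig in convert_db(sample_rmd, "rmd"):
        print(sig)
```

Run it with the converted output redirected into a `.cdb` file in the database directory and test with `clamscan --database=<that file>` against a sample archive before relying on it.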
Benny Pedersen
2016-04-14 15:18:54 UTC
Post by Kris Deugau
Does anyone have any examples of valid signatures for the .cdb
sigfiles?
http://sanesecurity.com/foxhole-databases/
Post by Kris Deugau
"whatever"), but based on what I've tried so far that's apparently not
valid.
Yes, I have a hard time getting more info on the cdb format files as well; it seems
undocumented as is.
Post by Kris Deugau
The only thing I want to match on is the name of the files in the
archive. .zmd and .rmd still work for that.
Take one or more of the foxhole databases, and if possible, if successful, share
that signature here; it might be useful for more than one.

I prefer 0-day signatures in this wonderful world of malware.