get more protection from ransomware


Thomas Eckardt/eck
Hi all,

Whoever uses ClamAV with ASSP should have a look into the SaneSecurity
signatures.

http://www.sanesecurity.co.uk/databases.htm

Whoever still uses these signatures should have a look into the
ClamSup.ini file.
There are several lines excluded from the download - what I mean are:

#
# Foxhole double-extension, filename and dangerous attachment blocking sigs are disabled by default
# see http://sanesecurity.com/foxhole-databases/ for more details about their use
#
# SaneSecurity foxhole_generic.cdb - Foxhole_Generic sigs [MEDIUM FP RISK]
-rsync://rsync.sanesecurity.net/sanesecurity;foxhole_generic.cdb;N;Y;Y;N;N
# SaneSecurity foxhole_filename.cdb - Foxhole_filename sigs [MEDIUM FP RISK]
-rsync://rsync.sanesecurity.net/sanesecurity;foxhole_filename.cdb;N;Y;Y;N;N
# SaneSecurity foxhole_all.cdb - Foxhole_all sigs [HIGH FP RISK]
-rsync://rsync.sanesecurity.net/sanesecurity;foxhole_all.cdb;N;Y;Y;N;N

I recommend using these signatures - simply remove the (-) in front of
'rsync'.

I also created my own small signature files 'bad_extenson.zmd' and
'bad_extenson.rmd' - with the following content:

bad_extenson.zmd:

Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*

bad_extenson.rmd

Sanesecurity.Blocked.Rar.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Rar.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Rar.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Rar.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*

Both are old-style files and can be used with older ClamAV versions.
If you want to create your own signature files, have a look into the
Foxhole signatures - it is very easy.

Thomas


DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************


------------------------------------------------------------------------------

_______________________________________________
Assp-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-user

Re: get more protection from ransomware

K Post
I concur with this great tip.

I've been using foxhole js and file for a while now with great success.
I'm afraid of foxhole_all.cdb, as they say there's a high likelihood of
false positives.  Has that not been your experience?

I don't quite understand the point of your own signatures.  Doesn't
ASSP_AFC take care of this?  Are these signatures better or preferred?  I
guess I'm uncertain how they work, why you have them (or need / want them)
and what the difference between zmd and md files is besides one seeming to
work on zip when the other is for rar.  And what are they looking for?  A
zip with a jpg in it is flagged as bad by this?

Re: get more protection from ransomware

Thomas Eckardt/eck
>Doesn't ASSP_AFC take care of this?

Yes, but not all are using this plugin.
AND - no code is perfect - take care and double check!

Was your company ever attacked by ransomware - possibly a zero-day one?
Did you ever restore some terabytes of server data or several hundreds of
PCs?
Even 'a high likelihood of false positives' is nothing compared to this.
The only way to prevent users from clicking on zero-day viruses is to
block them before they reach the user!
Always have a backup that can be restored in a minimum of time!

Believe me, I know what I'm talking about.


> A zip with a jpg in it is flagged as bad by this?

double-extension !!!

name.jpg.exe
name.jpg.js
name.jpg.wsh
name.jpg.ps1

>I'm afraid of foxhole_all.cdb, as they say there's a high likelihood of
>false positives.  Has that not been your experience?

I can't find anything positive if someone is sending me such a
double-extension file in a zip or rar.

 any_string.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe
or
 any_string.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).js

And if I can't find any positive on it - there can't be anything false
positive.

Thomas
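As an added illustration of what the bad_extenson.zmd lines in Thomas's first post do, and of the "double-extension" answer in his second post, the following Python (not Thomas's code and not ClamAV's own engine) parses those four signature lines and applies just their filename-regex field to the member names of a constructed ZIP archive. It assumes that the filename field is matched as a regular expression the way Python's `re` does it; the archive and its member names are constructed for the demonstration.

```python
import io
import re
import zipfile

# The four .zmd lines exactly as posted in the thread. Field layout of the
# old-style format: virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
# Only the filename field (a regex) matters for this check; the rest are '*' wildcards.
ZMD_SIGNATURES = r"""
Sanesecurity.Blocked.Zip.xxx.exe:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.exe$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.js:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.js$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.wsh:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.wsh$:*:*:*:*:*:*
Sanesecurity.Blocked.Zip.xxx.ps1:0:(?i)\.(docx?|xlsx?|ppdx?|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr)\.ps1$:*:*:*:*:*:*
"""


def parse_zmd(text):
    """Return [(virname, compiled filename regex)] for every signature line.

    split(':', 2) isolates virname and the encrypted flag; rsplit(':', 6)
    peels off the six trailing metadata fields, so a ':' inside the regex
    would not break parsing.
    """
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        virname, _encrypted, rest = line.split(":", 2)
        filename_re = rest.rsplit(":", 6)[0]
        sigs.append((virname, re.compile(filename_re)))
    return sigs


def match_member(name, sigs):
    """Return the virname of the first signature matching an archive member
    name, or None. This is the per-member filename test the .zmd lines express."""
    for virname, rx in sigs:
        if rx.search(name):
            return virname
    return None


def scan_zip(data, sigs):
    """Return {member name: virname} for every blocked member of a ZIP."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            virname = match_member(info.filename, sigs)
            if virname:
                hits[info.filename] = virname
    return hits


def build_sample_zip(names):
    """Constructed test archive: every name becomes a tiny text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


# Constructed member names covering the cases discussed in the thread.
SAMPLE_NAMES = [
    "holiday.jpg",           # single extension: NOT blocked (the jpg-in-a-zip question)
    "setup.exe",             # plain executable: not a double extension, not matched here
    "invoice.pdf.exe",       # name.pdf.exe -> Sanesecurity.Blocked.Zip.xxx.exe
    "scan.DOCX.js",          # upper-case inner extension still hits thanks to (?i)
    "readme.txt.ps1",        # -> Sanesecurity.Blocked.Zip.xxx.ps1
    "docs/report.xlsx.wsh",  # member inside a folder: $ anchors on the name's end
]

if __name__ == "__main__":
    sigs = parse_zmd(ZMD_SIGNATURES)
    for member, virname in scan_zip(build_sample_zip(SAMPLE_NAMES), sigs).items():
        print(f"blocked {member}: {virname}")
```

The same regex field drives the .rmd file for RAR members; only the archive type differs.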

Re: get more protection from ransomware

Michael Seward-2
In reply to this post by K Post
We use this script to download and use multiple ClamAV definitions:

https://github.com/extremeshok/clamav-unofficial-sigs 


Re: get more protection from ransomware

K Post
In reply to this post by Thomas Eckardt/eck
I'm ashamed that I missed the .js / .exe at the end of the regex.  Makes
total sense now!!  And absolutely, I'm in favor of multiple layers of
scanning / protection.  ClamAV, AFC, Exchange scanning, server scanning,
and multiple levels of workstation scanning still isn't enough!

Is there a reason that these 2 sets of definitions couldn't be placed in
the same file and put in the db folder?

Also, can you explain the

Sanesecurity.Blocked.Zip.

prefix?  These aren't Sane definitions, they're yours, so shouldn't we use
something like

ASSP.Blocked.Zip.....

or is having Sanesecurity.Blocked.Zip. required for some reason?   More
curious than anything here.


Re: get more protection from ransomware

K Post
In reply to this post by Michael Seward-2
On Windows, we use ClamWin/ClamAV Sigupdate 0.8 beta from
http://sanesecurity.com/usage/windows-scripts/
It works perfectly for those sigs from Sane.

Re: get more protection from ransomware

K Post
Never mind on my question on the SaneSecurity.Foxhole prefix.  The example
signature names at http://sanesecurity.com/foxhole-databases/ explain it a
bit, though I don't understand how it works.  No matter.


Re: get more protection from ransomware

admin-at-extremeshok-dot-com
In reply to this post by K Post
I'm the maintainer; if you have any suggestions or enhancements for the
script, please open an issue on the GitHub project page:

https://github.com/extremeshok/clamav-unofficial-sigs

__________________________________.    https://eXtremeSHOK.com     .__________________________________
