Shouldn't those signatures arrive via clamav? I presume you have submitted them there.
I see the patterns are:
ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.
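Added example (not part of the original post, and not ClamAV's or the signature author's code): a small Python check of which file names inside an archive each of the two quoted patterns would flag. It assumes the ten colon-separated fields follow ClamAV's container metadata layout and uses Python's `re` as an approximation of ClamAV's matching; the sample names are constructed.

```python
import re

# The two signature lines quoted in the post above.
SIGNATURES = [
    r"ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins"
    r"|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc"
    r"|wsf|wsh)$:*:*:*:*:*:*",
    r"ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*",
]

# Assumption: field order of ClamAV's container metadata signature format.
FIELDS = ("name", "container_type", "container_size", "filename_regex",
          "size_in_container", "size_real", "is_encrypted", "file_pos",
          "res1", "res2")

def parse_signature(line):
    """Split one signature line into named fields (these regexes hold no ':')."""
    parts = line.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))

def matching_signatures(member_name, signatures=SIGNATURES):
    """Return the names of signatures whose file name regex hits member_name."""
    hits = []
    for line in signatures:
        sig = parse_signature(line)
        others = [sig[f] for f in FIELDS[1:] if f != "filename_regex"]
        if any(value != "*" for value in others):
            continue  # only name-only signatures are evaluated in this sketch
        if re.search(sig["filename_regex"], member_name):
            hits.append(sig["name"])
    return hits

# Constructed sample: names of files found inside a mail attachment archive.
SAMPLE_MEMBERS = ["invoice.pdf.exe", "site-backup.tar", "logs-2015-01.gz",
                  "report.docx", "photos.zip"]

def report(members=SAMPLE_MEMBERS):
    """Map each member name to the signatures that would block it."""
    return {name: matching_signatures(name) for name in members}

if __name__ == "__main__":
    for name, hits in report().items():
        print("%-18s %s" % (name, ", ".join(hits) or "clean"))
```

Because every field except the file name regex is a wildcard, the second signature flags any nested archive in any container type, which is the disruption to ordinary traffic the post anticipates.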
There are also unofficial ClamAV signatures; most of them are used to limit spam. See http://blog.redbranch.net/2010/09/24/enhancing-clamav-with-extra-signatures/
They are also available in an RPM package. I'm using clamav-unofficial-sigs on my server and 3 others.
Can you give me a link to get that RPM?
It's available from the EPEL repository (for SME Server 9 at least):
yum install clamav-unofficial-sigs --enablerepo=epel