Koozali.org: home of the SME Server

Clamav double ext

Offline swany

Clamav double ext
« on: December 08, 2015, 12:18:22 PM »
I want to block all of the listed file masks in mail attachments, so I added the following to /var/clamav/my_base.cdb:

ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.js:CL_TYPE_MAIL:*:(?i)\.js$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.exe:CL_TYPE_MAIL:*:(?i)\.exe$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.dll:CL_TYPE_MAIL:*:(?i)\.dll$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.vbs:CL_TYPE_MAIL:*:(?i)\.vbs$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.pif:CL_TYPE_MAIL:*:(?i)\.pif$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.com:CL_TYPE_MAIL:*:(?i)\.com$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|)$:*:*:*:*:*:*

If I send
АА file_name.js
it's BLOCKED

But if I send
АА file_name.xlsx_ .js
it's OK

АА - non-Unicode symbols

Can someone help me?
« Last Edit: December 08, 2015, 12:27:53 PM by swany »

Offline Stefano

Re: Clamav double ext
« Reply #1 on: December 08, 2015, 01:13:24 PM »
Don't mess with ClamAV rules/signatures; use this contrib:

http://wiki.contribs.org/Clamav_unofficial_sigs

Please also read here:

http://bugs.contribs.org/show_bug.cgi?id=9142