Foxhole databases

Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as Mailscanner/SpamAssassin/Postfix, however ClamAV can also be used to block these attachments which in some environments may be useful.

Foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions, on those filenames/extensions. The foxhole databases also use an .ndb
database for other archives types not covered by a cdb database.

[important]SaneSecurity signatures are a culmination of hard work and commitment to provide Third-Party signatures to the web community that are of professional quality. We are not a company… and producing the signatures and support for the signatures, are carried out in our spare time and at our own cost.
Please consider making a donation[/important]

 

The current foxhole databases are:

 

foxhole_generic.cdb (low false positive risk)

This database will block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filestypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb.

foxhole_filename.cdb (low false positive risk)

This database will block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives.

foxhole_js.cdb (medium false positive risk)

This database will block most JavaScript (.js) files within Zip, Rar archived. The current #locky #javascript #malware is using rapidly changing JavaScript files and this database is aimed at blocking these. To help minimise false positives, this database will only scan small sized Zip and Rar files.

foxhole_js.ndb (medium false positive risk)
This database will block ALL JavaScript (.js) files within GZip and Ace archives.
The current #locky #javascript #malware is using rapidly changing JavaScript files and this database is aimed at blocking these.

foxhole_all.cdb (high false positive risk)

This database will block all files (single and double extensions) within Zip, Rar and 7z archives that contain dangerous filestypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database, combined with foxhole_js.ndb but also has the highest risk of false positives, unless you are using scoring.

foxhole_all.ndb (high false positive risk)

This database will block all files (single and double extensions) within GZip and Ace archives that contain dangerous filestypes such as: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jse, lib, mde, msd, msp, mst, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf and wsh. This will be the most effective database, combined with foxhole_js.ndb but also has the highest risk of false positives, unless you are using scoring.

foxhole_mail.cdb (high false positive risk)

This database will block any mail that contain a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. This will be the most effective database, combined with foxhole_js.ndb but also has the highest risk of false positives, unless you are using scoring.

Currently only Zip, Rar, 7z and Arj archives are used, however this can be extended to Cab and Tar files. Please Contact me if that would prove to be useful.

[notice] If you are trying to block large attachments, you may need to increase the value of MaxZipTypeRcg in clamd.conf, from 1M to 3M[/notice]

Example signature names

Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files,
within a Zip file.

Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files,
within a Rar file

Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying
to hide their true extension, within a zip file.

Excluding/Whitelisting

If you wish to whitelist one of the above signatures, you can do this by creating your own foxhole.ign2 file and place it in the ClamAV database folder:

[notice]Tech. Note: with .cdb files .UNOFFICIAL has to be added to the signature name (unlike .ndb/.hdb formats)[/notice]

 

Example 1:

printf “Sanesecurity.Foxhole.7z_avi.UNOFFICIAL” > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.7z_avi signature will be ignored.

 

Example 2:

printf “Sanesecurity.Foxhole.Zip_lib.UNOFFICIAL” > foxhole.ign2

Restart clamd and the Sanesecurity.Foxhole.Zip_lib signature will be ignored.

[notice] TIP: This may be useful for people who want to use foxhole_all.cdb to block all dangerous attachments within archives, however want to make an exception for .lib files, by whitelisting it.[/notice]