[Mimedefang] Blocking binaries by file content

Kevin A. McGrail kmcgrail at pccc.com
Wed Sep 22 20:40:12 EDT 2021

On 9/22/2021 8:10 PM, Kenneth Porter via MIMEDefang wrote:
> I'm already running ClamAV and I block on file extensions. Is there 
> any way to recognize executables by content and block them? I just saw 
> this article on a coming attack vector through Windows Subsystem for 
> Linux (WSL) in which the payload is an ELF binary that then downloads 
> and spawns a Windows binary.
> <https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/> 
> The hard part would be defining "executable" but that could be 
> extensible. 

You could use some quick code that reads the first few bytes of the file 
attachments and then compares it for certain matches called Magic 
Bytes.  For ELF, it's 0x7F followed by ELF in ASCII (45 4c 46).

You could use that to block any ELF file.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20210922/0035bf1c/attachment.html>

More information about the MIMEDefang mailing list