[Mimedefang] Blocking binaries by file content
Kenneth Porter
shiva at sewingwitch.com
Wed Sep 22 20:10:29 EDT 2021
I'm already running ClamAV and I block on file extensions. Is there any way
to recognize executables by content and block them? I just saw this article
on a coming attack vector through Windows Subsystem for Linux (WSL) in
which the payload is an ELF binary that then downloads and spawns a Windows
binary.
<https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/>
The hard part would be defining "executable" but that could be extensible.
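One way to do what the post asks, as an added example (not code from the original post or from MIMEDefang itself): identify executables by their leading bytes rather than by extension. In a real MIMEDefang deployment this check would live in the Perl filter, reading the first few dozen bytes of each decoded part from disk; the Python below is a stand-alone demonstration of the detection logic over constructed sample attachments. It recognises ELF, PE (via the e_lfanew pointer to the "PE\0\0" signature, so a bare "MZ" DOS stub is still caught), Mach-O thin and fat binaries, and shebang scripts, and it separates fat Mach-O from Java class files, which share the 0xCAFEBABE magic. The file names, sample bytes and the block-list policy are assumptions for the example.

```python
"""Content-based executable detection for mail attachments.

Added example, not from the original post or MIMEDefang's own code.
Looks at leading bytes ("magic") instead of trusting the file extension.
"""
import struct
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
MACHO_THIN = {
    b"\xfe\xed\xfa\xce",  # 32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # 32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # 64-bit, little-endian
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # shared with Java .class files; disambiguated below

# Policy for this example: block native executables, let scripts and Java
# class files through to whatever other checks the filter applies.
BLOCKED_LABELS = {"ELF", "PE", "MZ", "Mach-O", "Mach-O fat"}


def classify_executable(data: bytes) -> Optional[str]:
    """Return a label for recognised executable formats, else None."""
    head = data[:4]
    if head == ELF_MAGIC:
        return "ELF"
    if data[:2] == MZ_MAGIC:
        # DOS stub first; the offset of the PE header sits at 0x3c.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                return "PE"
        return "MZ"  # plain DOS binary or truncated PE: still executable
    if head in MACHO_THIN:
        return "Mach-O"
    if head == FAT_MAGIC and len(data) >= 8:
        # Fat Mach-O stores nfat_arch here (a small count); a Java class file
        # stores minor/major version, with major >= 45. file(1) uses a
        # similar threshold to tell them apart.
        (word,) = struct.unpack_from(">I", data, 4)
        return "Mach-O fat" if 0 < word < 30 else "Java class"
    if data[:2] == b"#!":
        return "script"
    return None


def should_block(data: bytes) -> Optional[str]:
    """Return the reason a part would be blocked, or None to let it pass."""
    label = classify_executable(data)
    return label if label in BLOCKED_LABELS else None


def scan_attachments(parts: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each attachment name to its block reason (None = not blocked)."""
    return {name: should_block(data) for name, data in parts.items()}


def _fake_pe() -> bytes:
    # Constructed sample: 0x40-byte MZ stub whose e_lfanew points at PE\0\0.
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + PE_SIGNATURE + b"\0" * 20


# Constructed sample attachments (headers only, not real files).
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",           # genuine PDF header
    "setup.txt": _fake_pe(),                                 # PE hiding behind .txt
    "payload": b"\x7fELF\x02\x01\x01\x00" + b"\0" * 24,      # ELF64 header start
    "tool.bin": b"\xcf\xfa\xed\xfe" + b"\0" * 28,            # Mach-O 64-bit LE
    "Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\0" * 8,  # Java 8 class
    "universal": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\0" * 8,    # fat Mach-O, 2 archs
    "run.sh": b"#!/bin/sh\necho hi\n",                       # shebang script
}

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:12s} -> {'BLOCK ' + reason if reason else 'pass'}")
```

The extension-free "payload" and the mislabelled "setup.txt" are both caught, which is the point of checking content; the check reads only the first 64 bytes of each part, so it is cheap enough to run on every attachment alongside ClamAV.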