[Mimedefang] Blocking binaries by file content

Kenneth Porter shiva at sewingwitch.com
Wed Sep 22 20:10:29 EDT 2021


I'm already running ClamAV and I block on file extensions. Is there any way 
to recognize executables by content and block them? I just saw this article 
on a coming attack vector through Windows Subsystem for Linux (WSL) in 
which the payload is an ELF binary that then downloads and spawns a Windows 
binary.

<https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/>

The hard part would be defining "executable" but that could be extensible.





More information about the MIMEDefang mailing list