[Mimedefang] Blocking binaries by file content

Giovanni Bechis giovanni at paclan.it
Thu Sep 23 03:33:44 EDT 2021


On 9/23/21 02:10, Kenneth Porter via MIMEDefang wrote:
> I'm already running ClamAV and I block on file extensions. Is there any way to recognize executables by content and block them? I just saw this article on a coming attack vector through Windows Subsystem for Linux (WSL) in which the payload is an ELF binary that then downloads and spawns a Windows binary.
> 
> <https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/>
> 
> The hard part would be defining "executable" but that could be extensible.
> 
File::LibMagic is the way to go; it will check the file using magic(5) and report info about the file format.
 Giovanni
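An added example (not from Giovanni's reply or from MIMEDefang's own distribution) of how a mimedefang-filter could apply that suggestion: it assumes File::LibMagic's info_from_filename/info_from_string methods and the standard MIMEDefang filter(), action_quarantine(), action_accept() and md_syslog() hooks, and quarantines a part whose decoded content libmagic identifies as an ELF, PE or Mach-O binary regardless of its extension or declared MIME type.

```perl
# Added example for a mimedefang-filter: flag executables by file content
# with File::LibMagic instead of trusting the extension or Content-Type.
# Assumes File::LibMagic's info_from_filename/info_from_string API and the
# standard MIMEDefang hooks; not code from the original post or MIMEDefang.
use strict;
use warnings;
use File::LibMagic;

# One libmagic handle per filter process; loading the magic database is slow.
my $magic = File::LibMagic->new();

# MIME types libmagic reports for native executables. Exact strings differ
# between libmagic versions, so the textual description is checked as well.
my $exe_mime = qr{^application/(?:x-executable|x-pie-executable|x-sharedlib|
                  x-dosexec|vnd\.microsoft\.portable-executable|x-mach-binary)$}x;
# Deliberately broad: also matches ELF shared objects and core files.
my $exe_desc = qr{^(?:ELF|PE32|Mach-O)\b};

# Returns 1 when the decoded part looks like a native executable, else 0.
sub looks_like_executable {
    my ($entity) = @_;
    my $body = $entity->bodyhandle or return 0;   # multipart containers have no body
    my $info;
    if (defined $body->path) {                      # part was written to disk
        $info = $magic->info_from_filename($body->path);
    } else {                                        # part is held in memory
        $info = $magic->info_from_string($body->as_string);
    }
    return 1 if defined $info->{mime_type}   && $info->{mime_type}   =~ $exe_mime;
    return 1 if defined $info->{description} && $info->{description} =~ $exe_desc;
    return 0;
}

# MIMEDefang calls filter() once for every non-multipart part of a message.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    if (looks_like_executable($entity)) {
        md_syslog('warning', "executable by content: '$fname' declared as $type");
        return action_quarantine($entity,
            "Attachment '$fname' was quarantined: its content is an executable");
    }
    return action_accept();
}
```

The description check runs only when the MIME-type check misses, so adding a new pattern to $exe_desc is enough to cover a libmagic build whose MIME strings differ from those listed.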
