The Un-Official Proxomitron Forum

Full Version: Catch Suspicious Extensions [April 21, 2008]
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] (Out)"
URL = "(^$LST(KBSP))(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

In = TRUE
Out = FALSE
Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

This will catch any attempt to download files with the following extensions:

hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc

I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters!

Screenshots:

[Screenshot: Prompt for standard, direct-link downloads]

[Screenshot: Prompt for "content-disposition"-redirected downloads]

Hi Kye-U,

Does this mean we will have to bypass Proxo if we want to download some frequently served installation files ending in .EXE ?

Nope, this filter will allow you to select whether or not you want to allow a download. I'll take a screenshot of the window and add it to the first post!

Thanks a lot!!

Guest

Hello Kye-U,
I want to thank you very much for the second filter (content-disposition) that I just discovered today. In fact you're right, some downloads DO NOT trigger your good old Url-killer (suspicious ext.) that I've been using for years, and I can say it has saved me many times; many crap sites try to fool people with hidden .exe!

But your example (webroot) showed me that crapfiles could come in without triggering the UrlKiller, and be downloaded by mistake or lack of attention!

So thanks again for that filter and for all the good job you're doing.

I'm glad you're finding it helpful! I can see how it would prove useful against the new "XP antivirus 2008/9" malware that's floating around. Thank you for your comment!

Very good filters Kye-U! But sometimes they have false positives, here is an example:
http://userstyles.org/styles/site/facebook.com

I don't know about header filters; could we improve these filters so they don't match HTTP content?

Thanks in advance!
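To make the behaviour of the two filters in the first post and the false positive reported just above easy to reproduce offline, here is an added example that is not part of the thread and not Proxomitron code: a Python transcription of the same checks. The first function mirrors the Out filter (URL path ending in a listed extension), the second mirrors the In filter (Content-Disposition filename ending in a listed extension), and a small host set stands in for the `$LST(KBSP)` bypass list both filters consult first. Assumptions: it tests the URL's path component rather than Proxomitron's raw URL string, the bypass list holds plain host names (a leading dot also covers subdomains), and the hosts `example.test`, the header strings and the file names in the samples are constructed for the demo.

```python
"""Suspicious-download check modelled on the two Proxomitron filters above.

Added example, not from the original post: a Python version of the same
extension check, with a host bypass set standing in for $LST(KBSP).
"""
import re
from urllib.parse import unquote, urlsplit

# Extension list transcribed from the filters in the first post.
SUSPICIOUS_EXTENSIONS = frozenset(
    """hta eml exe hlp jse lnk url bas bat com cmd vb vbe vbs scr shs pif
    pcd ade adp anr chm cpl crt ins isp mdb mde msc msi msp mst wsf wsh
    wsc""".split()
)

# Stand-in for the $LST(KBSP) bypass list (constructed for the demo).
# A leading dot means "this host and any subdomain".
BYPASS_HOSTS = {".userstyles.org"}


def _bypassed(host, bypass):
    host = (host or "").lower()
    for entry in bypass:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def _extension(name):
    """Lowercase extension of the last path segment of name, or None."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()


def check_url(url, bypass=BYPASS_HOSTS):
    """Mirror of the Out filter: flag a request whose URL path ends in a
    listed extension. Returns the offending extension, or None."""
    parts = urlsplit(url)
    if _bypassed(parts.hostname, bypass):
        return None
    ext = _extension(unquote(parts.path))
    return ext if ext in SUSPICIOUS_EXTENSIONS else None


# filename="quoted" | filename=bare | filename*=charset''percent-encoded
_FILENAME_RE = re.compile(r'filename\*?\s*=\s*(?:"([^"]*)"|([^;]*))', re.I)


def check_content_disposition(header, url, bypass=BYPASS_HOSTS):
    """Mirror of the In filter: flag a response whose Content-Disposition
    filename ends in a listed extension, whatever the URL looked like."""
    if _bypassed(urlsplit(url).hostname, bypass):
        return None
    m = _FILENAME_RE.search(header or "")
    if not m:
        return None
    name = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    if "''" in name:  # RFC 5987 form: filename*=UTF-8''setup%2Eexe
        name = unquote(name.split("''", 1)[1])
    ext = _extension(name)
    return ext if ext in SUSPICIOUS_EXTENSIONS else None


if __name__ == "__main__":
    # Constructed samples: (request URL, Content-Disposition header or None)
    samples = [
        ("http://example.test/downloads/setup.exe", None),
        ("http://example.test/download.php?id=42",
         'attachment; filename="XPAntivirus2008.exe"'),
        ("http://example.test/get", "attachment; filename*=UTF-8''tool%2Escr"),
        ("http://userstyles.org/styles/site/facebook.com", None),
    ]
    for url, cd in samples:
        hit = check_url(url) or (cd and check_content_disposition(cd, url))
        print(f"{url!s:55} -> {'PROMPT (.' + hit + ')' if hit else 'allowed'}")
    # The reported false positive, without the bypass entry:
    print("no bypass:", check_url(samples[-1][0], bypass=set()))
```

The last line shows why the userstyles.org address prompts: the path ends in `.com`, which is on the list, so the URL check cannot tell a file from a site name. With `.userstyles.org` in the bypass set the prompt goes away, which is the same remedy the original filters offer through `$LST(KBSP)`.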