Catch Suspicious Extensions [January 11, 2009]
Apr. 21, 2008, 11:49 PM
Post: #1
Catch Suspicious Extensions [January 11, 2009]
Code: [HTTP headers]
This will catch any attempt to download files with the following extensions: hta, eml, exe, hlp, jse, lnk, url, bas, bat, com, cmd, vb, vbe, vbs, scr, shs, pif, pcd, ade, adp, anr, chm, cpl, crt, ins, isp, mdb, mde, msc, msi, msp, mst, wsf, wsh, wsc
I think this will prove valuable against malicious iframe advertisements and any other method of "drive-by downloads". Previously I did not have a Content-Disposition filter. Hopefully all methods of downloading a file are now detected and "caught" with the above two filters!
Screenshots:
[filter.jpg: Prompt for standard, direct-link downloads]
[f2.jpg: Prompt for "content-disposition"-redirected downloads]
Apr. 24, 2008, 11:02 PM
Post: #2
RE: Catch Suspicious Extensions [April 21, 2008]
Hi Kye-U,
Does this mean we will have to bypass Proxo if we want to download some frequently served installation files ending in .EXE?
Apr. 24, 2008, 11:14 PM
Post: #3
RE: Catch Suspicious Extensions [April 21, 2008]
Nope, this filter will allow you to select whether or not you want to allow a download. I'll take a screenshot of the window and add it to the first post.
Apr. 24, 2008, 11:23 PM
Post: #4
RE: Catch Suspicious Extensions [April 21, 2008]
Thanks a lot!!
Aug. 27, 2008, 09:21 PM
Post: #5
RE: Catch Suspicious Extensions [April 21, 2008]
Hello Kye-U,
I want to thank you very much for the second filter (content-disposition) that I just discovered today. In fact you're right, some downloads DO NOT trigger your good old Url-killer (suspicious ext.) that I've been using for years, and I can say it has saved me a lot of times; many crap sites try to fool people with hidden .exe! But your example (webroot) showed me that crapfiles could come in without triggering the UrlKiller, and be downloaded by mistake or lack of attention! So thanks again for that filter and for all the good job you're doing.
Aug. 28, 2008, 03:46 AM
Post: #6
RE: Catch Suspicious Extensions [April 21, 2008]
I'm glad you're finding it helpful! I can see how it would prove useful against the new "XP antivirus 2008/9" malware that's floating around. Thank you for your comment!
Sep. 23, 2008, 08:19 PM
Post: #7
RE: Catch Suspicious Extensions [April 21, 2008]
Very good filters Kye-U! But sometimes they have false positives, here is an example:
http://userstyles.org/styles/site/facebook.com
I don't know about header filters, could we improve these filters to not match html files? Thanks in advance!
Jan. 11, 2009, 03:26 AM
Post: #8
RE: Catch Suspicious Extensions [January 10, 2009]
Thanks Inminente, I've updated the first filter to match all content types other than HTML.
Jan. 12, 2009, 01:01 AM
Post: #9
RE: Catch Suspicious Extensions [January 11, 2009]
Updated again to not match text/javascript, as I was getting a false positive on WildersSecurity (with Google API).
Jan. 12, 2009, 12:32 PM
Post: #10
RE: Catch Suspicious Extensions [January 11, 2009]
Is your following filter still needed?
Code: [HTTP headers]
Jan. 12, 2009, 12:40 PM
Post: #11
RE: Catch Suspicious Extensions [January 11, 2009]
Are these "drive-by downloads" merely theoretical, or has anyone seen one of these mythical beasts in the wild?
Just curious - with .js dis'd by default (by Proxo, not at the browser-level), I've not seen any...
Jan. 12, 2009, 05:50 PM
Post: #12
RE: Catch Suspicious Extensions [January 11, 2009]
I like these filters Kye-U, many thanks for them And now lets try to improve them
Analyzing the code of the first filter: - "$URL(http://" is ftp covered by the other filter? - *.(^([a-z]+{2,4})(^/))*. looking for a extension of only letters (no numbers) between 2 and 4 chars. The detection of the extension gives false positives in links like http://host1/clear.gif?url=host2/cbs.com Example here: http://www.cbs.com/primetime/big_bang_th...=true&cc=2 I recomend some code like (\1\?*|\1) or using \p for taking the real extension and later test it One modification for the first filter: Code: Match = "$SET(url=\p)$TST(url=*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e| p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)" And one question, now both filters are for incoming connections, why do we use 2 filters? Could we join them? |
Jan. 13, 2009, 11:44 PM
Post: #13
RE: Catch Suspicious Extensions [January 11, 2009]
Idea!! I think it would be great for the framework to write a filter which sets a variable with the extension of the file we are downloading; it would be very useful for many other filters.
Just waiting for some recommendations from your experience with this filter before starting to write any code. Here is a good link to test both your filters: http://prdownload.berlios.de/avidemux/av..._win32.exe
Jan. 15, 2009, 05:31 AM
Post: #14
RE: Catch Suspicious Extensions [January 11, 2009]
Thanks for that, I'll have to find time to work on this filter. The work/labs/assignments are slowly piling up!
Jan. 15, 2009, 11:21 AM
Post: #15
RE: Catch Suspicious Extensions [January 11, 2009]
The filter for taking extensions is done:
Code: [HTTP headers]
I think your above filters could be reduced to the following matching code, working together with the extension-taking filter:
Code: $TST(extension=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)
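The check that posts #12 and #15 describe, as an added Python example that is not part of the thread or of Proxomitron: take the extension from the URL path only (so a query string like ?url=host2/cbs.com is not counted), also test the filename in a Content-Disposition header, and skip the text/html and text/javascript responses that caused the false positives in posts #7 and #9. The header dictionary, hostnames and filenames below are constructed for the example.

```python
"""Added example: suspicious-extension check on URL path and Content-Disposition."""
import re
from urllib.parse import urlsplit, unquote

# Extension list exactly as given in the first post of the thread.
SUSPICIOUS = {
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat", "com",
    "cmd", "vb", "vbe", "vbs", "scr", "shs", "pif", "pcd", "ade", "adp",
    "anr", "chm", "cpl", "crt", "ins", "isp", "mdb", "mde", "msc", "msi",
    "msp", "mst", "wsf", "wsh", "wsc",
}
# Content types exempted from the URL-path check after the thread's false positives.
EXEMPT_TYPES = ("text/html", "text/javascript")


def path_extension(url):
    """Extension of the last path segment only (Proxomitron's \\p), lower-cased.
    Query string and fragment are deliberately ignored."""
    last = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def disposition_extension(header_value):
    """Extension of the filename in a Content-Disposition value, or ''.
    Handles both filename="x.exe" and the RFC 5987 filename*=UTF-8''x.exe form."""
    m = re.search(r'filename\*?=\s*"?([^";]+)"?', header_value or "", re.I)
    if not m:
        return ""
    name = m.group(1).strip()
    if "''" in name:                      # charset'lang'percent-encoded-name
        name = unquote(name.rsplit("''", 1)[-1])
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious(url, headers):
    """True when the served filename or the URL path carries a listed extension.
    `headers` is a constructed dict with canonical-case keys (Content-Type, ...).
    A Content-Disposition filename is always checked; the URL-path check is
    skipped for the exempt text types so pages like .../facebook.com pass."""
    if disposition_extension(headers.get("Content-Disposition", "")) in SUSPICIOUS:
        return True
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in EXEMPT_TYPES:
        return False
    return path_extension(url) in SUSPICIOUS
```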