On Fri, 20 May 2016 17:47:09 -0500 (CDT) David B Funk <dbf...@engineering.uiowa.edu> wrote:
> > We do it the hard way. We list the contents of attached archives
> > (using "lsar") and have filename-extension rules that block .js
> > inside .zip files. While this can lead to some FPs, which we handle
> > with selective whitelisting, it's very effective at catching the
> > latest crop of cryptolocker-style attacks.
> But isn't this exactly what the "foxhole_all.cdb"
> signatures do? (or am I missing something?).

Yes, mostly. The advantage of lsar is that it can look inside all kinds of weird archive formats (zip, zoo, rar, tar, tar.gz, etc.). While most malware uses zip, we've seen the occasional one using a different container file format.

Regards,
Dianne.
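A defender-side sketch of the check described in the thread, added here as an example and not code from the list or its posters: Python's zipfile/tarfile stand in for lsar (so only those formats are listed), the sample attachments are constructed in memory, and the set of blocked extensions is an assumption.

```python
import io
import re
import tarfile
import zipfile

# Extension rule in the spirit of the thread: block script-type members found
# inside an attached archive. The exact list is an assumption for this example.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".scr"}

def blocked_members(names):
    """Member names whose last extension (case-insensitive) is on the block list."""
    hits = []
    for name in names:
        # Look at the final extension only, so a double-extension lure such as
        # 'Invoice.pdf.JS' is still caught.
        base = name.rsplit("/", 1)[-1]
        m = re.search(r"(\.[A-Za-z0-9]+)$", base)
        if m and m.group(1).lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def list_archive(data):
    """Stand-in for 'lsar': list file members of an in-memory zip or tar(.gz); None if neither."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return [m.name for m in tf.getmembers() if m.isfile()]
    except tarfile.ReadError:
        return None

def build_sample_zip():
    """Constructed attachment: a zip holding a script lure and a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016/Invoice.pdf.JS", "// constructed placeholder\n")
        zf.writestr("Invoice_2016/readme.txt", "nothing to see\n")
    return buf.getvalue()

def build_sample_tar():
    """Constructed attachment: a gzip tar carrying a .vbs member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        payload = b"' constructed placeholder\n"
        info = tarfile.TarInfo("scan.vbs")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

In a mail filter the listing step would be replaced by lsar output so that formats such as rar or zoo are covered too; the extension rule itself is unchanged.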