CLSID matching

Rick Cooper rcooper at dwford.com
Thu Mar 2 18:08:35 GMT 2006



> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of
> hermit921
> Sent: Thursday, March 02, 2006 11:47 AM
> To: MailScanner discussion
> Subject: Re: CLSID matching
>
>
> I was looking in the filenames file at the CLSID line.  Doesn't this match
> any file name containing that 25 character string in {}, not just ending in
> that string?
>
> hermit921
>
>
> # Deny filenames ending with CLSID's
> deny	\{[a-hA-H0-9-]{25,}\}	Filename trying to hide its real type				Files containing CLSID's are trying to hide their real type

Not to beat a dead horse, but I was thinking after that last post, and if you
want to get technically correct, a CLSID is a string of five groups of hex
number groups in the format of 8-4-4-12, such as
{00020812-0000-0000-C000-000000000046} for the Microsoft Excel application.
So a properly formatted CLSID detection regex would be:

deny	\.\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}$

or I guess you could shorten it to:

deny	\.\{[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12}\}$

Rick Cooper
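
The following is an added example, not part of the original post or of MailScanner: it runs the stock rule's pattern and the two patterns from the message over constructed attachment names to show where they disagree. The variable and function names are assumptions, and so is treating each rule as an unanchored regex search over the filename.

```python
import re

# Patterns copied from the thread; the names are assumptions for this example.
STOCK = re.compile(r"\{[a-hA-H0-9-]{25,}\}")
STRICT = re.compile(
    r"\.\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}$"
)
SHORT = re.compile(r"\.\{[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12}\}$")

CLSID = "{00020812-0000-0000-C000-000000000046}"  # Excel CLSID quoted in the post

# Constructed attachment names, not taken from real mail.
SAMPLES = [
    "report.doc." + CLSID,                           # CLSID as the final extension
    "backup " + CLSID + ".zip",                      # CLSID in the middle of the name
    "notes.{GGGGGGGG-HHHH-0000-0000-000000000000}",  # G and H are not hex digits
    "file.{" + "0" * 25 + "}",                       # 25 characters, no grouping
    CLSID,                                           # no dot before the brace
    "invoice.pdf",
]

def verdicts(name):
    """Return which of the three rules would fire on this filename."""
    # Assumption: each rule is applied as an unanchored search over the name.
    return {
        "stock": bool(STOCK.search(name)),
        "strict": bool(STRICT.search(name)),
        "short": bool(SHORT.search(name)),
    }

def disagreements(names):
    """Names where the stock rule and the strict rule give different answers."""
    return [n for n in names if verdicts(n)["stock"] != verdicts(n)["strict"]]

if __name__ == "__main__":
    for name in SAMPLES:
        v = verdicts(name)
        print(f"{name!r:55} stock={v['stock']!s:5} strict={v['strict']!s:5} short={v['short']}")
    print("differ:", disagreements(SAMPLES))
```

Anyone tightening the rule can use the disagreement list to see which names the stock pattern blocks that the anchored pattern would let through.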

