CLSID matching

Julian Field MailScanner at ecs.soton.ac.uk
Thu Mar 2 18:29:21 GMT 2006



Agreed, but my simple one is faster and close enough. I've never had a 
report of a false alarm. If it ain't broke (or anyone is reporting it as 
broke) then I see no point in fixing it :-)

Rick Cooper wrote:
>> I was looking in the filenames file at the CLSID line.  Doesn't this match
>> any file name containing that 25 character string in {}, not just ending in
>> that string?
>>
>> hermit921
>>
>>
>> # Deny filenames ending with CLSID's
>> deny	\{[a-hA-H0-9-]{25,}\}	Filename trying to hide its real type	Files containing CLSID's are trying to hide their real type
>>     
>
> Not to beat a dead horse, but I was thinking after that last post and if you
> want to get technically correct a CLSID is a string of five groups of Hex
> number groups in the format of 8-4-4-12 such as
> {00020812-0000-0000-C000-000000000046} for the Microsoft Excel application.
> So a properly formatted CLSID detection regex would be:
>
> deny \.\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}$
>
> or I guess you could shorten it to:
>
> deny \.\{[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12}\}$
>   
-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
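
The two rules discussed in this thread, compared side by side over sample filenames. This is an added example, not part of the original message and not MailScanner code; it assumes each rule is applied as an unanchored, case-sensitive regex search against the filename, and all sample filenames are constructed (only the Excel CLSID comes from the thread).

```python
import re

# Patterns copied from the thread. Assumption: unanchored regex search.
RULES = {
    # Current rule from the filenames file: 25+ chars of [a-hA-H0-9-] in braces.
    "simple": re.compile(r"\{[a-hA-H0-9-]{25,}\}"),
    # Shortened 8-4-4-4-12 form proposed in the quoted reply, anchored at the end.
    "strict": re.compile(
        r"\.\{[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12}\}$"
    ),
}

EXCEL = "{00020812-0000-0000-C000-000000000046}"  # CLSID quoted in the thread

# Constructed sample filenames.
SAMPLES = [
    "report.xls." + EXCEL,                          # CLSID as the final extension
    "notes" + EXCEL + ".txt",                       # CLSID in the middle of the name
    "build-{0123456789abcdef0123456789}.log",       # 26 hex chars, no 8-4-4-4-12 grouping
    "photo{" + "-" * 25 + "}.jpg",                  # 25 hyphens only
    "invoice{GGGGGGGG-HHHH-0000-0000-000000000000}.pdf",  # g/h are not hex digits
    "plain-document.doc",                           # no braces at all
]


def classify(filename):
    """Return {'simple': bool, 'strict': bool} for one filename."""
    return {name: bool(rx.search(filename)) for name, rx in RULES.items()}


def disagreements(filenames):
    """Filenames on which the two rules give different verdicts."""
    out = []
    for name in filenames:
        verdict = classify(name)
        if verdict["simple"] != verdict["strict"]:
            out.append(name)
    return out


if __name__ == "__main__":
    for name in SAMPLES:
        v = classify(name)
        print(f"simple={v['simple']!s:5} strict={v['strict']!s:5} {name}")
```

Every name the strict rule denies is also denied by the simple rule, so switching would only narrow what is blocked: the mid-name CLSID and the malformed brace strings would pass.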


