CLSID matching

hermit921 hermit921 at yahoo.com
Thu Mar 2 18:40:04 GMT 2006


Back to my original question.  Does this expression match anywhere in the 
file name or match only as the end of the file name?  The comments say one 
thing but I read it as the other.

hermit921


At 10:29 AM 3/2/2006, Julian Field wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Agreed, but my simple one is faster and close enough. I've never had a
>report of a false alarm. If it ain't broke (or anyone is reporting it as
>broke) then I see no point in fixing it :-)
>
>Rick Cooper wrote:
> >> I was looking in the filenames file at the CLSID line.  Doesn't this match
> >> any file name containing that 25 character string in {}, not just ending in
> >> that string?
> >>
> >> hermit921
> >>
> >>
> >> # Deny filenames ending with CLSID's
> >> deny \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type   Files containing CLSID's are trying to hide their real type
> >>
> >
> > Not to beat a dead horse, but I was thinking after that last post and if you
> > want to get technically correct a CLSID is a string of five groups of Hex
> > number groups in the format of 8-4-4-12 such as
> > {00020812-0000-0000-C000-000000000046} for the Microsoft Excel application.
> > So a properly formatted CLSID detection regex would be:
> >
> > deny \.\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}$
> >
> > or I guess you could shorten it to: deny
> > \.\{[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12}\}$
> >
>- --
>Julian Field
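
Added example (not part of the original messages, and not MailScanner's own code): the two patterns quoted in the thread run over constructed filenames, assuming the rule is applied as an unanchored regex search, which is what Python's `re.search` does. It shows which names each pattern flags: a braced string anywhere in the name versus a well-formed CLSID only as the final extension.

```python
import re

# Patterns copied from the thread; all filenames below are constructed samples.
SHIPPED = re.compile(r"\{[a-hA-H0-9-]{25,}\}")
STRICT = re.compile(
    r"\.\{[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12}\}$"
)

# Excel CLSID quoted in the thread.
CLSID = "{00020812-0000-0000-C000-000000000046}"

SAMPLES = [
    "report.xls." + CLSID,             # CLSID as the final extension
    "report." + CLSID + ".txt",        # CLSID in the middle of the name
    "notes " + CLSID + " copy.doc",    # CLSID in the middle, no leading dot
    "report" + CLSID,                  # CLSID at the end, no leading dot
    "backup-{" + "h" * 25 + "}.zip",   # 25 non-hex 'h' characters in braces
    "invoice-2006-03-02.pdf",          # ordinary name, no braces
]


def classify(name):
    """Return (shipped_hit, strict_hit) for one filename."""
    return (bool(SHIPPED.search(name)), bool(STRICT.search(name)))


def compare(names=SAMPLES):
    """Map each filename to the verdict of both patterns."""
    return {name: classify(name) for name in names}


if __name__ == "__main__":
    for name, (shipped, strict) in compare().items():
        print(f"{name!r:58} shipped={shipped!s:5} strict={strict}")
```

With no `$` in the shipped pattern, it flags the braced string wherever it occurs, including the non-hex `h` run; the anchored pattern flags only the first sample.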



