#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny, then regular expression, then log text, then user
# report text. Rules are matched against the attachment filename only (never
# its contents) and are listed in evaluation order; the "all other" wording of
# the final rule implies the first matching rule wins, so ordering matters.
#

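# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
# (Log/user text below is Czech: "filename too long, probably OE attack" /
# "a very long filename may indicate an attack on Microsoft mail clients".)
deny	.{150,}			Prilis dlouhy nazev souboru, pravdepodobne OE attack						Velmi dlouhy nazev souboru muze signalizovat utok proti postovnim klientum Microsoft

# These are known to be mostly harmless.
# NOTE: these allow rules match on the final extension only and sit before
# the double-extension deny at the bottom of this file, so a name such as
# "foo.exe.jpg" is accepted here and never reaches that rule. Nothing in this
# file looks at the content; the extension is attacker-chosen, untrusted data.
# NOTE(review): it is not visible here whether the consumer compiles these
# patterns case-insensitively -- confirm. If it does not, "VIRUS.EXE" bypasses
# the .exe deny below and "\.Z$" does not cover ".z".
allow	\.jpg$			-	-
allow	\.gif$			-	-
# .url is arguably dangerous (an Internet shortcut can point at any target),
# but I can't just ban it...
allow	\.url$			-	-
allow	\.vcf$			-	-
allow	\.txt$			-	-
# Archives are allowed by name only; their contents are not examined by
# these rules, so any inspection of archive members must happen elsewhere.
allow	\.zip$			-	-
allow	\.t?gz$			-	-
allow	\.bz2$			-	-
allow	\.Z$			-	-
allow	\.rpm$			-	-
# PGP and GPG
allow	\.gpg$			-	-
allow	\.pgp$			-	-
allow	\.sit$			-	-
allow	\.asc$			-	-
# Macintosh archives
allow	\.hqx$			-	-
# The dot between "sit" and "bin" is escaped so only a literal ".sit.bin" is
# allowed; the unescaped form also accepted e.g. "sitXbin".
allow	\.sit\.bin$		-	-
allow	\.sea$			-	-

# These 2 are well known viruses. Both end in .exe and would be denied by the
# generic .exe rule further down anyway; these entries only give a specific
# message.
deny	pretty\s+park\.exe$	"Pretty Park" virus								"Pretty Park" virus
# The dot before "exe" is escaped; the unescaped form matched any character.
deny	happy99\.exe$		"Happy" virus									"Happy" virus
# Czech text: "WinEvar virus attachment" / "often used by the WinEvar virus".
deny	\.ceo$		Priloha viru WinEvar							Casto pouzivana virem WinEvar

# These are known to be dangerous in almost all cases.
# Czech text: "probable attack on the Windows registry" / "Windows registry
# entries are a very dangerous part of a message".
deny	\.reg$		Pravdepodobne utok na Windows registry						Zaznamy Windows registru jsou velmi nebezpecnou soucasti dopisu
# Czech text: "probable virus based on compiled help files" / "compiled help
# files are a very dangerous part of a message".
deny	\.chm$		Pravdepodobne virus na bazi kompilovanych souboru napovedy						Kompilovane soubory napovedy jsou velmi nebezpecnou soucasti dopisu
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info
# (an old reference; the link may no longer resolve).
deny	\.cnf$		Possible SpeedDial attack							SpeedDials are very dangerous in email
deny	\.hta$		Possible Microsoft HTML archive attack						HTML archives are very dangerous in email
deny	\.ins$		Possible Microsoft Internet Comm. Settings attack				Windows Internet Settings are dangerous in email
deny	\.jse?$		Possible Microsoft JScript attack						JScript Scripts are dangerous in email
deny	\.lnk$		Possible Eudora *.lnk security hole attack					Eudora *.lnk security hole attack
deny	\.ma[dfgmqrstvw]$	Possible Microsoft Access Shortcut attack				Microsoft Access Shortcuts are dangerous in email
deny	\.pif$		Possible MS-Dos program shortcut attack						Shortcuts to MS-Dos programs are very dangerous in email
deny	\.scf$		Possible Windows Explorer Command attack					Windows Explorer Commands are dangerous in email
deny	\.sct$		Possible Microsoft Windows Script Component attack				Windows Script Components are dangerous in email
deny	\.shb$		Possible document shortcut attack						Shortcuts Into Documents are very dangerous in email
deny	\.shs$		Possible Shell Scrap Object attack						Shell Scrap Objects are very dangerous in email
deny	\.vb[es]$	Possible Microsoft Visual Basic script attack					Visual Basic Scripts are dangerous in email
deny	\.ws[cfh]$	Possible Microsoft Windows Script Host attack					Windows Script Host files are dangerous in email
deny	\.xnk$		Possible Microsoft Exchange Shortcut attack					Microsoft Exchange Shortcuts are dangerous in email

# These 2 added by popular demand - Very often used by viruses
deny	\.com$		Windows/DOS Executable								Executable DOS/Windows programs are dangerous in email
deny	\.exe$		Windows/DOS Executable								Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
deny	\.scr$		Possible virus hidden in a screensaver						Windows Screensavers are often used to hide viruses
deny	\.bat$		Possible malicious batch file script						Batch files are often malicious
deny	\.cmd$		Possible malicious batch file script						Batch files are often malicious
deny	\.cpl$		Possible malicious control panel item						Control panel items are often used to hide viruses
deny	\.mhtml$	Possible Eudora meta-refresh attack						MHTML files can be used in an attack against Eudora

# Not covered by any rule in this file: other directly executable or
# installer types such as .msi, .msp, .ps1, .jar, .dll and .msc. They fall
# through to the generic rules below and are delivered unless another filter
# catches them. Suggested rule, to be enabled only after checking what
# legitimate mail on this site carries:
# deny	\.(msi|msp|ps1|jar|dll|msc)$	Possible executable attachment		Executable attachments are dangerous in email

# Deny filenames ending with CLSID's. A CLSID is a hex GUID in braces; the
# character class here ([a-h]) is slightly wider than hex, which only makes
# this deny rule match a little more, never less.
deny	\{[a-hA-H0-9-]{25,}\}$	Filename trying to hide its real extension				Files ending in CLSID's are trying to hide their real extension

# Deny filenames with lots of contiguous white space in them.
deny	\s{10,}		Filename contains lots of white space						A long gap in a name is often used to hide part of it

# Allow repeated file extension, e.g. blah.zip.zip. Placed before the
# double-extension deny so it takes precedence; extensions already denied
# above (e.g. .exe.exe) were rejected before reaching this rule.
allow	(\.[a-z0-9]{3})\1$	-	-

# Deny all other double file extensions. This catches any hidden filenames.
# Limits: the final extension must be exactly 3 characters and the one before
# it 3-4, so names like "foo.exe.html" or "foo.vbs.docx" are not caught, and
# any final extension allowed at the top of this file never reaches this rule.
deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding				Attempt to hide real filename extension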

