Quarantine some "Regular expression match", not all

3 posts Page 1 of 1
Miron
Junior Member
Posts: 9
Joined: 08 Nov 2007, 14:16


Hello,

I have a situation where I need to quarantine several "Regular expression match" files, but if I enable "(m) regex pattern match", cxs will quarantine all "Regular expression match" files, and that is not an acceptable option because there are over a few thousand false-positive detections.

I can add the md5sum to cxs.xtra, but a hacker can easily change (and that happens very often) one or a few characters in the file, and then the md5sum does not match anymore, while the files are still easily detectable via regex. So in situations like this, an option to define a regex that will exclusively quarantine files would be very, very useful.

As I said before, I can enable the option to quarantine files based on regex, but this will quarantine over a few thousand other regular files, and that's not acceptable.

So, one additional cxs.regex file that will exclusively quarantine files is what I see as the only way around this issue, or maybe the same cxs.xtra file but with regex strings using a different prefix (eregall, eregphp).


Regards,
Miron J.
Miron
Junior Member
Posts: 9
Joined: 08 Nov 2007, 14:16


Hello,

Thank you for this option in the new version:
regall:quaratine:/etc/passwd

Can we use this with other types in the cxs.xtra file?

regphp:quaratine:/etc/passwd
file:quaratine:/etc/passwd
ForumAdmin
Moderator
Posts: 1432
Joined: 01 Oct 2008, 09:24


It is only applicable to regex string matches, i.e. regall, regphp and regperl.