Kill Suspicious Extensions (Kye's filter)

[Guest]

Hello,

I am using Kye U's following header filter

In = FALSE
Out = TRUE
Key = "URL-Killer: Kill Suspicious Extensions (Allow vbs) [Kye-U] (Out)"
URL = "(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?)$CONFIRM(Suspicious file extension found\n\n\u\n\nBLOCK the url ?\n)"
Replace = "$ALERT(URL \u Blocked)$LOG("\u killed")\k\u"


But when I access the following link http://www.webroot.com/download/trial/ww...vcode=DT01 the filter does not block it. Any reason why it is not blocking the url. Thi particular url is harmless, but I want to block other harmful .exe

Thanks

[Kye-U]

Ah, it uses the Content-Disposition header to point to the correct file to download.

Please import these two updated filters:

Code:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "!-URL-Killer: Catch Suspicious Extensions [ku] (Out)"
URL = "(^$LST(KBSP))(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(^?)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"
Replace = "\k"

In = TRUE
Out = FALSE
Key = "Content-Disposition: Catch Suspicious Extensions [ku] (In)"
URL = "(^$LST(KBSP))"
Match = "(*filename=$AV(\1.((hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))\2)))$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the file below?\n\n\1.\2\n\nHost:\n\h\n\nPath:\n\p\n)"
Replace = "\k"

Let me know how it goes!

If you want a "Connection killed" alert window to pop up if you've clicked on Yes, to kill the connection, add $ALERT(Connection killed.) to the Replacement text of both of the above filters.