Allow creation of blacklist overrides by filename or extension instead of just MD5

  • 16 August 2019
  • 1 reply

For those of us proactive admins who stay up on current news, we may wish to blacklist a specific filename, or extension, before we have the hash of the file (meaning we already have the file, so it may be too late...).

Example, 3 days ago:
"Clicking the link in that email downloads a file named KB3085604 (dot) exe — obviously named to resemble Microsoft patch files and security updates. Detection of this file by the anti-malware engines represented on VirusTotal is poor, with only nine flagging it at the time of this writing."

I sure would love to block that file, but I don't HAVE that file, so can't get the MD5, and so... can't blacklist it in Webroot.

Or some ransomware that likes to use cutesy, specific file extensions. If we blacklisted their extensions, that should stop the initial encryption attempt cold, even if WR doesn't have it in their library yet...

1 reply

Sounds like a reasonable request; I second this. Also, don't forget to vote on your own idea; the system doesn't do it for you.