[sanesecurity] Foxhole JS

  • From: Peter <sanesecurity@xxxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Wed, 18 May 2016 13:11:25 +0100

I've just received a batch of TeslaCrypt zips in emails which weren't caught by the foxhole sigs... that confused me for a while!
They were the usual .js within a zip format.

Anyway, long story short...
I've had to increase the FileSizeInContainer range on my servers - these files were somehow around 180KB packed and foxhole only looks at up to 42KB (packed) files.
I didn't open the JS to see why they were so big.

As an example:
Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*
The 0-512000 was 0-43008 originally.

Hope that saves someone else from the same confusion it caused me!

--
Peter
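To make the size-range point concrete, here is an added example (not part of Peter's post and not ClamAV or Sanesecurity code) that parses a container-metadata (.cdb) signature line in the ten-field layout ClamAV documents (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2) and checks a constructed zip against it. The helper names (`parse_cdb_line`, `match_zip`, `build_sample_zip`, `demo`), the member name `invoice.js` and the 180 KB payload are assumptions chosen for illustration; the matching logic approximates ClamAV's semantics with Python's regex engine and zip reader rather than reproducing ClamAV's, so treat it as a tuning aid, not a scanner.

```python
"""Toy matcher for ClamAV .cdb (container metadata) signatures against a zip.

Field layout, as documented by ClamAV:
  VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
  FileSizeReal:IsEncrypted:FilePos:Res1:Res2
FileSizeInContainer is the member's compressed size, FileSizeReal the
uncompressed size; '*' means "don't care" and 'lo-hi' is an inclusive range.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Optional[Tuple[int, int]]   # None stands for a '*' field


def parse_range(field: str) -> Range:
    """'*' -> None, '0-43008' -> (0, 43008), '1234' -> (1234, 1234)."""
    if field == "*":
        return None
    if "-" in field:
        lo, hi = field.split("-", 1)
        return int(lo), int(hi)
    n = int(field)
    return n, n


def in_range(value: int, rng: Range) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


@dataclass
class CdbSig:
    name: str
    container_type: str
    container_size: Range
    filename_regex: "re.Pattern[str]"
    size_in_container: Range     # compressed size of the member
    size_real: Range             # uncompressed size of the member
    is_encrypted: Optional[int]  # 0 / 1, or None for '*'
    file_pos: Optional[int]      # 1-based position in the container, or None


def parse_cdb_line(line: str) -> CdbSig:
    fields = line.strip().split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 colon-separated fields, got {len(fields)}")
    name, ctype, csize, fregex, fsize_in, fsize_real, enc, pos, _res1, _res2 = fields
    return CdbSig(
        name=name,
        container_type=ctype,
        container_size=parse_range(csize),
        filename_regex=re.compile(fregex),
        size_in_container=parse_range(fsize_in),
        size_real=parse_range(fsize_real),
        is_encrypted=None if enc == "*" else int(enc),
        file_pos=None if pos == "*" else int(pos),
    )


def match_zip(sig: CdbSig, zip_bytes: bytes) -> List[str]:
    """Return names of zip members that satisfy every field of the signature."""
    if sig.container_type != "CL_TYPE_ZIP":
        return []
    if not in_range(len(zip_bytes), sig.container_size):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pos, info in enumerate(zf.infolist(), start=1):
            encrypted = int(bool(info.flag_bits & 0x1))  # bit 0: PKZIP encryption
            if (
                sig.filename_regex.search(info.filename)
                and in_range(info.compress_size, sig.size_in_container)
                and in_range(info.file_size, sig.size_real)
                and (sig.is_encrypted is None or sig.is_encrypted == encrypted)
                and (sig.file_pos is None or sig.file_pos == pos)
            ):
                hits.append(info.filename)
    return hits


def build_sample_zip(member_name: str, size: int) -> bytes:
    """Constructed test input: one STORED member, so compressed size == size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"x" * size)
    return buf.getvalue()


# The signature from the post: the original 0-43008 range and the widened one.
ORIGINAL_SIG = r"Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-43008:*:0:1:*:*"
WIDENED_SIG = r"Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*"


def demo() -> dict:
    """Check a constructed 180 KB .js-in-zip against both signature variants."""
    sample = build_sample_zip("invoice.js", 180 * 1024)   # constructed, ~184 KB packed
    return {
        "original": match_zip(parse_cdb_line(ORIGINAL_SIG), sample),
        "widened": match_zip(parse_cdb_line(WIDENED_SIG), sample),
    }


if __name__ == "__main__":
    for variant, hits in demo().items():
        print(f"{variant:9s} -> {'MATCH ' + ','.join(hits) if hits else 'no match'}")
```

Running it shows the original range silently missing a 184 KB packed member while the widened range catches it. The range is a tuning knob with a cost on the other side: a wider FileSizeInContainer also pulls in larger legitimate scripts shipped inside zips, so it is worth checking the distribution of .js member sizes in your own mail flow before settling on a ceiling.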
