diff --git a/NEWS b/NEWS
index 3c77ead2d2..65533fcbcf 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,13 @@ Changed Functionality
 would reproduce the same fuid, even if the command itself did not result in a file transfer over a data connection (e.g., CWD, DEL, PASV, SIZE).
+- The ISO 9660 file signature has been moved into the policy directory. The
+ signature has previously been non-functional due to implicit anchoring. Further,
+ this signature requires users to significantly increase their
+ ``default_file_bof_buffer_size``. Users can now enable this signature by loading
+ ``frameworks/signatures/iso-9660`` which also increases the BOF buffer sufficiently.
+ Note, doing so may increase memory and CPU usage significantly.
+
 Removed Functionality
 ---------------------
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index c9a3df1f60..a676f328bc 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -296,18 +296,3 @@ signature file-windows-minidump {
 file-mime "application/x-windows-minidump", 50
 file-magic /^MDMP/
 }
-
-# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
-# The following sector is a volume descriptor with magic string "CD001"
-# at offset 1: 16 * 2048 + 1 = 32769
-signature file-iso9660 {
-  file-mime "application/x-iso9660-image", 99
-  file-magic /^.{32769}CD001/
-}
-
-# ISO 9660 disk image, magic string match in next volume descriptor.
-# 17 * 2048 + 1 = 34817
-signature file-iso9660-2 {
-  file-mime "application/x-iso9660-image", 99
-  file-magic /^.{34817}CD001/
-}
diff --git a/scripts/policy/frameworks/signatures/iso-9660.sig b/scripts/policy/frameworks/signatures/iso-9660.sig
new file mode 100644
index 0000000000..b6389721da
--- /dev/null
+++ b/scripts/policy/frameworks/signatures/iso-9660.sig
@@ -0,0 +1,10 @@
+# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
+# The following sector is a volume descriptor with magic string "CD001"
+# at offset 1: 16 * 2048 + 1 = 32769.
+#
+# However, we do not use exact offset matching /^.{32769}CD001/ as this
+# results in major performance degradation.
+signature file-iso9660 {
+  file-mime "application/x-iso9660-image", 99
+  file-magic /.*CD001/
+}
diff --git a/scripts/policy/frameworks/signatures/iso-9660.zeek b/scripts/policy/frameworks/signatures/iso-9660.zeek
new file mode 100644
index 0000000000..248b4c81e7
--- /dev/null
+++ b/scripts/policy/frameworks/signatures/iso-9660.zeek
@@ -0,0 +1,8 @@
+##! Load signature for ISO 9660 disk image and increase
+##! default_file_bof_buffer_size to make it functional.
+@load-sigs ./iso-9660
+
+# CD001 string is in the 17th sector.
+@if ( default_file_bof_buffer_size < (16 + 1) * 2048 )
+redef default_file_bof_buffer_size = (16 + 1) * 2048;
+@endif
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index efa867c6bf..4e76a54171 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -72,6 +72,7 @@
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
 @load frameworks/packet-filter/shunt.zeek
+@load frameworks/signatures/iso-9660.zeek
 @load frameworks/software/version-changes.zeek
 @load frameworks/software/vulnerable.zeek
 # @load frameworks/spicy/record-spicy-batch.zeek
diff --git a/testing/btest/scripts/base/files/mime/iso-9660.zeek b/testing/btest/scripts/base/files/mime/iso-9660.zeek
index 2d047f0364..6010ca0089 100644
--- a/testing/btest/scripts/base/files/mime/iso-9660.zeek
+++ b/testing/btest/scripts/base/files/mime/iso-9660.zeek
@@ -7,6 +7,8 @@
 @load base/protocols/http
 @load base/frameworks/files
+@load frameworks/signatures/iso-9660
+
 redef default_file_bof_buffer_size = 40000;
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
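Review bot: The new `file-magic /.*CD001/` matches the identifier anywhere in the BOF buffer rather than at byte 32769 of the 17th sector, so any file that merely contains the five bytes `CD001` within the first `default_file_bof_buffer_size` bytes is classified as `application/x-iso9660-image` at confidence 99, which can displace a weaker but correct signature for the file's real type. The comment explains why the exact offset was dropped but not this consequence; I'd add `# NOTE: this also matches any file containing "CD001" within the BOF buffer; treat the MIME type as a hint, not proof of an ISO image.` ECMA-119 fixes the byte after the identifier (the descriptor version) to 0x01, so `/.*CD001\x01/` would tighten the match at no extra cost if the signature engine accepts that escape — worth confirming. The hunk also drops the former `file-iso9660-2` signature for the next volume descriptor; the unanchored pattern subsumes it, which deserves a line in the comment so nobody re-adds it.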
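Review bot: The `@if` guard compares `default_file_bof_buffer_size` at parse time, so a `redef` to a smaller value in a script loaded after this one (a site's local.zeek, for example) silently leaves the signature non-functional again with no warning. A comment on the guard should say so, e.g. `# Parse-time check: a later redef below (16 + 1) * 2048 silently disables the signature.`, and the `##!` header could carry the memory/CPU caveat that the NEWS entry gives, since every file the framework buffers would then hold up to 34816 bytes of BOF data. The `(16 + 1) * 2048` expression is duplicated on the two lines; a named `const` (e.g. `ISO9660_BOF_SIZE`) would keep the check and the assignment from drifting apart.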
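Review bot: The test keeps `redef default_file_bof_buffer_size = 40000;` after loading the policy script, so the script's own buffer increase is never what makes the detection work here and a regression in its `@if`/`redef` logic would go unnoticed. Drop the explicit redef (or split into a second test without it) so the baseline proves that loading `frameworks/signatures/iso-9660` alone is sufficient. Given the signature now matches `CD001` anywhere in the buffer, a negative case — a non-ISO file containing that string — would also pin down the false-positive behaviour the signature accepts.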