[Community-sigs] VBS signature submission
LANEL, JEAN BAPTISTE
jeanbaptiste.lanel at worldline.com
Mon May 22 14:52:45 UTC 2023
Hello,
I just created a signature for detecting small vbs in an email:
PUA.Win.malware.vbs.mail:CL_TYPE_MAIL:1000-10485760:^.*\.vbs$:100-1000:100-1000:0:0:*:
I tagged it as PUA, but for some reason it detects even if I pass --detect-pua=no to clamscan. Can someone help?
Btw, I'm trying to get more samples of the attack I noticed in order to have a more specific signature, but in any case I think receiving a vbs by email is not safe.
Regards,
Jean-Baptiste Lanel
Anti-Abuse
eTTEP - WLM&D
Tel +33 (0)3 20 60 92 46
Mob +33 (0)6 71 66 21 57
ZI rue de la Pointe
59113 Seclin - France
worldline.com<https://worldline.com/>
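
Added example, not part of the original post and not ClamAV code: a simplified Python model that splits the posted line into the fields of ClamAV's container metadata (.cdb) signature format and checks them against constructed attachment metadata. The field order follows the documented format; the matching logic, the helper names and the sample values (including a file position of 0) are assumptions made for illustration.

```python
import re

# Field order of a ClamAV container metadata (.cdb) signature; the optional
# trailing MinFL/MaxFL fields are not used by the signature in this post.
FIELDS = ("name", "container_type", "container_size", "filename_regex",
          "size_in_container", "size_real", "is_encrypted", "file_pos",
          "res1", "res2")

# The signature exactly as posted.
SIG = r"PUA.Win.malware.vbs.mail:CL_TYPE_MAIL:1000-10485760:^.*\.vbs$:100-1000:100-1000:0:0:*:"


def parse_cdb(line):
    """Split a .cdb line on ':' and name the first ten fields."""
    parts = line.strip().split(":")
    if len(parts) < len(FIELDS):
        raise ValueError("expected at least %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))


def in_range(spec, value):
    """'*' matches anything, 'n' an exact number, 'a-b' an inclusive range."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= value <= int(high or low)


def matches(sig, meta):
    """Simplified model of the match (assumption); not ClamAV's implementation."""
    return (sig["container_type"] in ("*", meta["container_type"])
            and in_range(sig["container_size"], meta["container_size"])
            and re.search(sig["filename_regex"], meta["filename"]) is not None
            and in_range(sig["size_in_container"], meta["size_in_container"])
            and in_range(sig["size_real"], meta["size_real"])
            and in_range(sig["is_encrypted"], meta["is_encrypted"])
            and in_range(sig["file_pos"], meta["file_pos"]))


def sample(filename, size):
    """Constructed attachment metadata (hypothetical values, not a real mail)."""
    return {"container_type": "CL_TYPE_MAIL", "container_size": 20000,
            "filename": filename, "size_in_container": size, "size_real": size,
            "is_encrypted": 0, "file_pos": 0}


if __name__ == "__main__":
    sig = parse_cdb(SIG)
    for name, size in [("invoice.vbs", 512), ("invoice.vbs", 1500), ("notes.vbs.txt", 512)]:
        print(name, size, matches(sig, sample(name, size)))
```

In this model a .vbs attachment only matches when both size fields fall between 100 and 1000 bytes, so a 1500-byte script with the same name is not flagged.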