[Community-sigs] VBS signature submission
Micah Snyder (micasnyd)
micasnyd at cisco.com
Tue May 23 20:40:21 UTC 2023
PUA signatures have a separate filename extension for the database file. PUA database extensions end with u instead of b. For logical sigs, use .ldu instead of .ldb.
For more information, see https://docs.clamav.net/manual/Signatures.html#signature-databases
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: Community-sigs <community-sigs-bounces at lists.clamav.net> on behalf of Arnaud Jacques <webmaster at securiteinfo.com>
Sent: Tuesday, May 23, 2023 9:36 AM
To: ClamAV Community Signatures Submission List <community-sigs at lists.clamav.net>; LANEL, JEAN BAPTISTE <jeanbaptiste.lanel at worldline.com>
Subject: Re: [Community-sigs] VBS signature submission
Hello Jean-Baptiste,
> I just created a signature for detecting small vbs in an email:
>
> PUA.Win.malware.vbs.mail:CL_TYPE_MAIL:1000-10485760:^.*\.vbs$:100-1000:100-1000:0:0:*:
>
> I tagged it as PUA but for some reason it detects even if I pass --detect-pua=no to clamscan, if someone can help?
As far as I know, the --detect-pua switch only applies to official
signatures from ClamAV.
--
Cordialement / Best regards,
Arnaud Jacques
Gérant de SecuriteInfo.com
Téléphone : +33-(0)3.60.47.09.81
E-mail : aj at securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006
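
Added example (not part of the thread and not ClamAV project code): a small lint that applies the database-extension rule from the first reply, flagging signatures whose name starts with "PUA." but which sit in a regular database file. It assumes the "PUA." name prefix marks a PUA signature and handles only formats whose first field is the signature name; the file names and the .ldb/.ldu entries are constructed.

```python
import os

# Field separator for database formats whose first field is the signature name.
NAME_FIRST_SEP = {".ldb": ";", ".ndb": ":", ".cdb": ":"}
# .ldb -> .ldu is the rename given in the reply above; .ndb -> .ndu is from the
# ClamAV signature docs. Other formats are flagged without a suggestion.
PUA_EXT = {".ldb": ".ldu", ".ndb": ".ndu"}


def lint_database(filename, text):
    """Return (line_no, signature_name, suggested_ext) for each PUA-named
    signature stored in a database file that is not a PUA database."""
    ext = os.path.splitext(filename)[1].lower()
    sep = NAME_FIRST_SEP.get(ext)
    if sep is None:  # already a PUA database (.ldu, ...) or a format not handled here
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name = line.split(sep, 1)[0]
        if name.upper().startswith("PUA."):
            findings.append((line_no, name, PUA_EXT.get(ext)))
    return findings


# Constructed sample input: file names and the .ldb/.ldu entries are made up;
# the .cdb entry is the signature quoted in the thread.
SAMPLE = {
    "local.ldb": "Test.Example.A;Target:0;0;41424344\n"
                 "PUA.Test.Example.B;Target:0;0;45464748\n",
    "local.cdb": "PUA.Win.malware.vbs.mail:CL_TYPE_MAIL:1000-10485760:"
                 "^.*\\.vbs$:100-1000:100-1000:0:0:*:\n",
    "local.ldu": "PUA.Test.Example.C;Target:0;0;494a4b4c\n",
}


def lint_all(databases):
    """Lint every (filename -> contents) pair and return findings per file."""
    return {name: lint_database(name, body) for name, body in databases.items()}


if __name__ == "__main__":
    for db, hits in lint_all(SAMPLE).items():
        for line_no, sig, ext in hits:
            hint = f"move to a {ext} file" if ext else "no PUA extension known to this script"
            print(f"{db}:{line_no}: {sig} is PUA-named in a non-PUA database ({hint})")
```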