[Community-sigs] VBS signature submission
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed May 24 16:58:58 UTC 2023
It's strange, but there is no PUA equivalent for CDB signatures. I don't know why not.
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: LANEL, JEAN BAPTISTE <jeanbaptiste.lanel at worldline.com>
Sent: Wednesday, May 24, 2023 1:21 AM
To: Micah Snyder (micasnyd) <micasnyd at cisco.com>; ClamAV Community Signatures Submission List <community-sigs at lists.clamav.net>
Subject: RE: [Community-sigs] VBS signature submission
Hello,
It doesn't seem to work with the container metadata signatures:
LibClamAV Warning: cli_load: unknown extension - skipping jb.cdu
Regards,
From: Micah Snyder (micasnyd) <micasnyd at cisco.com>
Sent: Tuesday, May 23, 2023 10:40 PM
To: ClamAV Community Signatures Submission List <community-sigs at lists.clamav.net>; LANEL, JEAN BAPTISTE <jeanbaptiste.lanel at worldline.com>
Subject: Re: [Community-sigs] VBS signature submission
PUA signatures have a separate filename extension for the database file. PUA database extensions end with u instead of b. For logical sigs, use .ldu instead of .ldb.
For more information, see https://docs.clamav.net/manual/Signatures.html#signature-databases
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: Community-sigs <community-sigs-bounces at lists.clamav.net> on behalf of Arnaud Jacques <webmaster at securiteinfo.com>
Sent: Tuesday, May 23, 2023 9:36 AM
To: ClamAV Community Signatures Submission List <community-sigs at lists.clamav.net>; LANEL, JEAN BAPTISTE <jeanbaptiste.lanel at worldline.com>
Subject: Re: [Community-sigs] VBS signature submission
Hello Jean-Baptiste,
> I just created a signature for detecting small vbs in an email :
>
> PUA.Win.malware.vbs.mail:CL_TYPE_MAIL:1000-10485760:^.*\.vbs$:100-1000:100-1000:0:0:*:
>
> I tagged it as PUA, but for some reason it detects even if I pass --detect-pua=no to clamscan. Can someone help?
As far as I know, the --detect-pua switch only applies to official
signatures from ClamAV.
--
Best regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Phone: +33-(0)3.60.47.09.81
E-mail: aj at securiteinfo.com
Website: https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006