#include <kionez.h> // created 06/07/2017 14:53 Many thanks demonduck!!
[cut]
> I'll try to convert my rule into LDB!

After some RTFM I finally understand the LDB format, so I created my first two rules to detect malware-obfuscated scripts in wsf\hta files.

The attachment is a zip\rar archive, which contains a directory and a script with the same name, i.e.:

SH6352633.rar --> SH6352633/SH6352633.hta
LG7569035.zip --> LG7569035/LG7569035.wsf

So, using the "file magic" 0:504B for ZIP and 0:5261 for RAR (taken from https://en.wikipedia.org/wiki/List_of_file_signatures ) I could write two rules:

ACD.BadFilenameLDB.01;Engine:81-255,Target:0;0&1;0:504B;2,200:0/(?P<name>[A-Z0-9_\-\.]{8,12})(/|\\)(?P=name)\.(wsf|hta)/e
ACD.BadFilenameLDB.02;Engine:81-255,Target:0;0&1;0:5261;2,200:0/(?P<name>[A-Z0-9_\-\.]{8,12})(/|\\)(?P=name)\.(wsf|hta)/e

I do not think it can generate too many false positives, for now it's in testing :)

k.
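To see what the two rules above actually fire on, here is an added Python emulation of their logic (example code, not part of the original post or of ClamAV): subsig 0 is the magic at offset 0, subsig 1 is the PCRE from the post searched in the 2,200 window, and the `e` (encompass) flag is taken to mean the whole match must lie inside that window. The ZIP/RAR samples are constructed, not real attachments.

```python
import re

# Subsig 1 of both rules, copied from the post; ClamAV's PCRE syntax for
# named groups and backreferences is the same as Python's re module.
NAME_RE = re.compile(rb"(?P<name>[A-Z0-9_\-\.]{8,12})(/|\\)(?P=name)\.(wsf|hta)")

# Subsig 0: file magic at absolute offset 0 (0:504B = "PK", 0:5261 = "Ra").
RULES = {
    "ACD.BadFilenameLDB.01": b"PK",
    "ACD.BadFilenameLDB.02": b"Ra",
}

def scan(data: bytes, offset: int = 2, shift: int = 200) -> list:
    """Return the names of rules whose logical expression 0&1 holds.

    Offset 2,200 with flag e is emulated as: the whole PCRE match must
    sit inside data[2:202] (assumption about ClamAV's encompass semantics).
    """
    window = data[offset:offset + shift]
    hits = []
    for rule, magic in RULES.items():
        if data.startswith(magic) and NAME_RE.search(window):
            hits.append(rule)
    return hits

def zip_local_header(filename: bytes) -> bytes:
    """Minimal ZIP local file header: 'PK\\x03\\x04', 22 bytes of fixed
    fields, name length, extra length, then the stored filename.
    The filename is stored in clear text, which is why a PCRE on the
    raw archive bytes can see the nested path at all."""
    return (b"PK\x03\x04" + b"\x00" * 22
            + len(filename).to_bytes(2, "little") + b"\x00\x00" + filename)

# Constructed samples mirroring the post's SH6352633.rar / LG7569035.zip layout.
ZIP_BAD = zip_local_header(b"LG7569035/LG7569035.wsf")
ZIP_OK = zip_local_header(b"LG7569035/readme.txt")
RAR_BAD = b"Rar!\x1a\x07\x00" + b"\x00" * 16 + b"SH6352633\\SH6352633.hta"
# Same path but no archive magic: subsig 0 fails, so 0&1 is false.
TEXT_ONLY = b"SH6352633/SH6352633.hta"

if __name__ == "__main__":
    for label, sample in [("ZIP_BAD", ZIP_BAD), ("ZIP_OK", ZIP_OK),
                          ("RAR_BAD", RAR_BAD), ("TEXT_ONLY", TEXT_ONLY)]:
        print(label, scan(sample))
```

Any legitimate archive whose first member is a directory and a `.wsf`/`.hta` of the same name also hits, so testing against a clean corpus before deployment is worth doing.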