I believe 3MB is above the default scan size for SA, so likely it won't even
look at the file.
Loren
----- Original Message -----
From: Rupert Gallagher
To: [email protected]
Sent: Tuesday, February 07, 2023 2:26 AM
Subject: Re: New rule wanted
Note: Both client and server are not Windows. The attached file type is a
generic "data" on unix. On a Windows client the file runs as executable. A SA
rule should merely detect that the file type is a generic "data" file.
-------- Original Message --------
On Feb 7, 2023, 11:15, Rupert Gallagher < [email protected]> wrote:
I received a spam with score -1. Well written, looks legit commercial,
asking for a quotation, with details in the attachment, a 3MB file with unknown
extension ".one".
The file turns out to be a Windows Trojan:
https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
Both SA and ClamAV passed it as legit.
We should have a SA rule that says: "attached file with unknown data type".
