I was looking for a way to write my own detection mechanisms. I know I can
detect binary files by creating signatures with sigtool, but this JavaScript
can change like one character and the signature would be off.
I'm thinking something more generic, like all JavaScript in attachments
should be deemed phishing, would be better at this.
-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
newcomer01 via clamav-users
Sent: Friday, August 4, 2023 2:34 PM
To: Scott via clamav-users <clamav-users@lists.clamav.net>
Cc: newcomer01 <newcomer01@posteo.de>
Subject: Re: [clamav-users] Catching javascript in html attachment
You can make exception rules to exclude mails from phishing / spam checks,
but this maybe isn't what you need.
Normally ClamAV should flag such content as "possible phishing" or "possible
spam" ... if not, please report it
https://www.clamav.net/reports/malware

From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
To: Newcomer01 <mailto:newcomer01@posteo.de>
CC: Scott <mailto:qmail@top-consulting.net>
Sent: Friday, August 04, 2023 at 08:03 PM +0200
Subject: [clamav-users] Catching javascript in html attachment
>
> I am dealing with these pesky phishing attempts that come as attached html
> files and contain escaped/obfuscated javascript.
>
> File is attached like this:
>
> Content-Type: text/html; name="NEW ORDER JULY 2023.html"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="NEW ORDER JULY 2023.html"
>
> And contents are like
>
> <script>
> document.write(unescape('%3C%21doctype%20html%3E%0A%3Chtml%20dir%3D%22ltr%22%20lang%3D%22%23%22%3E
>
> any way to flag all javascript from attached html files ?
>
> _______________________________________________
>
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
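
Added example, not part of the thread and not a ClamAV feature: a generic check of the kind asked about above, written as a Python pre-filter that decodes each attached HTML part and flags script content by structure rather than by exact bytes, so a one-character change in the payload does not evade it. The function names, the check names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristics for active content in an HTML attachment (illustrative, not exhaustive).
CHECKS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "js-uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "event-handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
    "unescape-write": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
}

def scan_html_attachments(raw: bytes):
    """Return [(filename, [check names])] for attached HTML parts that carry script."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".html", ".htm")))
        if not (is_html and part.get_content_disposition() == "attachment"):
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        text = body.decode(part.get_content_charset() or "utf-8", errors="replace")
        hits = [check for check, rx in CHECKS.items() if rx.search(text)]
        if hits:
            findings.append((name, hits))
    return findings

def build_sample() -> bytes:
    """Constructed message mirroring the attachment headers quoted in the thread."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    html = "<script>\ndocument.write(unescape('%3Cp%3Eplaceholder%3C%2Fp%3E'))\n</script>"
    m.add_attachment(html.encode(), maintype="text", subtype="html",
                     filename="NEW ORDER JULY 2023.html")
    m.add_attachment(b"<html><body><p>static report</p></body></html>",
                     maintype="text", subtype="html", filename="report.html")
    return m.as_bytes()

if __name__ == "__main__":
    for fname, hits in scan_html_attachments(build_sample()):
        print(fname, hits)
```

Only parts with `Content-Disposition: attachment` are examined, so ordinary HTML mail bodies are not flagged; legitimate HTML attachments that contain script will be, which is the trade-off of a rule this broad.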