[clamav-users] False positive for sure

Gene Heskett gheskett at wdtv.com
Wed Sep 3 15:47:33 UTC 2014


On Wednesday 03 September 2014 10:44:21 Douglas Goddard did opine
And Gene did reply:
> We're working on some signatures for our users who run ClamAV on their
> mail servers. We'll be tweaking them over the next few weeks to
> minimize false positives, but with loose signatures like this, it is
> difficult to eliminate them completely.
> 
> If you're not concerned about double extension files in zips, or
> suspicious file names (eg. INVOICE_01.exe) then it would be best that
> you white list any signatures that cause you problems. In the
> meantime, we appreciate the feedback as these signatures will need
> some modification.
> 
> Thank you,
> Douglas

I found the crontab entry, and changed the PUA containing line in the 
clamd.conf it referenced, from 'false' to 'No'. No clue what the diff 
might be, but the log of a restart says it's not now loading the PUA 
signatures.

So far, every false detection it has reported has been PUA related.  The 
file was both old, and unused, so I have been nuking them as they arise.

I also run incoming mail past clamd.  But it doesn't send me an email when 
it sends something to /var/spool/virii.  And freshclam has sent root about 
1.2 megs of mail it should only send on error, plus nsd is sending mail to 
itself because an alias that would fwd hostmaster to me doesn't exist.
 
I'll see if those are fixable.

> On Wed, Sep 3, 2014 at 8:02 AM, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
> > On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote:
> > >> "--detect-pua" switch for clamscan or disable it in the
> > >> clamd.conf file.
> > > 
> > > Which one? I have 3 of them.  This is an old Ubuntu 10.04 LTS
> > > install. Also it's reported as version 98.1.
> > 
> > If you are using clamscan then I guess you've got a script somewhere,
> > calling clamscan, you need to add: --detect-pua=no
> > 
> > If it's clamdscan you are using then edit the clamd.conf file... and
> > restart clamd...
> > 
> > # Detect Possibly Unwanted Applications.
> > # Default: no
> > DetectPUA No
> > 
> > Cheers,
> > 
> > Steve
> > Sanesecurity.com
> > 
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > 
> > http://www.clamav.net/contact.html#ml
> 


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
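
When a host carries several clamd.conf files, as in the "Which one? I have 3 of them" exchange above, it helps to see the effective DetectPUA value in each one before restarting clamd. The shell helper below is an added example, not code from any poster in this thread or from the ClamAV project; the accepted boolean spellings, the last-occurrence-wins handling, and the function names are assumptions, and the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: report the effective DetectPUA value per clamd.conf file.

# Print "yes", "no" or "invalid:<value>" for one config file.
# An absent or commented-out directive falls back to the default shown
# in the sample config quoted in the thread ("Default: no").
detect_pua_setting() {
    awk '
        BEGIN { val = "no" }
        /^[ \t]*#/ { next }                  # skip comment lines
        $1 == "DetectPUA" {
            v = tolower($2)
            # Assumption: yes/true/1 enable, no/false/0 disable,
            # and the last uncommented occurrence wins.
            if (v == "yes" || v == "true" || v == "1") val = "yes"
            else if (v == "no" || v == "false" || v == "0") val = "no"
            else val = "invalid:" $2
        }
        END { print val }
    ' "$1"
}

# Print one "<path>: DetectPUA=<value>" line per file given.
audit_pua() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: unreadable"
            continue
        fi
        echo "$f: DetectPUA=$(detect_pua_setting "$f")"
    done
}

# When run as a script, audit the config paths given as arguments.
if [ "$#" -gt 0 ]; then
    audit_pua "$@"
fi
```

Any file reported as `DetectPUA=yes` is a candidate for the config that the scanning clamd instance actually loads; confirm against the restart log, as Gene did.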


