[clamav-users] clamscan and PUA

Douglas Goddard dgoddard at sourcefire.com
Thu Sep 4 15:43:34 UTC 2014


That is a zip signature looking for double extension files. So, it is
interesting that it is alerting on a .txt file, unless that is a zip file
in disguise.

You can whitelist the signature by adding a whitelist.ign file to your
ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
In that file put the signature names that you do not want alerting, one per
line.

This signature and the others published in their set look for common double
extension tricks like your_document-pdf.exe.

If that is truly a text file, or you would like to have me take a look at it
to see if the signature should be modified, please submit it as an FP via
http://www.clamav.net/fp.

Thanks,
Doug


On Thu, Sep 4, 2014 at 11:23 AM, Mark Price <mprice at tqhosting.com> wrote:

> In the past day we have had clamscan on several servers detect infected
> files due to:  PUA.Windows.DoubleExtension-zippwd-3
>
> I've read the clamscan manpage but have not had any luck with getting the
> "--detect-pua" option to work.  Example:
>
> # clamscan --detect-pua=no ./sample-msg1.txt
> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 3515268
> Engine version: 0.98
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.05 MB (ratio 0.00:1)
> Time: 9.402 sec (0 m 9 s)
>
>
> In this case, is the infected file being detected by a PUA that I should be
> able to disable with a command line option?  Or is "PUA" simply part of the
> virus signature name?
>
>
> Thanks,
>
> Mark
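As an added illustration (not ClamAV's own code or the real signature logic), a small Python approximation of the two points in the thread: the double-extension check that signature family applies to zip member names, and the effect of listing a signature name in whitelist.ign. The regex, the .ign parsing rules, the sample archive and the function names are my assumptions.

```python
import io
import re
import zipfile

# Signature name quoted in the thread; used here only as a label.
SIG = "PUA.Windows.DoubleExtension-zippwd-3"

# Hypothetical approximation of the double-extension trick: a document-like
# "extension" glued to an executable one, as in your_document-pdf.exe.
DOUBLE_EXT = re.compile(
    r"[._\- ](pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(exe|scr|pif|com|bat|cmd|js|vbs)$",
    re.IGNORECASE,
)

def load_ign(text):
    """Parse whitelist.ign-style text: one signature name per line.
    Blank lines and '#' comments are skipped (my assumption, not ClamAV's parser)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names

def suspicious_members(data):
    """Return member names carrying a double extension if `data` is a zip.
    Non-zip input (a genuine .txt file) yields nothing, whatever its name."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    with zipfile.ZipFile(buf) as zf:
        return [n for n in zf.namelist() if DOUBLE_EXT.search(n)]

def scan(path, data, ign):
    """Mimic a clamscan verdict: one (path, member, SIG) hit per suspicious
    member, or nothing at all once SIG is listed in the .ign set."""
    if SIG in ign:
        return []
    return [(path, m, SIG) for m in suspicious_members(data)]

def make_sample_zip(names):
    """Constructed test data: an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"not really a program")
    return buf.getvalue()
```

A file named sample-msg1.txt only produces a hit here when its bytes are actually a zip archive, which is the "zip file in disguise" case Doug raises.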