[clamav-users] clamscan and PUA

Douglas Goddard dgoddard at sourcefire.com
Thu Sep 4 15:54:49 UTC 2014


Thank you for catching that. PUA is not supported for this signature type,
so I will drop the signature and rename it to avoid the confusion of the
incorrect PUA label. You'll need to whitelist the new name when it
appears in the next day or so.

Sorry for the inconvenience,
Doug


On Thu, Sep 4, 2014 at 11:45 AM, Douglas Goddard <dgoddard at sourcefire.com>
wrote:

> I'm looking into the PUA issue and will follow up about that.
>
>
> On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard <dgoddard at sourcefire.com>
> wrote:
>
>> That is a zip signature looking for double extension files. So, it is
>> interesting that it is alerting on a .txt file, unless that is a zip file
>> in disguise.
>>
>> You can whitelist the signature by adding a whitelist.ign file to your
>> ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
>> In that file put the signature names that you do not want alerting, one per
>> line.
>>
>> This signature and the others published in their set look for common
>> double extension tricks like your_document-pdf.exe.
>>
>> If that is truly a text file, or you would like to have me take a look at
>> it to see if the signature should be modified, please submit it as an FP via
>> http://www.clamav.net/fp.
>>
>> Thanks,
>> Doug
>>
>>
>> On Thu, Sep 4, 2014 at 11:23 AM, Mark Price <mprice at tqhosting.com> wrote:
>>
>>> In the past day we have had clamscan on several servers detect infected
>>> files due to:  PUA.Windows.DoubleExtension-zippwd-3
>>>
>>> I've read the clamscan manpage but have not had any luck with getting the
>>> "--detect-pua" option to work.  Example:
>>>
>>> # clamscan --detect-pua=no ./sample-msg1.txt
>>> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 3515268
>>> Engine version: 0.98
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 1
>>> Data scanned: 0.00 MB
>>> Data read: 0.05 MB (ratio 0.00:1)
>>> Time: 9.402 sec (0 m 9 s)
>>>
>>>
>>> In this case, is the infected file being detected by a PUA that I should be
>>> able to disable with a command line option?  Or is "PUA" simply part of the
>>> virus signature name?
>>>
>>>
>>> Thanks,
>>>
>>> Mark
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>>
>
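The two practical questions in the thread are whether the flagged .txt is really a zip in disguise and whether any of its members use the double-extension trick the signature targets, and how to act on a signature you have decided to ignore. The following added example, which is not code from ClamAV or from anyone on this thread, does both offline: it checks the zip magic bytes regardless of the file name, lists members whose name looks like `your_document-pdf.exe`, and post-filters `clamscan` output against an ignore list the way a `whitelist.ign` file would. The double-extension heuristic and the sample archive are my own assumptions and constructions; ClamAV's actual signature logic is not reproduced here. Member names of a password-protected zip are still readable without the password because the central directory is not encrypted, so the listing works on the "zippwd" case too, though the constructed sample below is not encrypted.

```python
import io
import re
import zipfile

# Local file header magic: a zip is a zip whatever its extension says.
ZIP_MAGIC = b"PK\x03\x04"

# Assumed executable final extensions and document-like decoy tokens
# (my heuristic, not ClamAV's signature).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf", "jpg", "png"}


def looks_like_zip(data: bytes) -> bool:
    """True if the bytes start with a zip local file header, ignoring the file name."""
    return data[:4] == ZIP_MAGIC


def is_double_extension(name: str) -> bool:
    """Flag names such as invoice.pdf.exe or your_document-pdf.exe: an executable
    final extension whose stem carries a document-like token separated by
    '.', '-', '_' or space."""
    base = name.rsplit("/", 1)[-1].lower()
    if "." not in base:
        return False
    stem, ext = base.rsplit(".", 1)
    if ext not in EXEC_EXT:
        return False
    tokens = re.split(r"[.\-_ ]+", stem)
    return any(t in DOC_TOKENS for t in tokens)


def suspicious_entries(data: bytes) -> list:
    """Names of zip members using a double-extension trick; [] if data is not a zip.
    Only the central directory is read, so no password is needed for the listing."""
    if not looks_like_zip(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_double_extension(n)]


def filter_hits(scan_output: str, ignored: set) -> list:
    """Parse 'path: Signature FOUND' lines from clamscan output and drop the
    signature names listed in `ignored` (same effect as a whitelist.ign file,
    applied after the fact)."""
    hits = []
    for line in scan_output.splitlines():
        if not line.endswith(" FOUND"):
            continue
        path, sig = line[: -len(" FOUND")].rsplit(": ", 1)
        if sig not in ignored:
            hits.append((path, sig))
    return hits


def build_sample(names) -> bytes:
    """Constructed zip archive with the given member names (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"dummy")
    return buf.getvalue()


# Constructed inputs: a "text" file that is really a zip, and a genuine text file.
SAMPLE_MSG1_TXT = build_sample(["readme.txt", "your_document-pdf.exe"])
PLAIN_TEXT = b"Hello, this is really a text file.\n"

# Constructed clamscan output line, mirroring the format shown in the thread.
SCAN_OUTPUT = "./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND\n"

if __name__ == "__main__":
    for label, data in (("sample-msg1.txt", SAMPLE_MSG1_TXT), ("plain.txt", PLAIN_TEXT)):
        print(label, "zip:", looks_like_zip(data), "suspicious:", suspicious_entries(data))
    print("hits after ignore:",
          filter_hits(SCAN_OUTPUT, {"PUA.Windows.DoubleExtension-zippwd-3"}))
```

Run it against the real file by replacing `SAMPLE_MSG1_TXT` with the bytes read from disk; if `looks_like_zip` is False the archive signature cannot apply to the content and the file is worth submitting as a false positive.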


