[clamav-users] Is there a PUA warnings Database for ClamScan - Looking up PUA for Webmin

shane at virusbusters.co.nz shane at virusbusters.co.nz
Wed Aug 12 02:29:23 EDT 2015


Awesome answer - thank you.
The FP was on two files from the latest version of webmin. I'll submit 
them for consideration and let the experts decide if it is a false 
positive or truly an issue.

On another note - clamAV has been finding php scripts in a third party 
dev site that other 'commercial' avs haven't. Virustotal confirmed the 
issues and a manual scan of the code did too - I'm impressed.

shane

On 2015-08-12 18:23, Al Varnell wrote:
> I may be totally misunderstanding your question, but I’ll tell you
> what I know and perhaps somebody from ClamAV will have a better answer
> for you later.
> 
> In general, all False Positives should be reported using the “Report
> False Positive” page:
> <http://www.clamav.net/report/report-fp.html>.
> 
> I know there was a period of time when PUA could not be submitted, but
> I don’t see any such restrictions at the moment.
> 
> As you can imagine, PUA FP’s are often in the eyes of the beholder.
> For instance, if the signature was meant to identify a parental
> control application that can be used to track user activity, but
> instead it identifies a word processor application, then it’s clearly
> an FP.  If it identifies a web site that is able to access clipboard
> data from IE 7 through 11, then it’s PUA, whether intentional or not.
> 
> Again, in general, there is no public information available on an
> infection to be “looked up”.  The signature writer might have
> something in their notes about it, but that’s as far as it ever goes.
> So I don’t know what you want to look up, but you have already looked
> in all the right places (Google and VirusTotal).
> 
> If you are interested in knowing what the signature looks like, then
> you can look it up at:
> <http://clamav-du.securesites.net/cgi-bin/clamgrok>
> or use
> sigtool --find-sigs [infectionname]
> 
> and if it’s decodable
> sigtool --find-sigs [infectionname] | sigtool --decode-sigs
> 
> -Al-
> 
> 
> On Tue, Aug 11, 2015 at 08:52 PM, shane at virusbusters.co.nz wrote:
>> 
>> is there a place that common false positives can be either registered 
>> or looked up?
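
To show what "decoding" a signature gives you when triaging a suspected false positive, here is an added example (not part of this thread and not ClamAV's own code) that splits an extended `.ndb` signature line into readable literals and wildcards. The sample signature is constructed, the function names are hypothetical, and the output layout is this example's own, not sigtool's.

```python
import re

# One token of an extended-signature body: '*', '{n}' / '{n-m}' / '{-m}' / '{n-}',
# '(aa|bbcc)' alternation (optionally negated with '!'), or one byte ('4d', '??', '4?').
TOKEN = re.compile(
    r"(?P<any>\*)"
    r"|(?P<gap>\{(?:\d+-\d*|-\d+|\d+)\})"
    r"|(?P<alt>!?\((?:[0-9a-fA-F]{2})+(?:\|(?:[0-9a-fA-F]{2})+)*\))"
    r"|(?P<byte>[0-9a-fA-F?]{2})"
)

def text(hexstr):
    """Render hex bytes as ASCII, escaping anything non-printable."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"\\x{b:02x}"
                   for b in bytes.fromhex(hexstr))

def decode_body(body):
    """Split a signature body into ('literal', str) and ('wildcard', str) parts."""
    parts, run, pos = [], "", 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"cannot parse signature body at offset {pos}")
        tok, pos = m.group(0), m.end()
        if m.lastgroup == "byte" and "?" not in tok:
            run += tok                      # extend the current literal run
            continue
        if run:
            parts.append(("literal", text(run)))
            run = ""
        if m.lastgroup == "alt":            # decode each alternative for readability
            alts = "|".join(text(a) for a in tok.strip("!()").split("|"))
            tok = ("!" if tok.startswith("!") else "") + "(" + alts + ")"
        parts.append(("wildcard", tok))
    if run:
        parts.append(("literal", text(run)))
    return parts

def parse_ndb(line):
    # Field layout: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
    name, target, offset, body = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset,
            "parts": decode_body(body)}

# Constructed sample signature (not from any ClamAV database).
SAMPLE = "PUA.Constructed.Example-1:0:*:3c3f706870??*706173737468727528{-32}245f(474554|504f5354)"

if __name__ == "__main__":
    for kind, value in parse_ndb(SAMPLE)["parts"]:
        print(f"{kind:8} {value}")
```

Reading the literals next to the flagged file shows which strings the signature keys on, which is the evidence a false-positive report needs.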



