[clamav-users] PUA.Script.PDF.EmbeddedJS-1

Al Varnell alvarnell at mac.com
Tue Sep 1 20:28:38 EDT 2015


Let me start by saying that I don’t recall an engine update ever flagging fewer files as infected. If anything, they would enable even more signatures to identify more files, so I’m confident that PUA.Script.PDF.EmbeddedJS-1 would work exactly the same with today’s engine.

But more important is the conclusion that this is a False Positive. Potentially Unwanted Application / Process (PUA/PUP) detections are almost never False Positives (although I did verify one once a few years ago). In this case the signature would appear to have identified a PDF document that contains JavaScript. That’s all it’s warning you about. If that’s what you expected from this document then ignore it and get on with your work. If you are surprised by such a thing, then perhaps you should take another look at it to see what it does and if it could be malicious.

Of course, chances are extremely high that even a malicious JavaScript would be Windows-based and no threat to a Mac, but that’s probably beside the point.

-Al-

On Tue, Sep 01, 2015 at 03:37 PM, aklist wrote:
> 
> Hi All: A PDF attachment to an email was scanned by ClamAV and found to have the following virus: PUA.Script.PDF.EmbeddedJS-1
> 
> I googled around on this and found some reports that it's a false positive. I'm still running 0.96.1 on MacOS 10.6.8, and I realize that it is out of date, but I was curious if later versions of ClamAV would also flag this virus?
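
For anyone who wants to take that second look at a flagged PDF, here is a small triage helper, added as an example and not part of the original thread or of ClamAV's own signature logic. It counts the PDF name tokens that usually accompany embedded JavaScript and resolves `#xx` name escapes first; the list of names and the sample bytes are choices made for this example.

```python
import re
import sys

# A PDF name is '/' followed by regular characters; whitespace and the
# delimiters ( ) < > [ ] { } / % end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]*)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth a second look during triage (selection made for this example).
INTERESTING = (b"JS", b"JavaScript", b"OpenAction", b"AA")

# Constructed sample input, not taken from any real document.
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (var x = 1;) >> endobj\n"
)
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def script_markers(data: bytes) -> dict:
    """Count the interesting names found in the raw bytes of a PDF.

    Limitation: names inside compressed streams are not visible here, and
    the same byte sequence inside a text string is counted too, so treat
    the result as a hint for manual review, not a verdict.
    """
    counts = {name.decode(): 0 for name in INTERESTING}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in INTERESTING:
            counts[name.decode()] += 1
    return counts


if __name__ == "__main__":
    # With a file path, report on that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            print(script_markers(handle.read()))
    else:
        print(script_markers(SAMPLE_WITH_JS))
```

Non-zero counts only say where to start reading; what the script does still has to be judged from its content.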