[clamav-users] Frequent PUA.Win.Trojan.EmbeddedPDF-1 false positives
Al Varnell
alvarnell at mac.com
Thu Jun 30 08:57:39 UTC 2016
The preferred, documented way to deal with a suspected False Positive here is to upload it to <http://www.clamav.net/reports/fp>, although in past years PUA submissions were not allowed, so I can’t predict how successful you will be.
ClamAV will always stop scanning after it finds the first infection, so there may be something about your quarantine process that is exposing attachments as separate files from the e-mail they were originally embedded in. That’s the only explanation I can come up with.
Many, if not most, users find that PUA detections are more trouble than they are worth and leave the configuration at "DetectPUA no", which is the default setting. If you are being overwhelmed by such detections, that may be your best option.
-Al-
On Wed, Jun 29, 2016 at 06:53 AM, Alex wrote:
>
> Hi,
>
> It appears lately there are quite a few PUA.Win.Trojan.EmbeddedPDF-1
> false positives. Scanning these messages manually shortly after
> they're quarantined doesn't find the same virus sig. In fact, many
> times it doesn't specifically include a PDF, but instead a docx file.
>
> I was just wondering if there's something I should know about this
> particular signature?
>
> Should I be able to scan a quarantined message in its entirety to
> determine if it has a virus? Or do I need to split out the individual
> doc/pdf components before scanning? I've done both, but was just
> curious if it was necessary to save the individual attachments before
> scanning.
>
> I can't easily send a sample, but I'd appreciate any help you may have to offer.
>
> Thanks,
> Alex
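As an added example that is not part of this thread or of the ClamAV project's own code: one way to split a quarantined message into its MIME attachments so each part can be scanned on its own (the question Alex raises), and to build the clamscan command line that turns PUA detection on for either the whole message or the split-out parts. The sample message, its attachment names (including the deliberate `../` one) and the tiny base64 bodies are constructed for illustration; clamscan is only executed when the binary is actually on PATH, so the script runs offline.

```python
"""Split a quarantined e-mail into its attachments and, if clamscan is
installed, scan both the whole message and the individual parts with PUA
detection enabled.

Added example for the clamav-users thread; not code from the thread or
from ClamAV. Standard library only.
"""
import email
import email.policy
import os
import shutil
import subprocess
import tempfile

# Constructed sample: a multipart/mixed mail with a .docx and a .pdf
# attachment (placeholder bodies, not real documents) plus one attachment
# whose filename attempts a path traversal.
SAMPLE_EML = b"""\
From: sender@example.test
To: alex@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see the attached files.
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="invoice.docx"
Content-Disposition: attachment; filename="invoice.docx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1
Content-Type: application/pdf; name="scan.pdf"
Content-Disposition: attachment; filename="scan.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../etc/evil.bin"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def iter_attachments(raw):
    """Yield (safe filename, content type, decoded bytes) for every
    attachment part of the message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or f"part{idx}.bin"
        # Attachment names are attacker-controlled: keep only the basename so
        # "../../etc/evil.bin" cannot escape the output directory.
        safe = os.path.basename(name.replace("\\", "/")) or f"part{idx}.bin"
        payload = part.get_payload(decode=True) or b""
        yield f"{idx:02d}_{safe}", part.get_content_type(), payload


def list_attachments(raw):
    """Metadata only: (filename, content type, size) per attachment."""
    return [(name, ctype, len(data)) for name, ctype, data in iter_attachments(raw)]


def extract_attachments(raw, outdir):
    """Write each attachment into outdir; return the paths written."""
    paths = []
    for name, _ctype, data in iter_attachments(raw):
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def clamscan_cmd(paths, detect_pua=True, all_match=True):
    """Build a clamscan command. --detect-pua=yes enables the PUA signatures
    that are off by default (the clamd.conf equivalent is 'DetectPUA yes');
    --allmatch asks clamscan to continue scanning a file after a match."""
    cmd = ["clamscan", "--no-summary"]
    if detect_pua:
        cmd.append("--detect-pua=yes")
    if all_match:
        cmd.append("--allmatch")
    return cmd + list(paths)


def scan_if_available(paths):
    """Run clamscan when installed; return (exit code, output) or None.
    clamscan exits 0 when clean, 1 when something was found, 2 on error."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(clamscan_cmd(paths), capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        eml = os.path.join(tmp, "quarantined.eml")
        with open(eml, "wb") as fh:
            fh.write(SAMPLE_EML)
        parts = extract_attachments(SAMPLE_EML, tmp)
        for entry in list_attachments(SAMPLE_EML):
            print("extracted", entry)
        # Scan the whole message and the split-out parts separately so the
        # two results can be compared.
        for label, targets in (("whole message", [eml]), ("attachments", parts)):
            result = scan_if_available(targets)
            print(label, "->", "clamscan not installed" if result is None else result[0])
```

Running it against a real quarantined .eml instead of `SAMPLE_EML` lets you compare the verdict clamscan gives the whole message with the verdicts it gives each extracted part; a hit that appears only in one of the two views points at the layer (MIME decoding versus the attachment's own format) where the signature is matching.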