[clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1
Noel Jones
njones at megan.vbhcs.org
Thu Mar 31 15:36:18 UTC 2016
Known malware will still be detected, even if you ignore the
troublesome PUA sigs.
These aren't really false positives since the .pdf really does
contain javascript. So the sigs are working as intended.
The alternative is to communicate to your users that .pdf files
containing javascript are not allowed in email. Unfortunately,
*many* legit .pdf files contain javascript.
This is more of a local policy decision than a tech decision.
-- Noel Jones
On 3/31/2016 9:25 AM, polloxx wrote:
> That's known to me Steve.
> I'm afraid malware will not be detected in that case.
>
> P.
>
> On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
> steveb_clamav at sanesecurity.com> wrote:
>
>>
>> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
>>> Since the new ClamAV database we have a lot more false positives for
>>> PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
>>> What can we do about this, except disabling PUA?
>>
>> Create a local.ign2 with the following lines:
>>
>> PUA.Pdf.Trojan.EmbeddedJS-1
>> PUA.Win.Trojan.EmbeddedPDF-1
>>
>> Place in ClamAV database folder and restart clamd
>>
>> Cheers,
>>
>> Steve
>> Web : sanesecurity.com
>> Blog: sanesecurity.blogspot.com
>> Twitter: @sanesecurity
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
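The local.ign2 step from Steve's reply, as an added shell example that is not part of the thread or of ClamAV itself. The function name `ign2_add` and the database path in the usage comment are assumptions; the function appends only names that are missing and matches whole lines, so one signature name never stands in for a longer one.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently maintain local.ign2.
# ign2_add is a hypothetical helper name chosen for this example.
#
# Usage (path is an assumption; use the DatabaseDirectory from clamd.conf):
#   ign2_add /var/lib/clamav PUA.Pdf.Trojan.EmbeddedJS-1 PUA.Win.Trojan.EmbeddedPDF-1
#   ...then restart clamd, as the reply says.

# ign2_add DBDIR SIGNAME...
# Appends each signature name to DBDIR/local.ign2 unless that exact line is
# already present. Prints how many names were actually added.
ign2_add() {
    dbdir=$1
    shift
    if [ ! -d "$dbdir" ]; then
        echo "no such database directory: $dbdir" >&2
        return 2
    fi
    file=$dbdir/local.ign2
    [ -e "$file" ] || : > "$file" || return 2

    # If the file does not end in a newline, add one first so the next
    # entry is not glued onto the last existing name.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi

    added=0
    for sig in "$@"; do
        # One name per line: empty names or embedded whitespace would
        # silently produce entries that match nothing.
        case $sig in
            ''|*[[:space:]]*)
                echo "skipping invalid name: '$sig'" >&2
                continue ;;
        esac
        # -F literal string, -x whole line: "Foo-1" must not match "Foo-10".
        if ! grep -Fxq -- "$sig" "$file"; then
            printf '%s\n' "$sig" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}
```

Running it a second time with the same names prints 0 and leaves the file unchanged, so it is safe to call from configuration management.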