[clamav-users] Problems scanning for PUAs
Maarten Broekman
maarten.broekman at gmail.com
Thu May 30 22:12:33 UTC 2019
I think the PUA versions are just potentially unwanted things that exhibit
trojan-like behavior but aren't confirmed trojans.
As for the original question, it looks like it's only using the first part
of that to determine the group of PUAs to ignore.
These are the 'PUA' families (and associated signature counts).
82 Andr
181 Cert
4 Doc
2 Email
1 Embedded
34 Html
3 Java
2 Js
1 Osx
1 Packed
6 Pdf
1 Php
1 Rtf
1 Spy
1 Swf
1 Tool
542 Unix
5832 Win
Running clamscan --detect-pua=yes --exclude-pua=Pdf does indeed exclude the
6 PUA signatures for PUA.Pdf.*
Barring the addition of functionality to allow you specify sub-categories
on the command line, your best option would be to create a .ign2 file with
a list of all the packer signatures you want to ignore.
A command-line along the lines of this would generate it for you:
# sigtool --find-sigs PUA.Win.Packer \
    | awk '/ PUA/ { print $NF } /:PUA/ { print $NF }' \
    | awk -F: '$1 ~ /PUA/ { print $1 } $NF ~ /PUA/ { print $NF }' \
    | awk -F\; '{ print $1 }' > <dbdir>/ignorelist.ign2
--Maarten
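The same sub-category filtering, as an added Python example that is not from this thread or from ClamAV: it assumes sigtool --find-sigs prints "[dbfile] sigline" and that the signature name sits in the position each database format (ndb, ldb, hdb/hsb, mdb/msb) documents; the sample lines are constructed and the hashes/hex bodies are made up.

```python
"""Build a .ign2 name list for one PUA sub-category from sigtool --find-sigs output."""
import re

# Constructed sample in the assumed "[dbfile] sigline" shape of sigtool --find-sigs;
# the signature bodies are made up and are not real ClamAV signatures.
SAMPLE = """\
[main.ndb] PUA.Win.Packer.Upx-1:1:*:deadbeef
[daily.ldb] PUA.Win.Packer.Themida-3;Engine:51-255,Target:1;0&1;cafe;babe
[main.hdb] 0123456789abcdef0123456789abcdef:4096:PUA.Win.Packer.Aspack-2
[main.mdb] 512:fedcba9876543210fedcba9876543210:PUA.Win.Packer.Mew-1
[daily.ndb] PUA.Win.Malware.Keygen-1:1:*:00ff
[main.ndb] Win.Trojan.Agent-123:1:*:4d5a
"""

LINE_RE = re.compile(r"^\[(?P<db>[^\]]+)\]\s+(?P<sig>.+)$")


def sig_name(db, sig):
    """Return the signature name; where it sits depends on the database format."""
    ext = db.rsplit(".", 1)[-1]
    if ext == "ldb":                              # Name;TargetDesc;LogExpr;Subsig...
        return sig.split(";", 1)[0]
    if ext in ("hdb", "hsb", "mdb", "msb"):       # Hash:Size:Name / Size:Hash:Name
        return sig.split(":")[2]
    if ext == "ndb":                              # Name:Target:Offset:Hex
        return sig.split(":", 1)[0]
    return None                                   # unknown format: skip, don't guess


def pua_parts(name):
    """Split 'PUA.Win.Packer.Upx-1' into ('Win', 'Packer'); None if not a PUA name."""
    parts = name.split(".")
    if len(parts) < 4 or parts[0] != "PUA":
        return None
    return parts[1], parts[2]


def ign2_for(text, category, subcategory):
    """Collect the names to ignore (one per line, the .ign2 format) for a sub-category."""
    names = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = sig_name(m["db"], m["sig"])
        if name and pua_parts(name) == (category, subcategory):
            names.append(name)
    return names


if __name__ == "__main__":
    # Write the result to <dbdir>/ignorelist.ign2 to skip only PUA.Win.Packer.* hits.
    print("\n".join(ign2_for(SAMPLE, "Win", "Packer")))
```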
On Thu, May 30, 2019 at 5:36 PM Daniel Quintiliani via clamav-users <clamav-users at lists.clamav.net> wrote:
> Also, what is the difference between e.g. Win.Trojan and PUA.Win.Trojan?
> Why would a trojan be a PUA?
>
> --
>
> -Dan Q
>
> On Thu, 30 May 2019 17:02:08 -0400 (EDT), Daniel Quintiliani via
> clamav-users <clamav-users at lists.clamav.net> wrote:
>
> > Hi,
> >
> > I'm trying to scan files for PUAs.
> > When you do that, you get a lot of packers show up.
> >
> > But when I type
> >
> > --detect-pua=yes --exclude-pua=Win.Packer
> >
> > it doesn't detect any PUAs at all (including PUA.Win.Malware etc).
> >
> > Am I typing something wrong or is this a bug?
> >
> > Running ClamAV v0.101.2 on Gentoo Linux.
> >
> > Also, I haven't used ClamAV in a while, but do you still auto-reject PUA
> > from the false-positive form?
> >
> > Thank you!
> >
> > --
> >
> > -Dan Q
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>