[clamav-users] Is Doc.Packed available as PUA category?

G.W. Haywood clamav at jubileegroup.co.uk
Thu Jan 14 11:19:45 UTC 2021


Hi there,

On Thu, 14 Jan 2021, 本多 俊之 wrote:

> I got an error due to clamav scanning when sending an Excel document where a password is set.
> The error was as follows:
> "wWDZCZvPwM-1.dat: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND"

That is not an error.  That is ClamAV correctly doing what it is supposed to do.

> I added the following line to clamd.conf to avoid the error, but it didn't work.
> "ExcludePUA Packed"
>
> So I changed the category to "Doc.Packed" and the error no longer occurs.
> "ExcludePUA Doc.Packed"

Are you sure that you want to do that?  Password-protected compressed
malicious mail is one of the most common issues which I see at present.
It is good practice to scan sent mail, but if you are sending the mail
then presumably you will have ways of preventing a scan from rejecting
your own mail other than disabling the scanner for all mail.

> I cannot find "Doc.Packed" in the official PUA categories:
> https://www.clamav.net/documents/potentially-unwanted-applications-pua
>
> Could you please let me know what is "Doc.Packed" category and whether it is available?

The documentation appears to me to be either misleading or out of date.

Try something like this:

$ grep -a '^PUA' .../daily.cld | cut -d'.' -f 1,2,3 | sort | uniq

It might not be a complete list but it will be a start.

-- 

73,
Ged.
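
Building on the pipeline in the message above, an added example (not part of the original post and not ClamAV code) that counts signatures per PUA category and lists the ones a given category covers, so the reach of an `ExcludePUA` entry can be reviewed before it goes into clamd.conf. It assumes the category is the dotted text between `PUA.` and the final name component. The function names are hypothetical, and every signature name except the one quoted in the thread is constructed.

```shell
#!/bin/sh
# Constructed sample input. Only the first name comes from the thread;
# the rest are made up, including the trailing ":..." fields on one line.
sample_sigs() {
cat <<'EOF'
PUA.Doc.Packed.EncryptedDoc-6563700-0
PUA.Doc.Packed.ExampleA-1
PUA.Doc.Tool.ExampleB-2
PUA.Win.Packed.ExampleC-3:0:*:deadbeef
Win.Trojan.ExampleD-4
EOF
}

# Print "category<TAB>signature-name" for each PUA signature on stdin.
# Assumption: category = everything between "PUA." and the last
# dot-separated component (the signature's own name).
pua_split() {
    awk '{
        sub(/[:;].*/, "")                  # keep only the name field
        n = split($0, p, ".")
        if (p[1] != "PUA" || n < 3) next   # skip non-PUA or malformed names
        cat = p[2]
        for (i = 3; i < n; i++) cat = cat "." p[i]
        printf "%s\t%s\n", cat, $0
    }'
}

# Print "count category" for every PUA category seen on stdin.
pua_categories() {
    pua_split | cut -f1 | LC_ALL=C sort | uniq -c | awk '{ print $1, $2 }'
}

# sigs_in_category CATEGORY: print the signatures whose full category
# equals CATEGORY. The match is exact, which mirrors the report in the
# thread that "Packed" did not cover the signature but "Doc.Packed" did.
sigs_in_category() {
    pua_split | awk -F'\t' -v want="$1" '$1 == want { print $2 }'
}

# Stand-alone run on the constructed sample. For real data, feed in the
# output of the grep from the message above instead of sample_sigs.
sample_sigs | pua_categories
```
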

