[clamav-users] PUA detected. False Positive?

Maarten Broekman maarten.broekman at gmail.com
Fri Jul 15 20:34:52 UTC 2022 

A "PUA" is a "potentially unwanted application", not necessarily malicious.
You can disable PUA checks by ensuring that your clamd configuration has
"DetectPUA" set to no.

For reference, the signature is looking for bitwise math on CharCodeAt()
operations in HTML files.

VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^


I created a bogus test file that matches the signature and, with default
configuration settings, it is not detected. But when I force PUA detection
to be on, it is detected.

lothlorien:~$ clamscan test.html
Loading:     6s, ETA:   0s [========================>]    8.62M/8.62M sigs

Compiling:   2s, ETA:   0s [========================>]       41/41 tasks

~/test.html: OK

----------- SCAN SUMMARY -----------
Known viruses: 8622174
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.865 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:01
End Date:   2022:07:15 16:31:11

lothlorien:~$ clamscan --detect-pua=yes test.html
Loading:     6s, ETA:   0s [========================>]    8.64M/8.64M sigs

Compiling:   2s, ETA:   0s [========================>]       41/41 tasks

~/test.html: PUA.Win.Trojan.Xored-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8637594
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.614 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:17
End Date:   2022:07:15 16:31:26

--Maarten

On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists at j4computers.com> wrote:

> Clamav is finding this:
>
> "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
> source I trust (well, it is a professional organization anyway).
>
> Is there any way to tell clamav not to run the check for this particular
> client and this particular "trojan"? Just not check for it at all?
>
> Or should I submit it as a "False positive" and hope it goes away?
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20220715/f9024844/attachment.htm>

More information about the clamav-users mailing list