[clamav-users] PUA detected. False Positive?
joe a
joea-lists at j4computers.com
Fri Jul 15 22:29:05 UTC 2022
My ignorance shows. I created the file "/my_install_path/ignore_list.ign2" and
get this error:
"LibClamAV Error: cli_loadign: No signature name provided"
Is the signature name not "PUA.Win.Trojan.Xored-1"?
joe a.
On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
> To turn it off entirely, you would create a file ending in .ign2 and put
> the signature name in that file.
>
> I'm not sure there is a good way to do it only for that particular
> sender, unless you have a way to send those messages to a differently
> configured ClamAV setup. I don't do a lot of email scanning, so I'm not
> sure what the limitations are there.
>
> --Maarten
>
> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists at j4computers.com> wrote:
>
> Thank you. I believe I understand.
>
> I was actually looking for a way to turn off checking for this
> particular "PUA", hopefully just for this sender, while keeping PUA
> checks still enabled for other cases.
>
> In the past I've not had great success searching entirely on my own.
>
> joe a.
>
> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
> > A "PUA" is a "potentially unwanted application", not necessarily
> > malicious. You can disable PUA checks by ensuring that your clamd
> > configuration has "DetectPUA" set to no.
> >
> > For reference, the signature is looking for bitwise math on CharCodeAt()
> > operations in HTML files.
> >
> > VIRUS NAME: PUA.Win.Trojan.Xored-1
> > TARGET TYPE: HTML
> > OFFSET: *
> > DECODED SIGNATURE:
> > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
> >
> >
> > I created a bogus test file that matches the signature and, with default
> > configuration settings, it is not detected. But when I force PUA
> > detection to be on, it is detected.
> >
> > lothlorien:~$ clamscan test.html
> > Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs
> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
> >
> > ~/test.html: OK
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 8622174
> > Engine version: 0.105.0
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.00 MB
> > Data read: 0.00 MB (ratio 0.00:1)
> > Time: 9.865 sec (0 m 9 s)
> > Start Date: 2022:07:15 16:31:01
> > End Date: 2022:07:15 16:31:11
> >
> > lothlorien:~$ clamscan --detect-pua=yes test.html
> > Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs
> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
> >
> > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 8637594
> > Engine version: 0.105.0
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.00 MB
> > Data read: 0.00 MB (ratio 0.00:1)
> > Time: 9.614 sec (0 m 9 s)
> > Start Date: 2022:07:15 16:31:17
> > End Date: 2022:07:15 16:31:26
> >
> > --Maarten
> >
> > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists at j4computers.com> wrote:
> >
> > Clamav is finding this:
> >
> > "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
> > source I trust (well, it is a professional organization anyway).
> >
> > Is there any way to tell clamav not to run the check for this particular
> > client and this particular "trojan"? Just not check for it at all?
> >
> > Or should I submit it as a "False positive" and hope it goes away?
> >
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/Cisco-Talos/clamav-documentation
> >
> > https://docs.clamav.net/#mailing-lists-and-chat
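Worked example, added here; it is not code from the thread or from the ClamAV project. The .ign2 format is one signature name per line and nothing else, and cli_loadign reports "No signature name provided" when it reaches a line it cannot read a name from, typically a blank line. The file also has to be where the scanner loads its databases (clamd's DatabaseDirectory, followed by a reload, or a -d argument to clamscan), and an entry there silences that signature for every scan, not only for one sender. The script below writes such a file, checks it for lines that would trip the loader, builds two constructed HTML files (one with the charCodeAt()^ XOR loop the decoded signature describes, one without), emulates that signature with a grep pattern, and, only when clamscan is installed, repeats the two scans from the thread plus a third with the .ign2 loaded. The /var/lib/clamav path, the file names and the sample HTML are assumptions for illustration, and the grep is an approximation: the engine matches against normalised HTML, not the raw bytes.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ClamAV project.
# Builds a well-formed .ign2 whitelist, checks it for the empty lines that
# make cli_loadign fail, emulates the decoded Xored-1 signature with grep,
# and (when clamscan is installed) runs the scans shown in the thread.

SIG="PUA.Win.Trojan.Xored-1"

# .ign2 format: one signature name per line, nothing else.
write_ign2() {                     # $1 = output path, $2.. = signature names
    ign_out="$1"; shift
    : > "$ign_out"
    for ign_name in "$@"; do
        printf '%s\n' "$ign_name" >> "$ign_out"
    done
}

# Succeeds only when every line is a comment or a bare signature name
# (no blank lines, no leading spaces, no CRLF line endings).
check_ign2() {                     # $1 = .ign2 path
    ! grep -qEv '^(#|[A-Za-z0-9._-]+$)' "$1"
}

# Approximation of the decoded signature
#   charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
# i.e. "charcodeat(" + at most five bytes + ")^", case-insensitive because
# ClamAV lowercases HTML before matching. The real engine also normalises
# whitespace and tags first, so this grep is an approximation (assumption).
matches_xored_sig() {              # $1 = HTML file; exit 0 if it would match
    grep -qiE 'charcodeat\(.{0,5}\)\^' "$1"
}

# Constructed samples: one that XOR-decodes char codes, one that does not.
make_samples() {                   # $1 = directory
    cat > "$1/xored.html" <<'EOF'
<script>
var s="=iL",o="";
for(var i=0;i<s.length;i++)o+=String.fromCharCode(s.charCodeAt(i)^0x5a);
document.write(o);
</script>
EOF
    cat > "$1/benign.html" <<'EOF'
<script>
var c=document.title.charCodeAt(0);
if(c>64){console.log("starts with a letter");}
</script>
EOF
}

# The scans from the thread, when clamscan is available. $3 is the database
# directory (/var/lib/clamav on most Linux packages; an assumption). The exit
# status is that of the last scan: 0 means the .ign2 entry suppressed the hit.
scan_with_clamav() {               # $1 = HTML file, $2 = .ign2 path, $3 = db dir
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed; skipping"; return 0; }
    echo "== default settings (DetectPUA off)"
    clamscan --no-summary "$1" || true
    echo "== --detect-pua=yes"
    clamscan --no-summary --detect-pua=yes "$1" || true
    echo "== --detect-pua=yes with $2 loaded beside the database"
    clamscan --no-summary --detect-pua=yes -d "$3" -d "$2" "$1"
}

# Demonstration on constructed files in a temporary directory.
tmp=$(mktemp -d)
write_ign2 "$tmp/local.ign2" "$SIG"
check_ign2 "$tmp/local.ign2" && echo "local.ign2 is well formed"
printf '%s\n\n' "$SIG" > "$tmp/broken.ign2"        # trailing blank line
check_ign2 "$tmp/broken.ign2" || echo "broken.ign2 has a line with no signature name"
make_samples "$tmp"
for f in xored benign; do
    if matches_xored_sig "$tmp/$f.html"; then echo "$f.html: would match $SIG"
    else echo "$f.html: no match"; fi
done
scan_with_clamav "$tmp/xored.html" "$tmp/local.ign2" /var/lib/clamav \
    || echo "clamscan exited non-zero (1 = detection, 2 = error)"
rm -rf "$tmp"
```

For clamd rather than clamscan, copy the checked .ign2 into the DatabaseDirectory and run clamdscan --reload (or restart clamd); clamscan picks it up either from that directory or from a second -d argument as above.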
More information about the clamav-users
mailing list