[clamav-users] PUA detected. False Positive?

joe a joea-lists at j4computers.com
Sat Jul 16 03:43:50 UTC 2022


That error was corrected, but now the error is "Malformed Database".

Is it not a simple text string on a single line?

joe a.

On 7/15/2022 6:29 PM, joe a wrote:
> My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and 
> get this error:
> 
> "LibClamAV Error: cli_loadign: No signature name provided"
> 
> Is the signature name not "PUA.Win.Trojan.Xored-1"?
> 
> joe a.
> 
> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>> To turn it off entirely, you would create a file ending in .ign2 and 
>> put the signature name in that file.
>>
>> I'm not sure there is a good way to do it only for that particular 
>> sender, unless you have a way to send those messages to a differently 
>> configured ClamAV setup. I don't do a lot of email scanning, so I'm 
>> not sure what the limitations are there.
>>
>> --Maarten
>>
>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists at j4computers.com> wrote:
>>
>>     Thank you.  I believe I understand.
>>
>>     I was actually looking for a way to turn off checking for this
>>     particular "PUA", hopefully just for this sender, while keeping PUA
>>     checks still enabled for other cases.
>>
>>     In the past I've not had great success searching entirely on my own.
>>
>>     joe a.
>>
>>     On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
>>      > A "PUA" is a "potentially unwanted application", not necessarily
>>      > malicious. You can disable PUA checks by ensuring that your clamd
>>      > configuration has "DetectPUA" set to no.
>>      >
>>      > For reference, the signature is looking for bitwise math on
>>      > CharCodeAt() operations in HTML files.
>>      >
>>      > VIRUS NAME: PUA.Win.Trojan.Xored-1
>>      > TARGET TYPE: HTML
>>      > OFFSET: *
>>      > DECODED SIGNATURE:
>>      > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>>      >
>>      >
>>      > I created a bogus test file that matches the signature and, with
>>      > default configuration settings, it is not detected. But when I force
>>      > PUA detection to be on, it is detected.
>>      >
>>      > lothlorien:~$ clamscan test.html
>>      > Loading:     6s, ETA:   0s [========================>]  8.62M/8.62M sigs
>>      > Compiling:   2s, ETA:   0s [========================>]  41/41 tasks
>>      >
>>      > ~/test.html: OK
>>      >
>>      > ----------- SCAN SUMMARY -----------
>>      > Known viruses: 8622174
>>      > Engine version: 0.105.0
>>      > Scanned directories: 0
>>      > Scanned files: 1
>>      > Infected files: 0
>>      > Data scanned: 0.00 MB
>>      > Data read: 0.00 MB (ratio 0.00:1)
>>      > Time: 9.865 sec (0 m 9 s)
>>      > Start Date: 2022:07:15 16:31:01
>>      > End Date:   2022:07:15 16:31:11
>>      >
>>      > lothlorien:~$ clamscan --detect-pua=yes test.html
>>      > Loading:     6s, ETA:   0s [========================>]  8.64M/8.64M sigs
>>      > Compiling:   2s, ETA:   0s [========================>]  41/41 tasks
>>      >
>>      > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>>      >
>>      > ----------- SCAN SUMMARY -----------
>>      > Known viruses: 8637594
>>      > Engine version: 0.105.0
>>      > Scanned directories: 0
>>      > Scanned files: 1
>>      > Infected files: 1
>>      > Data scanned: 0.00 MB
>>      > Data read: 0.00 MB (ratio 0.00:1)
>>      > Time: 9.614 sec (0 m 9 s)
>>      > Start Date: 2022:07:15 16:31:17
>>      > End Date:   2022:07:15 16:31:26
>>      >
>>      > --Maarten
>>      >
>>      > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists at j4computers.com> wrote:
>>      >
>>      >     Clamav is finding this:
>>      >
>>      >     "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails
>>      >     from a source I trust (well, it is a professional organization
>>      >     anyway).
>>      >
>>      >     Is there any way to tell clamav not to run the check for this
>>      >     particular client and this particular "trojan"? Just not check
>>      >     for it at all?
>>      >
>>      >     Or should I submit it as a "False positive" and hope it goes
>>      >     away?
>>      >
>>      >
>>      >     _______________________________________________
>>      >
>>      >     clamav-users mailing list
>>      >     clamav-users at lists.clamav.net
>>      >     https://lists.clamav.net/mailman/listinfo/clamav-users
>>      >
>>      >
>>      >     Help us build a comprehensive ClamAV guide:
>>      >     https://github.com/Cisco-Talos/clamav-documentation
>>      >
>>      >     https://docs.clamav.net/#mailing-lists-and-chat
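The two mechanical points in this thread, what shape of HTML the quoted signature body matches and what a line of a hand-written .ign2 file should look like, as an added Python example. This is not ClamAV's code and not code from anyone on the list; the regular expression only approximates the decoded body `charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^` on raw bytes and does not reproduce ClamAV's HTML normalisation, and the .ign2 rules (one signature name per line, `#` comments, no blank lines, no surrounding whitespace or CR endings, names limited to letters, digits, `.`, `_`, `-`) are this example's assumptions, not a quote of the database format specification. The function names, the sample HTML and the sample .ign2 contents are all constructed here.

```python
import re

# (1) Approximation of the decoded signature body quoted in the thread:
#     charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
#     i.e. the literal "charcodeat(", at most five arbitrary bytes, then ")^".
#     Matched case-insensitively on the raw bytes. ClamAV's normalisation of
#     the HTML target is not reproduced here (assumption / simplification).
XORED_1_BODY = re.compile(rb"charcodeat\(.{0,5}\)\^", re.IGNORECASE | re.DOTALL)


def matches_xored_signature(html: bytes) -> bool:
    """True if the HTML contains a fragment shaped like PUA.Win.Trojan.Xored-1."""
    return XORED_1_BODY.search(html) is not None


# (2) Lint for a hand-written .ign2 file. Assumed format (the thread only says
#     "put the signature name in that file"): one signature name per line,
#     '#' comment lines allowed, no blank lines, no surrounding whitespace,
#     no CR line endings, names limited to the characters seen in names such
#     as PUA.Win.Trojan.Xored-1. These rules are assumptions of this example.
IGN2_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def check_ign2(text: str) -> list[tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means nothing found."""
    problems: list[tuple[int, str]] = []
    lines = text.split("\n")
    if lines and lines[-1] == "":      # file ended with a newline: not a blank line
        lines.pop()
    for lineno, line in enumerate(lines, start=1):
        if line.endswith("\r"):
            problems.append((lineno, "CRLF line ending"))
            line = line[:-1]
        if line.startswith("#"):
            continue
        if line == "":
            problems.append((lineno, "blank line (no signature name)"))
            continue
        if line != line.strip():
            problems.append((lineno, "leading/trailing whitespace"))
            line = line.strip()
        if not IGN2_NAME.match(line):
            problems.append((lineno, f"unexpected characters in name {line!r}"))
    return problems


if __name__ == "__main__":
    # Constructed sample: a harmless-looking XOR decode loop of the kind a
    # newsletter might embed; it carries exactly the shape the signature wants.
    sample_html = b"""<html><body>
<script>
var s="", k=0x2a, e="zgnnq";
for (var i=0;i<e.length;i++) s+=String.fromCharCode(e.charCodeAt(i)^k);
</script>
</body></html>"""
    print("signature shape present:", matches_xored_signature(sample_html))

    # Constructed .ign2 contents: the second one has a blank first line and a
    # trailing space plus CRLF on the name line.
    good = "PUA.Win.Trojan.Xored-1\n"
    bad = "\nPUA.Win.Trojan.Xored-1 \r\n"
    print("good file:", check_ign2(good))
    print("bad file: ", check_ign2(bad))
```

`check_ign2` only reports; it does not rewrite the file. Run it over a candidate ignore file before pointing ClamAV at it, and treat any reported line as the first place to look when the database loader rejects the file.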

