[clamav-users] PUA detected. False Positive?
Al Varnell
alvarnell at mac.com
Sat Jul 16 04:18:09 UTC 2022
Yes, just make sure you don't have embedded spaces, carriage returns or other invisible characters.
-Al-
--
ClamXAV User
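As an added example that is not part of the thread, the script below creates the `.ign2` file discussed above and checks it for the invisible characters (CRLF endings, spaces, tabs, non-printable bytes) that make ClamAV report "Malformed Database". The output path is an assumption; point it at your ClamAV database directory.

```shell
#!/bin/sh
# Added example, not from the thread: write a ClamAV .ign2 whitelist for
# PUA.Win.Trojan.Xored-1 and verify it contains nothing but the bare name.
# The destination path is an assumption (your DatabaseDirectory).

# One signature name per line, LF line ending, nothing else. printf is used
# instead of echo so no implementation-specific "\r" or "-n" handling applies.
write_ign2() {
    printf '%s\n' 'PUA.Win.Trojan.Xored-1' > "$1"
}

# Return 0 when every line is a bare signature name made only of visible
# ASCII characters, 1 (with a reason on stderr) otherwise.
check_ign2() {
    _f="$1"
    _cr=$(printf '\r')
    # Windows editors leave CRLF endings; the CR becomes part of the name.
    if grep -q "$_cr" "$_f"; then
        echo "$_f: carriage return (CRLF line ending) found" >&2; return 1
    fi
    # Any byte that is not a visible ASCII character: space, tab, NBSP, ...
    if LC_ALL=C grep -q '[^[:graph:]]' "$_f"; then
        echo "$_f: embedded space, tab or non-printable byte found" >&2; return 1
    fi
    # A blank line is a zero-length signature name.
    if grep -q '^$' "$_f"; then
        echo "$_f: empty line found" >&2; return 1
    fi
    return 0
}

# Usage: sh make_ign2.sh /my_install_path/ignore_list.ign2
if [ "$#" -eq 1 ]; then
    write_ign2 "$1" && check_ign2 "$1" && echo "$1: ok"
fi
```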
> On Jul 15, 2022, at 8:43 PM, joe a <joea-lists at j4computers.com> wrote:
>
> That error was corrected, but now the error is "Malformed Database".
>
> Is it not a simple text string on a single line?
>
> joe a.
>
> On 7/15/2022 6:29 PM, joe a wrote:
>> My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and get this error:
>> "LibClamAV Error: cli_loadign: No signature name provided"
>> Is the signature name not "PUA.Win.Trojan.Xored-1"
>> joe a.
>> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>>> To turn it off entirely, you would create a file ending in .ign2 and put the signature name in that file.
>>>
>>> I'm not sure there is a good way to do it only for that particular sender, unless you have a way to send those messages to a differently configured ClamAV setup. I don't do a lot of email scanning, so I'm not sure what the limitations are there.
>>>
>>> --Maarten
>>>
>>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists at j4computers.com> wrote:
>>>
>>> Thank you. I believe I understand.
>>>
>>> I was actually looking for a way to turn off checking for this
>>> particular "PUA", hopefully just for this sender, while keeping PUA
>>> checks still enabled for other cases.
>>>
>>> In the past I've not had great success searching entirely on my own.
>>>
>>> joe a.
>>>
>>> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
>>> > A "PUA" is a "potentially unwanted application", not necessarily
>>> > malicious. You can disable PUA checks by ensuring that your clamd
>>> > configuration has "DetectPUA" set to no.
>>> >
>>> > For reference, the signature is looking for bitwise math on
>>> > CharCodeAt() operations in HTML files.
>>> >
>>> > VIRUS NAME: PUA.Win.Trojan.Xored-1
>>> > TARGET TYPE: HTML
>>> > OFFSET: *
>>> > DECODED SIGNATURE:
>>> > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>>> >
>>> >
>>> > I created a bogus test file that matches the signature and, with
>>> > default configuration settings, it is not detected. But when I force
>>> > PUA detection to be on, it is detected.
>>> >
>>> > lothlorien:~$ clamscan test.html
>>> > Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs
>>> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>>> >
>>> > ~/test.html: OK
>>> >
>>> > ----------- SCAN SUMMARY -----------
>>> > Known viruses: 8622174
>>> > Engine version: 0.105.0
>>> > Scanned directories: 0
>>> > Scanned files: 1
>>> > Infected files: 0
>>> > Data scanned: 0.00 MB
>>> > Data read: 0.00 MB (ratio 0.00:1)
>>> > Time: 9.865 sec (0 m 9 s)
>>> > Start Date: 2022:07:15 16:31:01
>>> > End Date: 2022:07:15 16:31:11
>>> >
>>> > lothlorien:~$ clamscan --detect-pua=yes test.html
>>> > Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs
>>> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>>> >
>>> > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>>> >
>>> > ----------- SCAN SUMMARY -----------
>>> > Known viruses: 8637594
>>> > Engine version: 0.105.0
>>> > Scanned directories: 0
>>> > Scanned files: 1
>>> > Infected files: 1
>>> > Data scanned: 0.00 MB
>>> > Data read: 0.00 MB (ratio 0.00:1)
>>> > Time: 9.614 sec (0 m 9 s)
>>> > Start Date: 2022:07:15 16:31:17
>>> > End Date: 2022:07:15 16:31:26
>>> >
>>> > --Maarten
>>> >
>>> > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists at j4computers.com> wrote:
>>> >
>>> > Clamav is finding this:
>>> >
>>> > "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
>>> > source I trust (well, it is a professional organization anyway).
>>> >
>>> > Is there any way to tell clamav not to run the check for this
>>> > particular client and this particular "trojan"? Just not check for it
>>> > at all?
>>> >
>>> > Or should I submit it as a "False positive" and hope it goes away?
>>> >
>>> >
>>> > _______________________________________________
>>> >
>>> > clamav-users mailing list
>>> > clamav-users at lists.clamav.net
>>> > https://lists.clamav.net/mailman/listinfo/clamav-users
>>> >
>>> >
>>> > Help us build a comprehensive ClamAV guide:
>>> > https://github.com/Cisco-Talos/clamav-documentation
>>> >
>>> > https://docs.clamav.net/#mailing-lists-and-chat