[clamav-users] PUA detected. False Positive?
joe a
joea-lists at j4computers.com
Sat Jul 16 19:32:24 UTC 2022
Does that include CR at the end of a line? Docs suggest multiple
ignores in one file, each on its own line. Did I misread? (not the
first time)
joe a
On 7/16/2022 12:18 AM, Al Varnell via clamav-users wrote:
> Yes, just make sure you don't have embedded spaces, carriage returns or
> other invisible characters.
>
> -Al-
> --
> ClamXAV User
>
>> On Jul 15, 2022, at 8:43 PM, joe a <joea-lists at j4computers.com> wrote:
>>
>> That error was corrected, but now the error is "Malformed Database".
>>
>> Is it not a simple text string on a single line?
>>
>> joe a.
>>
>> On 7/15/2022 6:29 PM, joe a wrote:
>>> My ignorance shows. Created file "/my_install_path/ignore_list.ign2"
>>> and get this error:
>>> "LibClamAV Error: cli_loadign: No signature name provided"
>>> Is the signature name not "PUA.Win.Trojan.Xored-1"
>>> joe a.
>>> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>>>> To turn it off entirely, you would create a file ending in .ign2 and
>>>> put the signature name in that file.
>>>>
>>>> I'm not sure there is a good way to do it only for that particular
>>>> sender, unless you have a way to send those messages to a
>>>> differently configured ClamAV setup. I don't do a lot of email
>>>> scanning, so I'm not sure what the limitations are there.
>>>>
>>>> --Maarten
>>>>
>>>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists at j4computers.com> wrote:
>>>>
>>>> Thank you. I believe I understand.
>>>>
>>>> I was actually looking for a way to turn off checking for this
>>>> particular "PUA", hopefully just for this sender, while keeping PUA
>>>> checks still enabled for other cases.
>>>>
>>>> In the past I've not had great success searching entirely on my own.
>>>>
>>>> joe a.
>>>>
>>>> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
>>>> > A "PUA" is a "potentially unwanted application", not necessarily
>>>> > malicious. You can disable PUA checks by ensuring that your clamd
>>>> > configuration has "DetectPUA" set to no.
>>>> >
>>>> > For reference, the signature is looking for bitwise math on CharCodeAt()
>>>> > operations in HTML files.
>>>> >
>>>> > VIRUS NAME: PUA.Win.Trojan.Xored-1
>>>> > TARGET TYPE: HTML
>>>> > OFFSET: *
>>>> > DECODED SIGNATURE:
>>>> > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>>>> >
>>>> >
>>>> > I created a bogus test file that matches the signature and, with default
>>>> > configuration settings, it is not detected. But when I force PUA
>>>> > detection to be on, it is detected.
>>>> >
>>>> > lothlorien:~$ clamscan test.html
>>>> > Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs
>>>> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>>>> >
>>>> > ~/test.html: OK
>>>> >
>>>> > ----------- SCAN SUMMARY -----------
>>>> > Known viruses: 8622174
>>>> > Engine version: 0.105.0
>>>> > Scanned directories: 0
>>>> > Scanned files: 1
>>>> > Infected files: 0
>>>> > Data scanned: 0.00 MB
>>>> > Data read: 0.00 MB (ratio 0.00:1)
>>>> > Time: 9.865 sec (0 m 9 s)
>>>> > Start Date: 2022:07:15 16:31:01
>>>> > End Date: 2022:07:15 16:31:11
>>>> >
>>>> > lothlorien:~$ clamscan --detect-pua=yes test.html
>>>> > Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs
>>>> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>>>> >
>>>> > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>>>> >
>>>> > ----------- SCAN SUMMARY -----------
>>>> > Known viruses: 8637594
>>>> > Engine version: 0.105.0
>>>> > Scanned directories: 0
>>>> > Scanned files: 1
>>>> > Infected files: 1
>>>> > Data scanned: 0.00 MB
>>>> > Data read: 0.00 MB (ratio 0.00:1)
>>>> > Time: 9.614 sec (0 m 9 s)
>>>> > Start Date: 2022:07:15 16:31:17
>>>> > End Date: 2022:07:15 16:31:26
>>>> >
>>>> > --Maarten
>>>> >
>>>> > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists at j4computers.com> wrote:
>>>> >
>>>> > Clamav is finding this:
>>>> >
>>>> > "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
>>>> > source I trust (well, it is a professional organization anyway).
>>>> >
>>>> > Is there any way to tell clamav not to run the check for this
>>>> > particular client and this particular "trojan"? Just not check for it at all?
>>>> >
>>>> > Or should I submit it as a "False positive" and hope it goes away?
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > clamav-users mailing list
>>>> > clamav-users at lists.clamav.net
>>>> > https://lists.clamav.net/mailman/listinfo/clamav-users
>>>> >
>>>> > Help us build a comprehensive ClamAV guide:
>>>> > https://github.com/Cisco-Talos/clamav-documentation
>>>> > https://docs.clamav.net/#mailing-lists-and-chat
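An added example, not from this thread or from the ClamAV project, that turns the advice above into a small script: it writes a .ign2 ignore file with one signature name per line and no embedded spaces or carriage returns, then checks the file before ClamAV ever sees it. The output file name, the second (hypothetical) signature name and the database path mentioned in the note afterwards are assumptions for illustration.

```shell
# Added example, not from the thread or the ClamAV project: build and check a
# local .ign2 ignore file for the signature discussed above. The file name and
# the second (hypothetical) signature name are assumptions for illustration.

# normalize_ign2: read signature names on stdin and emit clean .ign2 content.
# Rules the thread converged on: one name per line, no embedded spaces, no
# carriage returns or other invisible characters. A CRLF file (edited on
# Windows, or pasted from a mail client) and stray blank or whitespace-only
# lines are the usual reasons a hand-made .ign2 fails to load.
normalize_ign2() {
    tr -d '\r' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$'
}

# check_ign2 FILE: succeed only if every line is a bare, printable signature
# name (no spaces, tabs, CR or empty lines). Offending lines are printed with
# control characters made visible (cat -v shows CR as ^M) so the problem is
# obvious in a terminal, where an invisible character otherwise is not.
check_ign2() {
    bad=$(grep -n -v '^[[:graph:]]\{1,\}$' "$1" || true)
    if [ -n "$bad" ]; then
        echo "malformed line(s) in $1:" >&2
        echo "$bad" | cat -v >&2
        return 1
    fi
    return 0
}

# write_example [FILE]: from constructed input polluted with CRLF and
# surrounding whitespace, write the thread's signature plus a second,
# hypothetical name (to show the one-per-line layout), then validate.
write_example() {
    out="${1:-./local_ignore.ign2}"
    printf 'PUA.Win.Trojan.Xored-1\r\n  Example.Hypothetical.Sig-2 \r\n\r\n' \
        | normalize_ign2 > "$out"
    check_ign2 "$out"
}
```

Copy the resulting file into the directory clamscan/clamd load signatures from (DatabaseDirectory in clamd.conf, or what `clamconf` reports; the default location is assumed here), then rerun `clamscan --detect-pua=yes test.html`: the FOUND line should disappear while every other PUA signature stays active. This silences the signature for every sender, not only the trusted one, which is the limitation Maarten points out; submitting the sample as a false positive remains the durable fix.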