[clamav-users] PUA detected. False Positive?

joe a joea-lists at j4computers.com
Sat Jul 16 20:02:57 UTC 2022


Apparently resolved by having *only* the signature name on the line.

joe a

On 7/16/2022 3:32 PM, joe a wrote:
> Does that include CR at the end of a line? Docs suggest multiple
> ignores in one file, each on its own line. Did I misread? (not the
> first time)
> 
> joe a
> 
> On 7/16/2022 12:18 AM, Al Varnell via clamav-users wrote:
>> Yes, just make sure you don't have embedded spaces, carriage returns 
>> or other invisible characters.
>>
>> -Al-
>> -- 
>> ClamXAV User
>>
>>> On Jul 15, 2022, at 8:43 PM, joe a <joea-lists at j4computers.com> wrote:
>>>
>>> That error was corrected, but now the error is "Malformed Database".
>>>
>>> Is it not a simple text string on a single line?
>>>
>>> joe a.
>>>
>>> On 7/15/2022 6:29 PM, joe a wrote:
>>>> My ignorance shows. Created file "/my_install_path/ignore_list.ign2" 
>>>> and get this error:
>>>> "LibClamAV Error: cli_loadign: No signature name provided"
>>>> Is the signature name not "PUA.Win.Trojan.Xored-1"
>>>> joe a.
>>>> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>>>>> To turn it off entirely, you would create a file ending in .ign2 
>>>>> and put the signature name in that file.
>>>>>
>>>>> I'm not sure there is a good way to do it only for that particular 
>>>>> sender, unless you have a way to send those messages to a 
>>>>> differently configured ClamAV setup. I don't do a lot of email 
>>>>> scanning, so I'm not sure what the limitations are there.
>>>>>
>>>>> --Maarten
>>>>>
>>>>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists at j4computers.com> wrote:
>>>>>
>>>>>     Thank you.  I believe I understand.
>>>>>
>>>>>     I was actually looking for a way to turn off checking for this
>>>>>     particular "PUA", hopefully just for this sender, while keeping PUA
>>>>>     checks still enabled for other cases.
>>>>>
>>>>>     In the past I've not had great success searching entirely on my own.
>>>>>
>>>>>     joe a.
>>>>>
>>>>>     On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
>>>>>      > A "PUA" is a "potentially unwanted application", not necessarily
>>>>>      > malicious. You can disable PUA checks by ensuring that your clamd
>>>>>      > configuration has "DetectPUA" set to no.
>>>>>      >
>>>>>      > For reference, the signature is looking for bitwise math on
>>>>>      > CharCodeAt() operations in HTML files.
>>>>>      >
>>>>>      > VIRUS NAME: PUA.Win.Trojan.Xored-1
>>>>>      > TARGET TYPE: HTML
>>>>>      > OFFSET: *
>>>>>      > DECODED SIGNATURE:
>>>>>      > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>>>>>      >
>>>>>      >
>>>>>      > I created a bogus test file that matches the signature and, with
>>>>>      > default configuration settings, it is not detected. But when I force
>>>>>      > PUA detection to be on, it is detected.
>>>>>      >
>>>>>      > lothlorien:~$ clamscan test.html
>>>>>      > Loading:     6s, ETA:   0s [========================>] 8.62M/8.62M sigs
>>>>>      > Compiling:   2s, ETA:   0s [========================>] 41/41 tasks
>>>>>      >
>>>>>      > ~/test.html: OK
>>>>>      >
>>>>>      > ----------- SCAN SUMMARY -----------
>>>>>      > Known viruses: 8622174
>>>>>      > Engine version: 0.105.0
>>>>>      > Scanned directories: 0
>>>>>      > Scanned files: 1
>>>>>      > Infected files: 0
>>>>>      > Data scanned: 0.00 MB
>>>>>      > Data read: 0.00 MB (ratio 0.00:1)
>>>>>      > Time: 9.865 sec (0 m 9 s)
>>>>>      > Start Date: 2022:07:15 16:31:01
>>>>>      > End Date:   2022:07:15 16:31:11
>>>>>      >
>>>>>      > lothlorien:~$ clamscan --detect-pua=yes test.html
>>>>>      > Loading:     6s, ETA:   0s [========================>] 8.64M/8.64M sigs
>>>>>      > Compiling:   2s, ETA:   0s [========================>] 41/41 tasks
>>>>>      >
>>>>>      > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>>>>>      >
>>>>>      > ----------- SCAN SUMMARY -----------
>>>>>      > Known viruses: 8637594
>>>>>      > Engine version: 0.105.0
>>>>>      > Scanned directories: 0
>>>>>      > Scanned files: 1
>>>>>      > Infected files: 1
>>>>>      > Data scanned: 0.00 MB
>>>>>      > Data read: 0.00 MB (ratio 0.00:1)
>>>>>      > Time: 9.614 sec (0 m 9 s)
>>>>>      > Start Date: 2022:07:15 16:31:17
>>>>>      > End Date:   2022:07:15 16:31:26
>>>>>      >
>>>>>      > --Maarten
>>>>>      >
>>>>>      > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists at j4computers.com> wrote:
>>>>>      >
>>>>>      >     Clamav is finding this:
>>>>>      >
>>>>>      >     "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails
>>>>>      >     from a source I trust (well, it is a professional organization
>>>>>      >     anyway).
>>>>>      >
>>>>>      >     Is there any way to tell clamav not to run the check for this
>>>>>      >     particular client and this particular "trojan"? Just not check
>>>>>      >     for it at all?
>>>>>      >
>>>>>      >     Or should I submit it as a "False positive" and hope it goes
>>>>>      >     away?
>>>>>      >
>>>>>      >
>>>>>      >     _______________________________________________
>>>>>      >
>>>>>      >     clamav-users mailing list
>>>>>      >     clamav-users at lists.clamav.net
>>>>>      >     https://lists.clamav.net/mailman/listinfo/clamav-users
>>>>>      >
>>>>>      >
>>>>>      >     Help us build a comprehensive ClamAV guide:
>>>>>      >     https://github.com/Cisco-Talos/clamav-documentation
>>>>>      >
>>>>>      >     https://docs.clamav.net/#mailing-lists-and-chat
>>>>>      >
>>>>>      >
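An added example, not code from the thread or from the ClamAV project, that ties together what the thread settles on: a .ign2 whitelist with only the signature name on the line, a check for the trailing spaces and carriage returns Al warns about (the cause of "Malformed Database" when the name itself is right), and the clamscan invocation with PUA detection forced on, as Maarten used it. The scratch directory, the database directory (/var/lib/clamav is a guess; adjust for your install), the treatment of '#' lines as comments in the validator, and the contents of the HTML test file are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): build, validate and
# load a .ign2 signature whitelist for PUA.Win.Trojan.Xored-1.
# Assumptions: $WORK is a scratch directory; $DBDIR is the ClamAV database
# directory (guessed as /var/lib/clamav); the HTML test file is constructed
# here to contain the pattern the decoded signature in the thread describes,
# charcodeat(<up to 5 bytes>)^, and whether it is still flagged depends on
# the database you have installed.

WORK="${WORK:-$(mktemp -d)}"
DBDIR="${DBDIR:-/var/lib/clamav}"
IGN2="$WORK/local.ign2"
CR="$(printf '\r')"

# Write the whitelist with printf so the line ends in a bare LF. An editor
# that saves CRLF, or a trailing space, is exactly what breaks the loader.
write_ign2() {
    printf '%s\n' 'PUA.Win.Trojan.Xored-1' > "$1"
}

# A deliberately broken variant (CRLF line ending) for comparison.
write_bad_ign2() {
    printf '%s\r\n' 'PUA.Win.Trojan.Xored-1' > "$1"
}

# Validate an .ign2 file before handing it to ClamAV. Every line must be a
# bare signature name: no carriage return, no spaces or tabs, not empty.
# Lines beginning with '#' are skipped (assumed here to be comments).
# Returns 0 if clean; otherwise prints the first offending line and returns 1.
check_ign2() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '#'*)          continue ;;
            '')            echo "line $n: empty line"; return 1 ;;
            *"$CR"*)       echo "line $n: carriage return (CRLF line ending?)"; return 1 ;;
            *[[:space:]]*) echo "line $n: embedded whitespace"; return 1 ;;
        esac
    done < "$1"
    return 0
}

# Scan with PUA detection forced on, loading the normal database directory
# plus the whitelist. -d replaces the default database path, so the main
# directory must be given as well or only the whitelist would be loaded.
# Exit status is clamscan's: 0 clean, 1 something found, 2 error.
scan_with_whitelist() {
    clamscan --detect-pua=yes -d "$DBDIR" -d "$IGN2" "$1"
}

# Stand-alone demonstration.
write_ign2 "$IGN2"
check_ign2 "$IGN2" && echo "$IGN2: well-formed"

write_bad_ign2 "$WORK/crlf.ign2"
check_ign2 "$WORK/crlf.ign2" || echo "$WORK/crlf.ign2: rejected, as expected"

# Constructed test file: "charCodeAt(i)^" satisfies the decoded signature
# charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^ quoted in the thread.
printf '<html><script>var c = s.charCodeAt(i)^0x5a;</script></html>\n' > "$WORK/test.html"

if command -v clamscan >/dev/null 2>&1; then
    scan_with_whitelist "$WORK/test.html"
else
    echo "clamscan not installed; skipping scan of $WORK/test.html"
fi
```

For clamd, which is what stamps the X-Virus-Status header through the mail filter, the -d switch does not apply: copy the validated file into clamd's DatabaseDirectory and reload the databases (clamdscan --reload, or restart clamd), then confirm with clamscan that the sample is reported OK with --detect-pua=yes and the whitelist loaded. Whitelisting the signature silences it for every sender; the thread offers no per-sender mechanism short of routing that sender's mail to a separately configured ClamAV.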

