Thank you. I believe I understand.
I was actually looking for a way to turn off checking for this
particular "PUA", hopefully just for this sender, while keeping PUA
checks still enabled for other cases.
In the past I've not had great success searching entirely on my own.
joe a.
On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
> A "PUA" is a "potentially unwanted application", not necessarily
> malicious. You can disable PUA checks by ensuring that your clamd
> configuration has "DetectPUA" set to no.
>
> For reference, the signature is looking for bitwise math on CharCodeAt()
> operations in HTML files.
>
> VIRUS NAME: PUA.Win.Trojan.Xored-1
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>
>
> I created a bogus test file that matches the signature and, with default
> configuration settings, it is not detected. But when I force PUA
> detection to be on, it is detected.
>
> lothlorien:~$ clamscan test.html
> Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs
> Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>
> ~/test.html: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8622174
> Engine version: 0.105.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 9.865 sec (0 m 9 s)
> Start Date: 2022:07:15 16:31:01
> End Date: 2022:07:15 16:31:11
>
> lothlorien:~$ clamscan --detect-pua=yes test.html
> Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs
> Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>
> ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8637594
> Engine version: 0.105.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 9.614 sec (0 m 9 s)
> Start Date: 2022:07:15 16:31:17
> End Date: 2022:07:15 16:31:26
>
> --Maarten
>
> On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists@j4computers.com> wrote:
>
> Clamav is finding this:
>
> "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
> source I trust (well, it is a professional organization anyway).
>
> Is there any way to tell clamav not to run the check for this particular
> client and this particular "trojan"? Just not check for it at all?
>
> Or should I submit it as a "False positive" and hope it goes away?
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
>
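As an added illustration (not from the thread and not ClamAV's own code) of what the decoded signature quoted above is looking for, and of why the two clamscan runs differ: a regex approximation of the signature's wildcard is run over two constructed HTML snippets, once with PUA detection off and once with it on. ClamAV's real HTML normalization is simplified here to lowercasing.

```python
import re

# Signature name and decoded body exactly as quoted in the thread.
SIG_NAME = "PUA.Win.Trojan.Xored-1"
DECODED_SIG = "charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^"


def decoded_sig_to_regex(decoded: str) -> re.Pattern:
    """Translate the decoded signature text into a regular expression.

    Assumption: the only wildcard present is WILDCARD_ANY_STRING(LENGTH<=n),
    which maps to `.{0,n}`; everything else is treated as literal text.
    """
    parts, pos = [], 0
    for m in re.finditer(r"\{WILDCARD_ANY_STRING\(LENGTH<=(\d+)\)\}", decoded):
        parts.append(re.escape(decoded[pos:m.start()]))
        parts.append(".{0,%s}" % m.group(1))
        pos = m.end()
    parts.append(re.escape(decoded[pos:]))
    return re.compile("".join(parts), re.DOTALL)


PATTERN = decoded_sig_to_regex(DECODED_SIG)


def normalize_html(html: str) -> str:
    # ClamAV normalizes HTML before matching; lowercasing alone is enough to
    # show why JavaScript's "charCodeAt" matches the lowercase "charcodeat".
    return html.lower()


def scan(html: str, detect_pua: bool) -> str:
    """Mimic the thread's two clamscan runs: a PUA signature is only
    consulted when PUA detection is enabled (DetectPUA / --detect-pua=yes)."""
    if detect_pua and PATTERN.search(normalize_html(html)):
        return f"{SIG_NAME} FOUND"
    return "OK"


# Constructed samples (not the list poster's test file). The first does
# bitwise math on charCodeAt(), which is what the signature describes.
XOR_LOOP = ('<script>var o="";for(i=0;i<s.length;i++)'
            'o+=String.fromCharCode(s.charCodeAt(i)^0x5a);</script>')
PLAIN_LOOP = '<script>for(i=0;i<s.length;i++)sum+=s.charCodeAt(i)+1;</script>'

if __name__ == "__main__":
    for name, sample in (("xor", XOR_LOOP), ("plain", PLAIN_LOOP)):
        print(name, "default:", scan(sample, False),
              "| --detect-pua=yes:", scan(sample, True))
```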