That is a zip signature looking for double extension files. So, it is interesting that it is alerting on a .txt file, unless that is a zip file in disguise.
You can whitelist the signature by adding a whitelist.ign file to your ClamAV database directory (for me, the path is: /usr/local/share/clamav/). In that file put the signature names that you do not want alerting, one per line.

This signature and the others published in their set look for common double extension tricks like your_document-pdf.exe.

If that is truly a text file or you would like to have me take a look at it to see if the signature should be modified, please submit it as an FP via http://www.clamav.net/fp.

Thanks,
Doug

On Thu, Sep 4, 2014 at 11:23 AM, Mark Price <[email protected]> wrote:

> In the past day we have had clamscan on several servers detect infected
> files due to: PUA.Windows.DoubleExtension-zippwd-3
>
> I've read the clamscan manpage but have not had any luck with getting the
> "--detect-pua" option to work. Example:
>
> # clamscan --detect-pua=no ./sample-msg1.txt
> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 3515268
> Engine version: 0.98
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.05 MB (ratio 0.00:1)
> Time: 9.402 sec (0 m 9 s)
>
>
> In this case, is the infected file being detected by a PUA that I should be
> able to disable with command line option? Or is "PUA" simply part of the
> virus signature name?
>
>
> Thanks,
>
> Mark
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
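The ignore-file step described in the reply above, as an added example that is not part of the original thread or of ClamAV itself: it pulls signature names out of clamscan output and adds each one to an ignore file once, one name per line. The function names and the sample scan output are constructed for illustration; the whitelist.ign file name comes from the reply, and the demo writes to a scratch directory rather than a real database directory.

```shell
#!/bin/sh
# Constructed sample of clamscan output, modeled on the scan quoted in the thread.
SAMPLE_SCAN='./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
./notes: draft.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
./clean.txt: OK
Infected files: 2'

# Print each distinct signature name from "path: NAME FOUND" lines on stdin.
# The greedy match keeps paths that themselves contain ": " from confusing it.
sigs_from_scan() {
    sed -n 's/^.*: \([^ :]\{1,\}\) FOUND$/\1/p' | sort -u
}

# Add one signature name to an ignore file unless it is already listed.
# Rejecting empty names, whitespace and ':' is a conservative assumption here.
add_ignore() {
    ign_file=$1 sig=$2
    case $sig in
        ''|*[[:space:]:]*) echo "refusing signature name: '$sig'" >&2; return 1 ;;
    esac
    touch "$ign_file" || return 1
    # Keep one name per line even if the file lacks a final newline.
    if [ -n "$(tail -c 1 "$ign_file")" ]; then echo >> "$ign_file"; fi
    # -F -x: compare whole lines literally, so dots in names are not wildcards.
    grep -Fxq -e "$sig" "$ign_file" || printf '%s\n' "$sig" >> "$ign_file"
}

# Read clamscan output on stdin and add every reported signature to file $1.
ignore_from_scan() {
    sigs_from_scan | while IFS= read -r sig; do add_ignore "$1" "$sig"; done
}

# Demo against a scratch directory standing in for the database directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SCAN" | ignore_from_scan "$demo_dir/whitelist.ign"
printf '%s\n' "$SAMPLE_SCAN" | ignore_from_scan "$demo_dir/whitelist.ign"  # rerun adds nothing
cat "$demo_dir/whitelist.ign"
rm -rf "$demo_dir"
```

Review the names it extracts before pointing it at a real ignore file, since every listed signature stops alerting on all files, not only the one that triggered it.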
