Thank you for catching that. PUA is not supported for this signature type; I will drop the signature and rename it to avoid the confusion of the incorrect PUA label. You'll need to whitelist the new name when that appears in the next day or so.

Sorry for the inconvenience,
Doug

On Thu, Sep 4, 2014 at 11:45 AM, Douglas Goddard <[email protected]> wrote:

> I'm looking into the PUA issue and will follow up about that.
>
>
> On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard <[email protected]>
> wrote:
>
>> That is a zip signature looking for double extension files. So, it is
>> interesting that it is alerting on a .txt file, unless that is a zip file
>> in disguise.
>>
>> You can whitelist the signature by adding a whitelist.ign file to your
>> ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
>> In that file put the signature names that you do not want alerting, one per
>> line.
>>
>> This signature and the others published in their set look for common
>> double extension tricks like your_document-pdf.exe.
>>
>> If that is truly a text file or you would like to have me take a look at
>> it to see if the signature should be modified please submit it as an FP via
>> http://www.clamav.net/fp.
>>
>> Thanks,
>> Doug
>>
>>
>> On Thu, Sep 4, 2014 at 11:23 AM, Mark Price <[email protected]> wrote:
>>
>>> In the past day we have had clamscan on several servers detect infected
>>> files due to: PUA.Windows.DoubleExtension-zippwd-3
>>>
>>> I've read the clamscan manpage but have not had any luck with getting the
>>> "--detect-pua" option to work. Example:
>>>
>>> # clamscan --detect-pua=no ./sample-msg1.txt
>>> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 3515268
>>> Engine version: 0.98
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 1
>>> Data scanned: 0.00 MB
>>> Data read: 0.05 MB (ratio 0.00:1)
>>> Time: 9.402 sec (0 m 9 s)
>>>
>>>
>>> In this case, is the infected file being detected by a PUA that I should be
>>> able to disable with command line option? Or is "PUA" simply part of the
>>> virus signature name?
>>>
>>>
>>> Thanks,
>>>
>>> Mark
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>>
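
The "zip file in disguise" and double-extension checks discussed in the thread, as an added Python example that is not part of the original messages and is not ClamAV's signature logic. The extension lists, the regular expression and the function names `triage` and `make_sample_zip` are assumptions made for illustration, and the sample inputs are constructed.

```python
import io
import re
import zipfile

# Assumed extension lists for illustration; the thread does not show the
# signature's actual contents.
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "jpg", "txt")
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat")

# Matches names such as invoice.pdf.exe or your_document-pdf.exe.
DOUBLE_EXT = re.compile(
    r"[.\-_](?:%s)\.(?:%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def triage(data: bytes):
    """Return (is_zip, findings); findings are (entry_name, encrypted) tuples."""
    buf = io.BytesIO(data)
    # is_zipfile() looks for the end-of-central-directory record, so the
    # file's own name or extension (.txt here) does not matter.
    if not zipfile.is_zipfile(buf):
        return False, []
    findings = []
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if DOUBLE_EXT.search(info.filename):
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                findings.append((info.filename, bool(info.flag_bits & 0x1)))
    return True, findings


def make_sample_zip(names):
    """Build a constructed, harmless zip in memory with the given entry names."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return out.getvalue()


if __name__ == "__main__":
    disguised = make_sample_zip(["your_document-pdf.exe", "notes.txt"])
    plain = b"From: sender@example.test\nSubject: constructed sample\n\nJust text.\n"
    for label, blob in (("disguised.txt", disguised), ("plain.txt", plain)):
        print(label, triage(blob))
```

A saved mail message that carries the archive as a base64 attachment would need MIME decoding before this check, which the example does not do.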
