ClamAV does not produce any such explanations. There is no requirement that the 
same name be used for a given malware sample by all A-V scanners, so there is 
no guarantee that the description you found at Symantec will match the infected 
file you found.  If the sample ClamAV received already has a name associated 
with it and it does not conflict with a name already in the database, then it 
can be the same.  

About the best you can do is submit the file you found to VirusTotal to see 
what it’s being called by other A-V scanners and look that name up.  It might 
be the same, but more often than not it will not be.

I can’t respond to your question about hacktool.crack.someprogram as I’ve never 
run across one.  PUA is normally labeled as such, but does not always seem to 
be.

-Al-

On Thu, May 28, 2015 at 06:56AM, Steven Pine wrote:
> 
> Hi,
> 
> In a mostly OS X environment running gruntworks on client machines, clamav 
> scans are finding things like ‘hacktool.crack.someprogram’. Would this be 
> considered a PUA by the clamav team or is it just a naming convention for 
> something more malicious? More generally is there anywhere I could search the 
> tagged names and get a one line description of what clamav found. For example 
> another scan found ‘W97M.Thus.A’ and a quick Google search gives a Symantec 
> writeup: “W97M.Thus.A is a simple macro virus that infects Word 97 documents. 
> It has a payload that triggers on December 13th which will try to delete all 
> files and subdirectories from the root of the C: drive. This virus will also 
> disable the macro virus protection in Word 97.”
> 
> Does clamav maintain anything similar?
> 
> Thanks for any help, and thanks for the great tool!
> 
> Steven
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
