The preferred, documented way to deal with a suspected False Positive here is 
to upload it to <http://www.clamav.net/reports/fp>, although in past years PUA 
submissions were not allowed, so I can’t predict how successful you will be.

ClamAV will always stop scanning after it finds the first infection, so there 
may be something about your quarantine process that is exposing attachments as 
separate files from the e-mail they were originally embedded in.  That’s the 
only explanation I can come up with.

Many, if not most, users find that PUA detections are more trouble than they are 
worth and leave configuration "DetectPUA no", which is the default setting.  If 
you are being overwhelmed by such detections, that may be your best option.

-Al-

On Wed, Jun 29, 2016 at 06:53 AM, Alex wrote:
> 
> Hi,
> 
> It appears lately there are quite a few PUA.Win.Trojan.EmbeddedPDF-1
> false positives. Scanning these messages manually shortly after
> they're quarantined doesn't find the same virus sig. In fact, many
> times it doesn't specifically include a PDF, but instead a docx file.
> 
> I was just wondering if there's something I should know about this
> particular signature?
> 
> Should I be able to scan a quarantined message in its entirety to
> determine if it has a virus? Or do I need to split out the individual
> doc/pdf components before scanning? I've done both, but was just
> curious if it was necessary to save the individual attachments before
> scanning.
> 
> I can't easily send a sample, but I'd appreciate any help you may have to 
> offer.
> 
> Thanks,
> Alex
