I think the PUA versions are just potentially unwanted things that exhibit
trojan-like behavior but aren't confirmed trojans.
As for the original question, it looks like it's only using the first part
of that to determine the group of PUAs to ignore.
These are the 'PUA' families (and associated signature counts).
82 Andr
181 Cert
4 Doc
2 Email
1 Embedded
34 Html
3 Java
2 Js
1 Osx
1 Packed
6 Pdf
1 Php
1 Rtf
1 Spy
1 Swf
1 Tool
542 Unix
5832 Win
Running clamscan --detect-pua=yes --exclude-pua=Pdf does indeed exclude the
6 PUA signatures for PUA.Pdf.*
Barring the addition of functionality to allow you to specify sub-categories
on the command line, your best option would be to create a .ign2 file with
a list of all the packer signatures you want to ignore.
A command-line along the lines of this would generate it for you:
# sigtool --find-sigs PUA.Win.Packer |
    awk '/ PUA/ { print $NF } /:PUA/ { print $NF }' |
    awk -F: '$1 ~ /PUA/ { print $1 } $NF ~ /PUA/ { print $NF }' |
    awk -F\; '{ print $1 }' ><dbdir>/ignorelist.ign2
--Maarten
On Thu, May 30, 2019 at 5:36 PM Daniel Quintiliani via clamav-users <
[email protected]> wrote:
> Also, what is the difference between e.g. Win.Trojan and PUA.Win.Trojan?
> Why would a trojan be a PUA?
>
> --
>
> -Dan Q
>
> On Thu, 30 May 2019 17:02:08 -0400 (EDT), Daniel Quintiliani via
> clamav-users <[email protected]> wrote:
>
> > Hi,
> >
> > I'm trying to scan files for PUAs.
> > When you do that, you get a lot of packers show up.
> >
> > But when I type
> >
> > --detect-pua=yes --exclude-pua=Win.Packer
> >
> > it doesn't detect any PUAs at all (including PUA.Win.Malware etc).
> >
> > Am I typing something wrong or is this a bug?
> >
> > Running ClamAV v0.101.2 on Gentoo Linux.
> >
> > Also, I haven't used ClamAV in a while, but do you still auto-reject PUA
> > from the false-positive form?
> >
> > Thank you!
> >
> > --
> >
> > -Dan Q
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > [email protected]
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
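An added example, not part of the original messages or of ClamAV: a Python take on the extraction step from the reply above, which also tallies unique signatures per family (the first name component after "PUA.", which the reply says --exclude-pua appears to key on). The "[db file] record" line layout and every signature name in SAMPLE are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real signatures), in the three layouts the
# awk pipeline above handles; assumed shape: "[db file] <signature record>".
SAMPLE = """\
[daily.ldb] PUA.Win.Packer.Example-1;Engine:51-255,Target:1;0;41414141
[main.ndb] PUA.Win.Packer.Example-2:1:*:4d5a9000
[daily.hsb] 0123456789abcdef0123456789abcdef:1024:PUA.Win.Packer.Example-3
[daily.ldb] PUA.Win.Malware.Example-4;Engine:51-255,Target:1;0;42424242
[main.ndb] PUA.Pdf.Trojan.Example-5:10:*:255044462d
[main.ndb] PUA.Win.Packer.Example-2:1:*:4d5a9000
"""

# A signature name is the PUA.* token delimited by whitespace, ':' or ';'.
_NAME = re.compile(r"(?:^|[\s:;])(PUA\.[^\s:;]+)")


def sig_name(line):
    """Return the PUA signature name found in one line, or None."""
    m = _NAME.search(line)
    return m.group(1) if m else None


def unique_names(lines):
    """Sorted, de-duplicated signature names from all lines."""
    return sorted({n for n in map(sig_name, lines) if n})


def family_counts(lines):
    """Count unique signatures per family (the component after 'PUA.')."""
    return Counter(n.split(".")[1] for n in unique_names(lines))


def ign2_entries(lines, prefix):
    """Names at or below a dotted prefix, one per .ign2 line."""
    return [n for n in unique_names(lines)
            if n == prefix or n.startswith(prefix + ".")]


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print(dict(family_counts(lines)))          # family tally
    print("\n".join(ign2_entries(lines, "PUA.Win.Packer")))  # .ign2 body
```

The names it prints for the chosen prefix are what would go, one per line, into the .ign2 file in the database directory, leaving the other PUA.Win.* signatures active.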