Thank you.  I believe I understand.

I was actually looking for a way to turn off checking for this particular "PUA", hopefully just for this sender, while keeping PUA checks still enabled for other cases.

In the past I've not had great success searching entirely on my own.

joe a.

On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
A "PUA" is a "potentially unwanted application", not necessarily malicious. You can disable PUA checks by ensuring that your clamd configuration has "DetectPUA" set to no.

For reference, the signature is looking for bitwise math on CharCodeAt() operations in HTML files.

VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^


I created a bogus test file that matches the signature and, with default configuration settings, it is not detected. But when I force PUA detection to be on, it is detected.

lothlorien:~$ clamscan test.html
Loading:     6s, ETA:   0s [========================>]    8.62M/8.62M sigs
Compiling:   2s, ETA:   0s [========================>]       41/41 tasks

~/test.html: OK

----------- SCAN SUMMARY -----------
Known viruses: 8622174
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.865 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:01
End Date:   2022:07:15 16:31:11

lothlorien:~$ clamscan --detect-pua=yes test.html
Loading:     6s, ETA:   0s [========================>]    8.64M/8.64M sigs
Compiling:   2s, ETA:   0s [========================>]       41/41 tasks

~/test.html: PUA.Win.Trojan.Xored-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8637594
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.614 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:17
End Date:   2022:07:15 16:31:26

--Maarten

On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-li...@j4computers.com> wrote:

    Clamav is finding this:

    "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
    source I trust (well, it is a professional organization anyway).

    Is there any way to tell clamav not to run the check for this
    particular client and this particular "trojan"? Just not check for it at all?

    Or should I submit it as a "False positive" and hope it goes away?


    _______________________________________________

    clamav-users mailing list
    clamav-users@lists.clamav.net
    https://lists.clamav.net/mailman/listinfo/clamav-users


    Help us build a comprehensive ClamAV guide:
    https://github.com/Cisco-Talos/clamav-documentation

    https://docs.clamav.net/#mailing-lists-and-chat

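To see why ordinary mail can trip this rule, here is an added example (not code from this thread or from ClamAV) that models the decoded signature Maarten quoted and reports which line of a constructed HTML sample fires it; the lowercase-only normalisation and both sample documents are assumptions, not ClamAV's real normaliser or real messages.

```python
import re

# Simplified model of the decoded signature quoted above:
#   charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
# i.e. the literal "charcodeat(", at most five arbitrary bytes, then ")^".
# ClamAV matches HTML targets after normalisation; this model assumes only
# lowercasing (an assumption, not ClamAV's actual normaliser).
SIGNATURE_NAME = "PUA.Win.Trojan.Xored-1"
XORED_PATTERN = re.compile(r"charcodeat\(.{0,5}\)\^", re.DOTALL)


def normalise_html(data: bytes) -> str:
    """Approximate the HTML normalisation: decode loosely and lowercase."""
    return data.decode("latin-1").lower()


def find_xored_hits(data: bytes) -> list:
    """Return (line_number, matched_text) for every place the model fires,
    so a reviewer can see exactly which statement triggered the signature."""
    hits = []
    text = normalise_html(data)
    for m in XORED_PATTERN.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)))
    return hits


def would_flag(data: bytes, detect_pua: bool) -> str:
    """Mimic the two clamscan runs: a PUA signature only fires when enabled."""
    if detect_pua and find_xored_hits(data):
        return SIGNATURE_NAME + " FOUND"
    return "OK"


# Constructed sample (not a real message): a newsletter page whose script
# de-obfuscates a string by XORing each character code. Harmless, but it
# contains exactly the bytes the signature looks for.
SAMPLE_HTML = b"""<html><script>
function deobf(s, k) { var o = '';
  for (var i = 0; i < s.length; i++) o += String.fromCharCode(s.charCodeAt(i)^k);
  return o; }
</script><body>Member newsletter</body></html>"""

# Constructed control: charCodeAt used in an ordinary comparison, no XOR.
CLEAN_HTML = b"<html><script>if (t.charCodeAt(0) == 65) go();</script></html>"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(name, would_flag(doc, detect_pua=True), find_xored_hits(doc))
```

To silence this one signature rather than all PUA detection, ClamAV's signature-ignore file (a `.ign2` file in the database directory, one signature name per line) is the mechanism. It cannot be scoped to a single sender; that decision belongs in the mail filter that calls ClamAV, after checking which line actually fired.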
