Re: [clamav-users] PUA and file descriptions

2015-05-28 Thread Al Varnell
ClamAV does not produce any such explanations. There is no requirement that the 
same name be used for a given malware sample by all A-V scanners, so there is 
no guarantee that the description you found at Symantec will match the infected 
file you found.  If the sample ClamAV received already has a name associated 
with it and it does not conflict with a name already in the database, then it 
can be the same.  

About the best you can do is submit the file you found to VirusTotal to see 
what it’s being called by other A-V scanners and look that name up.  It might 
be the same, but more often than not it will not be.

I can’t respond to your question about hacktool.crack.someprogram as I’ve never 
run across one.  PUA is normally labeled as such, but does not always seem to 
be.

-Al-

On Thu, May 28, 2015 at 06:56AM, Steven Pine wrote:
 
 Hi,
 
 In a mostly OS X environment running gruntworks on client machines, clamav 
 scans are finding things like ‘hacktool.crack.someprogram’. Would this be 
 considered a PUA by the clamav team or is it just a naming convention for 
 something more malicious? More generally is there anywhere I could search the 
 tagged names and get a one line description of what clamav found. For example 
 another scan found ‘W97M.Thus.A’ and a quick google search gives a symantec 
 writeup: “W97M.Thus.A is a simple macro virus that infects Word 97 documents. 
 It has a payload that triggers on December 13th which will try to delete all 
 files and subdirectories from the root of the C: drive. This virus will also 
 disable the macro virus protection in Word 97.”
 
 Does clamav maintain anything similar?
 
 Thanks for any help, and thanks for the great tool!
 
 Steven
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
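A small triage script for clamscan output, added here as an illustration and not part of this thread or of ClamAV itself: it pulls the signature names out of a report, buckets them by whether they carry the explicit PUA. label (treating categories such as hacktool as unwanted-rather-than-malicious is an assumption for local triage, not ClamAV's own scheme), and hashes a sample so it can be looked up on VirusTotal before deciding whether to upload it. The report text and the PUA.Example.Tool-1 signature are constructed.

```python
import hashlib
import re
from collections import Counter

# clamscan reports one "<path>: <signature> FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Categories treated as unwanted-rather-than-malicious when the name lacks the
# explicit PUA. label. An assumption for local triage, not ClamAV's own scheme.
PUA_LIKE_PREFIXES = {"hacktool", "riskware", "adware"}

def classify(sig):
    """Assign a triage bucket from the ClamAV signature name alone."""
    if sig.startswith("PUA."):
        return "pua"            # explicitly labelled potentially unwanted
    if sig.split(".", 1)[0].lower() in PUA_LIKE_PREFIXES:
        return "pua-like"       # not labelled PUA, but the category suggests it
    return "malware"            # everything else: treat as a real detection

def parse_clamscan(report):
    """Return one dict per FOUND line: path, signature and triage bucket."""
    hits = []
    for line in report.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append({"path": m.group("path"), "sig": m.group("sig"),
                         "bucket": classify(m.group("sig"))})
    return hits

def summarize(hits):
    """Count detections per bucket, e.g. {'pua-like': 1, 'malware': 1}."""
    return dict(Counter(h["bucket"] for h in hits))

def sha256_hex(data):
    """SHA-256 of a sample's bytes, for a VirusTotal hash lookup before upload."""
    return hashlib.sha256(data).hexdigest()

# Constructed clamscan output; PUA.Example.Tool-1 is a placeholder signature.
SAMPLE_REPORT = """\
/Users/demo/Downloads/keygen: hacktool.crack.someprogram FOUND
/Users/demo/Documents/budget.doc: W97M.Thus.A FOUND
/Users/demo/Downloads/toolbar.pkg: PUA.Example.Tool-1 FOUND
/Users/demo/Documents/notes.txt: OK
"""

if __name__ == "__main__":
    for hit in parse_clamscan(SAMPLE_REPORT):
        print(f"{hit['bucket']:9} {hit['sig']:28} {hit['path']}")
    print(summarize(parse_clamscan(SAMPLE_REPORT)))
```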


[clamav-users] PUA and file descriptions

2015-05-28 Thread Steven Pine
Hi,

In a mostly OS X environment running gruntworks on client machines, clamav 
scans are finding things like ‘hacktool.crack.someprogram’. Would this be 
considered a PUA by the clamav team or is it just a naming convention for 
something more malicious? More generally is there anywhere I could search the 
tagged names and get a one line description of what clamav found. For example 
another scan found ‘W97M.Thus.A’ and a quick google search gives a symantec 
writeup: “W97M.Thus.A is a simple macro virus that infects Word 97 documents. 
It has a payload that triggers on December 13th which will try to delete all 
files and subdirectories from the root of the C: drive. This virus will also 
disable the macro virus protection in Word 97.”

Does clamav maintain anything similar?

Thanks for any help, and thanks for the great tool!

Steven