Hello,

On Tuesday 25 March 2008 03:28, Dennis Peterson wrote:
> DetectPUA is an abbreviation for "Detect Possibly Unwanted
> Applications". This is a method of detection that does not use
> patterns, but rather analyzes the scanned data and makes some
> decisions about its nature. This is not unlike trying to predict the
> weather based on previous weather samples and it may or may not work.
> I consider it a work in progress but not something that is ready to
> use on the corporate mail system.

Just a note about the DetectPUA setting:

PUAs are detected based on patterns. You can find the patterns by running:

    grep PUA daily.ndu
    grep PUA daily.mdu

This is not a work in progress. It is not "may or may not work". This is
very reliable detection of possibly unwanted software, based on the same
technologies as malware detection. It can be used in a production
environment.

Here is a short list of PUAs:

    - EXE packers
    - Remote admin tools/VNC
    - Hacking tools
    - Network tools
    - Keyloggers/Monitoring
    - Password recovery tools
    - etc...

All the software detected as PUAs can be used in a regular way or in a
hacking way. It is up to you to decide whether PUAs are OK to use on your
computer network.

For example: if you are a system admin or a network admin, you probably
need to use software such as a network sniffer, password recovery or
remote admin tools. In that case, ClamAV should *not* detect these tools
as possibly unwanted. PUA should be disabled.

But in the case of web hosting servers, it could be interesting to detect
whether a hacker drops a network sniffer or IRC server on the disk of your
webserver. In that case PUA should be enabled.

The PUA setting should suit the computer security policy of your company.

-- 
Best regards,
Arnaud Jacques
Security Consultant
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
http://www.securiteinfo.fr
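
Added example, not part of the original message: the grep above only lists the PUA patterns, so this sketch groups them by category (the second dot-separated part of the signature name) to help decide which kinds of tools a site policy should flag. The function names and the sample signature lines are constructed for illustration; real input would be the unpacked daily.ndu or daily.mdu file.

```shell
#!/bin/sh
# Tally PUA signature categories in an unpacked ClamAV signature file.
# Pattern files (.ndb/.ndu) carry the signature name in field 1,
# hash files (.mdb/.mdu) carry it in field 3, so every field is checked.

pua_categories() {
    # $1 = signature file; prints "<category> <count>", sorted by category
    awk -F: '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PUA\./) {
                    split($i, part, "[.]")   # PUA.<category>.<name>
                    count[part[2]]++
                    break
                }
            }
        }
        END { for (c in count) print c, count[c] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample lines (names and hex bodies are placeholders, not
# real ClamAV signatures): four pattern-style lines, one hash-style line.
make_sample() {
    cat > "$1" <<'EOF'
PUA.Packed.ExamplePacker-1:1:*:deadbeef
PUA.Packed.ExamplePacker-2:1:*:cafebabe
PUA.NetTool.ExampleSniffer:0:*:0badf00d
Trojan.Example-1:1:*:feedface
4096:00000000000000000000000000000000:PUA.PWTool.ExampleRecover
EOF
}

sample=$(mktemp)
make_sample "$sample"
pua_categories "$sample"
rm -f "$sample"
```

The category names printed here are the values that the IncludePUA and ExcludePUA options in clamd.conf take, which allows a policy that flags packers on a web host while leaving network tools alone on an administrator's machine.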