On Tue, Sep 01, 2015 at 07:01 PM, aklist wrote:
>
> On 9/1/2015 8:28 PM, Al Varnell wrote:
>> Let me start by saying that I don’t recall an engine update ever flagging
>> fewer files as infected. If anything, they would enable even more signatures
>> to identify more files, so I’m confident that PUA.Script.PDF.EmbeddedJS-1
>> would work exactly the same with today’s engine.
>>
>> But more important is the conclusion that this is a False Positive.
>> Potentially Unwanted Application / Process (PUA/PUP) detections are almost
>> never False Positives (although I did verify one once a few years ago). In
>> this case the signature would appear to have identified a PDF document that
>> contains javascript. That’s all it’s warning you about. If that’s what you
>> expected from this document then ignore it and get on with your work. If
>> you are surprised by such a thing, then perhaps you should take another look
>> at it to see what it does and if it could be malicious.
>>
>> Of course, chances are extremely high that even a malicious javascript would
>> be Windows based and no threat to a Mac, but that’s probably beside the
>> point.
>
> Thanks Al for that information. The machine that detected it is a mailserver,
> and the final recipient would have been a Windows machine.

I should have guessed that as I knew you wouldn’t have an older version of the engine unless you were running Snow Leopard server.

> The only references to it being a false positive are several years old, and
> since this version of ClamAV is from a similar "vintage" I wanted to make
> sure that the signature hadn't been deemed "not a threat" in later versions
> of ClamAV.

No, the signature database is maintained independently of the engine, so any whitelisting would have been to the database which is common to all supported engines.

-Al-

> On Tue, Sep 01, 2015 at 03:37 PM, aklist wrote:
>>>
>>> Hi All: A PDF attachment to an email was scanned by clamAV and found to
>>> have the following virus: PUA.Script.PDF.EmbeddedJS-1
>>>
>>> I googled around on this and found some reports that it's a false positive.
>>> I'm still running 0.96.1 on MacOS 10.6.8, and I realize that it is out of
>>> date, but I was curious if later versions of clamAV would also flag this
>>> virus?
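
As an added example (not part of the original thread, and not ClamAV's own signature logic): a minimal Python triage for a PDF flagged this way, counting script-related name keys after decoding `#xx` name escapes. The key list, function names and sample bytes are constructed for illustration; keys held inside compressed object streams are not visible to this raw scan.

```python
import re
from collections import Counter

# Name keys worth a second look when a scanner reports script in a PDF.
KEYS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")  # "/" plus regular characters
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")     # #xx escape inside a name

# Constructed sample: a catalog whose /OpenAction points at a JavaScript
# action, with the /JavaScript name partly hex-escaped.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed sample'\\);) >> endobj\n"
    b"%%EOF\n"
)


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> Counter:
    """Count occurrences of the keys of interest in raw (uncompressed) bytes."""
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in KEYS:
            hits[name] += 1
    return hits


def summarize(data: bytes) -> dict:
    """Report whether script is present and whether it can run on open."""
    hits = triage_pdf(data)
    return {
        "script": bool(hits["/JS"] or hits["/JavaScript"]),
        "auto_trigger": bool(hits["/OpenAction"] or hits["/AA"]),
        "hits": dict(hits),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A document with `script` true and `auto_trigger` false carries JavaScript that needs some other trigger, such as a form field or button, which is often what an expected interactive form looks like.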