Are you certain, from the header information, that it is actually from CERT, or is that just the "From:" address, which can easily be faked? You can determine a lot by submitting the e-mail's raw source to <https://www.spamcop.net>.
Signature details:
sigtool -fPUA.Win.Trojan.Xored-1 | sigtool --decode-sigs
VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
I can't seem to find when the signature was added, but a Google search shows it
being discussed as far back as April 2016.
If, after examination, you still feel it's a False Positive, submit it (or the
attachment) to <http://www.clamav.net/reports/fp> and return here with a hash
value of whatever you submitted.
PUA stands for "Potentially Unwanted Application", which indicates non-malware
and makes it more difficult to identify as a False Positive. Win makes it
Windows-only.
-Al-
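Two checks follow from the reply above: look at the headers that are harder to forge than "From:", and search the message body for the decoded signature pattern (charcodeat( followed by up to five arbitrary bytes and then ^) to find the string that triggered the hit. The script below is an added example written for this page; it is not code from the list post or from the ClamAV project. It assumes that ClamAV's HTML normaliser lowercases the text it scans (the decoded signature is printed in lowercase, so a lowercased copy of each body part is searched), and the e-mail it runs on is a constructed sample with a short XOR-decoding loop, not the DHS message from the thread.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Regex form of the decoded signature printed above:
#   charcodeat(  {WILDCARD_ANY_STRING(LENGTH<=5)}  ^
# Offset "*" means the pattern may occur anywhere in the normalised part.
# Assumption: ClamAV lowercases HTML before matching, so each part is
# lowercased here before the search.
XORED_1 = re.compile(rb"charcodeat\(.{0,5}\^", re.DOTALL)


def decoded_sig_hits(raw_message: bytes, context: int = 30):
    """Return (part_index, matched_bytes, surrounding_bytes) for each match
    of the decoded pattern in any text/* body part of the message."""
    msg = message_from_bytes(raw_message, policy=default)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments are skipped
        body = part.get_payload(decode=True) or b""  # undoes base64/QP encoding
        normalised = body.lower()
        for m in XORED_1.finditer(normalised):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((idx, m.group(0), normalised[lo:hi]))
    return hits


def sender_summary(raw_message: bytes):
    """Pull out the sender-related headers a forged From: does not control:
    Return-Path, the DKIM signing domain (d=) and the number of Received hops."""
    msg = message_from_bytes(raw_message, policy=default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    dkim = str(msg.get("DKIM-Signature", "") or "")
    d_tag = re.search(r"\bd=([^;\s]+)", dkim)
    dkim_domain = d_tag.group(1).lower() if d_tag else ""
    return {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "dkim_domain": dkim_domain,
        "received_hops": len(msg.get_all("Received", [])),
        "from_matches_return_path": bool(from_domain) and from_domain == return_domain,
        "from_matches_dkim": bool(dkim_domain) and from_domain.endswith(dkim_domain),
    }


# Constructed sample message (not a real DHS/US-CERT mail). The HTML part
# carries a small XOR-decoding loop of the kind the signature is aimed at;
# the From: domain differs from both Return-Path and the DKIM d= tag.
SAMPLE = b"""Return-Path: <bounce@example-mailer.test>
Received: from mx.example-mailer.test (mx.example-mailer.test [192.0.2.10])
        by mail.example.test with ESMTPS; Fri, 20 Oct 2017 20:30:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example-mailer.test; s=sel;
        h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
From: Alerts <alerts@example.gov.test>
To: kristen@example.test
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain-text alternative, nothing to match here.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><script>
var s="...", k=7, o="";
for (var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^k);}
</script></body></html>
--b1--
"""

# Same message with the XOR replaced by an addition: charCodeAt( is still
# present but no "^" follows within five bytes, so the pattern should not fire.
BENIGN = SAMPLE.replace(b"s.charCodeAt(i)^k", b"s.charCodeAt(i)+k")

if __name__ == "__main__":
    for idx, matched, ctx in decoded_sig_hits(SAMPLE):
        print(f"part {idx}: {matched!r} in ...{ctx!r}...")
    print("benign hits:", decoded_sig_hits(BENIGN))
    print(sender_summary(SAMPLE))
```

The matched bytes and their context are what you would paste into the false-positive report, since they identify the exact construct the signature keyed on; the header summary answers the first question in the reply, whether the message really came from where "From:" says it did.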
On Fri, Oct 20, 2017 at 08:30 PM, kristen R wrote:
> List,
>
> I just received an email from ncas.us-cert.gov that was caught by clamd
> reporting the PUA.Win.Trojan.Xored-1 signature. This email is from the US
> Department of Homeland Security.
>
> I suppose this is a case of a false positive. How does one find the
> string triggering this event that I might know and report this as a
> false positive?
>
> Kristen
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
