Toshiyuki,

Thank you for your interest and use of ClamAV.

The official ClamAV signature naming convention is
(PUA.)Platform.Category.Name-ID-Revision

Thus, "Packed" is a documented category and listed on the website you
linked.

Doc.Packed means the rule is intended to alert on Document files that use
some kind of runtime packer.

Other uses of the Packed category in the official signatures:
  14704 Win.Packed.
    154 Andr.Packed.
     53 Html.Packed.
     26 Txt.Packed.
     13 Email.Packed.
      7 Doc.Packed.
      3 Unix.Packed.
      2 Img.Packed.
      2 BC.Win.Packed.
      1 Swf.Packed.

That rule, PUA.Doc.Packed.EncryptedDoc-6563700-0, was created in response
to Encrypted Documents being emailed with passwords in the body.
A workaround, if you don't want to use the ExcludePUA that you mention, if
you or your customers need to email encrypted documents, would be to place
the file in a password-protected zip file before emailing.

On Wed, Jan 13, 2021 at 7:52 PM 本多 俊之 <t_ho...@dreamarts.co.jp> wrote:

> Hi there,
>
> I got an error due to clamav scanning when sending an Excel document where
> a password is set.
> The error was as follows:
> "wWDZCZvPwM-1.dat: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND"
>
> I added the following line to clamd.conf to avoid the error, but it didn't
> work.
> "ExcludePUA Packed"
>
> So I changed the category to "Doc.Packed" and the error no longer occurs.
> "ExcludePUA Doc.Packed"
>
> I cannot find "Doc.Packed" in the official PUA categories:
> https://www.clamav.net/documents/potentially-unwanted-applications-pua
>
> Could you please let me know what is "Doc.Packed" category and whether it
> is available?
>
> Best regards,
> Toshiyuki Honda
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 

Matthew Molyett
Malware Researcher

mmoly...@cisco.com

Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
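
Added example (not part of the original message and not ClamAV's own code): a parser for the `(PUA.)Platform.Category.Name-ID-Revision` convention that derives the `ExcludePUA` value for each PUA hit in scanner output. It assumes, from what the thread reports (`ExcludePUA Packed` had no effect, `ExcludePUA Doc.Packed` did), that the value is everything between `PUA.` and the final `Name-ID-Revision` component; the function names and the second and third sample lines are constructed.

```python
import re

# Last dotted component under the convention quoted above: Name-ID-Revision.
TAIL_RE = re.compile(r"^(?P<name>.+)-(?P<id>\d+)-(?P<revision>\d+)$")
# Scanner result line of the form shown in the thread: "<file>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND$")

# First line is the alert quoted in the thread; the other two are constructed.
SAMPLE_SCAN_OUTPUT = [
    "wWDZCZvPwM-1.dat: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND",
    "setup.exe: Win.Packed.Example-1234567-0 FOUND",
    "notes.txt: OK",
]


def parse_signature(sig):
    """Split (PUA.)Platform.Category.Name-ID-Revision into fields, else None."""
    is_pua = sig.startswith("PUA.")
    body = sig[4:] if is_pua else sig
    prefix, _, tail = body.rpartition(".")          # "Doc.Packed" + "EncryptedDoc-6563700-0"
    platform, _, category = prefix.rpartition(".")  # also handles "BC.Win.Packed"
    m = TAIL_RE.match(tail)
    if not (m and platform and category):
        return None
    return {"pua": is_pua, "platform": platform, "category": category,
            # ExcludePUA only concerns PUA.-prefixed names, so others get None.
            "exclude_value": prefix if is_pua else None, **m.groupdict()}


def is_excluded(sig, exclude_values):
    """True if a PUA signature's Platform.Category is in the ExcludePUA values."""
    parsed = parse_signature(sig)
    return bool(parsed and parsed["pua"] and parsed["exclude_value"] in exclude_values)


def suggest_excludes(scan_lines):
    """Collect the ExcludePUA values covering the PUA hits in scanner output."""
    values = set()
    for line in scan_lines:
        m = FOUND_RE.match(line.strip())
        parsed = parse_signature(m.group("sig")) if m else None
        if parsed and parsed["pua"]:
            values.add(parsed["exclude_value"])
    return sorted(values)


if __name__ == "__main__":
    for value in suggest_excludes(SAMPLE_SCAN_OUTPUT):
        print(f"ExcludePUA {value}")
```
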