A "PUA" is a "potentially unwanted application", not necessarily malicious.
You can disable PUA checks by ensuring that your clamd configuration has
"DetectPUA" set to no.
For reference, the signature is looking for bitwise math on CharCodeAt()
operations in HTML files.
VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
I created a bogus test file that matches the signature and, with default
configuration settings, it is not detected. But when I force PUA detection
to be on, it is detected.
lothlorien:~$ clamscan test.html
Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs
Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
~/test.html: OK
----------- SCAN SUMMARY -----------
Known viruses: 8622174
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.865 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:01
End Date: 2022:07:15 16:31:11
lothlorien:~$ clamscan --detect-pua=yes test.html
Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs
Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
~/test.html: PUA.Win.Trojan.Xored-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8637594
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.614 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:17
End Date: 2022:07:15 16:31:26
--Maarten
On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-li...@j4computers.com> wrote:
> Clamav is finding this:
>
> "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
> source I trust (well, it is a professional organization anyway).
>
> Is there any way to tell clamav not to run the check for this particular
> client and this particular "trojan"? Just not check for it at all?
>
> Or should I submit it as a "False positive" and hope it goes away?
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
