Re: [clamav-users] PUA detected. False Positive?

Al Varnell via clamav-users Sat, 16 Jul 2022 16:18:19 -0700

I see you figured it out, but just to close this out...

As long as there is another entry on the next line, the a CR is OK. In your 
case ClamAV was looking for a second entry and not finding one it assumed 
malformation.


Sent from my iPad

-Al-
-- 
ClamXAV User

On Jul 16, 2022, at 12:32, joe a <joea-li...@j4computers.com> wrote:
> Does that include CR at the end of a line?   Docs suggest multiple ignores 
> in one file, each on it's own line.   Did I misread? (not the first time)
> 
> joe a
> 
>> On 7/16/2022 12:18 AM, Al Varnell via clamav-users wrote:
>> Yes, just make sure you don't have embedded spaces, carriage returns or 
>> other invisible characters.
>> -Al-
>> -- 
>> ClamXAV User
>>>> On Jul 15, 2022, at 8:43 PM, joe a <joea-li...@j4computers.com 
>>>> <mailto:joea-li...@j4computers.com>> wrote:
>>> 
>>> That error was corrected, but now the error is "Malformed Database".
>>> 
>>> Is it not a simple text string on a single line?
>>> 
>>> joe a.
>>> 
>>> On 7/15/2022 6:29 PM, joe a wrote:
>>>> My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and 
>>>> get this error:
>>>> "LibClamAV Error: cli_loadign: No signature name provided"
>>>> Is the signature name not "PUA.Win.Trojan.Xored-1"
>>>> joe a.
>>>> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>>>>> To turn it off entirely, you would create a file ending in .ign2 and put 
>>>>> the signature name in that file.
>>>>> 
>>>>> I'm not sure there is a good way to do it only for that particular 
>>>>> sender, unless you have a way to send those messages to a differently 
>>>>> configured ClamAV setup. I don't do a lot of email scanning, so I'm not 
>>>>> sure what the limitations are there.
>>>>> 
>>>>> --Maarten
>>>>> 
>>>>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-li...@j4computers.com 
>>>>> <mailto:joea-li...@j4computers.com> <mailto:joea-li...@j4computers.com 
>>>>> <mailto:joea-li...@j4computers.com>>> wrote:
>>>>> 
>>>>>     Thank you.  I believe I understand.
>>>>> 
>>>>>     I was actually looking for a way to turn off checking for this
>>>>>     particular "PUA", hopefully just for this sender, while keeping PUA
>>>>>     checks still enabled for other cases.
>>>>> 
>>>>>     In the past I've not had great success searching entirely on my own.
>>>>> 
>>>>>     joe a.
>>>>> 
>>>>>     On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
>>>>>      > A "PUA" is a "potentially unwanted application", not necessarily
>>>>>      > malicious. You can disable PUA checks by ensuring that your clamd
>>>>>      > configuration has "DetectPUA" set to no.
>>>>>      >
>>>>>      > For reference, the signature is looking for bitwise math on
>>>>>     CharCodeAt()
>>>>>      > operations in HTML files.
>>>>>      >
>>>>>      > VIRUS NAME: PUA.Win.Trojan.Xored-1
>>>>>      > TARGET TYPE: HTML
>>>>>      > OFFSET: *
>>>>>      > DECODED SIGNATURE:
>>>>>      > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>>>>>      >
>>>>>      >
>>>>>      > I created a bogus test file that matches the signature and, with
>>>>>     default
>>>>>      > configuration settings, it is not detected. But when I force PUA
>>>>>      > detection to be on, it is detected.
>>>>>      >
>>>>>      > lothlorien:~$ clamscan test.html
>>>>>      > Loading:     6s, ETA:   0s [========================>]       
>>>>> 8.62M/8.62M sigs
>>>>>      > Compiling:   2s, ETA:   0s [========================>]     41/41 
>>>>> tasks
>>>>>      >
>>>>>      > ~/test.html: OK
>>>>>      >
>>>>>      > ----------- SCAN SUMMARY -----------
>>>>>      > Known viruses: 8622174
>>>>>      > Engine version: 0.105.0
>>>>>      > Scanned directories: 0
>>>>>      > Scanned files: 1
>>>>>      > Infected files: 0
>>>>>      > Data scanned: 0.00 MB
>>>>>      > Data read: 0.00 MB (ratio 0.00:1)
>>>>>      > Time: 9.865 sec (0 m 9 s)
>>>>>      > Start Date: 2022:07:15 16:31:01
>>>>>      > End Date:   2022:07:15 16:31:11
>>>>>      >
>>>>>      > lothlorien:~$ clamscan --detect-pua=yes test.html
>>>>>      > Loading:     6s, ETA:   0s [========================>]       
>>>>> 8.64M/8.64M sigs
>>>>>      > Compiling:   2s, ETA:   0s [========================>]     41/41 
>>>>> tasks
>>>>>      >
>>>>>      > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>>>>>      >
>>>>>      > ----------- SCAN SUMMARY -----------
>>>>>      > Known viruses: 8637594
>>>>>      > Engine version: 0.105.0
>>>>>      > Scanned directories: 0
>>>>>      > Scanned files: 1
>>>>>      > Infected files: 1
>>>>>      > Data scanned: 0.00 MB
>>>>>      > Data read: 0.00 MB (ratio 0.00:1)
>>>>>      > Time: 9.614 sec (0 m 9 s)
>>>>>      > Start Date: 2022:07:15 16:31:17
>>>>>      > End Date:   2022:07:15 16:31:26
>>>>>      >
>>>>>      > --Maarten
>>>>>      >
>>>>>      > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-li...@j4computers.com 
>>>>> <mailto:joea-li...@j4computers.com>
>>>>>     <mailto:joea-li...@j4computers.com 
>>>>> <mailto:joea-li...@j4computers.com>>
>>>>>      > <mailto:joea-li...@j4computers.com 
>>>>> <mailto:joea-li...@j4computers.com>
>>>>>     <mailto:joea-li...@j4computers.com 
>>>>> <mailto:joea-li...@j4computers.com>>>> wrote:
>>>>>      >
>>>>>      >     Clamav is finding this:
>>>>>      >
>>>>>      >     "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails
>>>>>     from a
>>>>>      >     source I trust (well, it is a professional organization 
>>>>> anyway).
>>>>>      >
>>>>>      >     Is there any way to tell clamav not to run the check for this
>>>>>      >     particular
>>>>>      >     client and this particular "trojan"? Just not check for it at
>>>>>     all?
>>>>>      >
>>>>>      >     Or should I submit it as a "False positive" and hope it goes
>>>>>     away?
>>>>>      >
>>>>>      >
>>>>>      >     _______________________________________________
>>>>>      >
>>>>>      >     clamav-users mailing list
>>>>>      > clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net>
>>>>>     <mailto:clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net>>
>>>>>     <mailto:clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net>
>>>>>     <mailto:clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net>>>
>>>>>      > https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>
>>>>>     <https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>>
>>>>>      >     <https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>
>>>>>     <https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>>>
>>>>>      >
>>>>>      >
>>>>>      >     Help us build a comprehensive ClamAV guide:
>>>>>      > https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>
>>>>>     <https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>>
>>>>>      >     <https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>
>>>>>     <https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>>>
>>>>>      >
>>>>>      > https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>
>>>>>     <https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>>
>>>>>      >     <https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>
>>>>>     <https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>>>
>>>>>      >
>>>>>      >
>>>>>      > _______________________________________________
>>>>>      >
>>>>>      > clamav-users mailing list
>>>>>      > clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net> 
>>>>> <mailto:clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net>>
>>>>>      > https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>
>>>>>     <https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>>
>>>>>      >
>>>>>      >
>>>>>      > Help us build a comprehensive ClamAV guide:
>>>>>      > https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>
>>>>>     <https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>>
>>>>>      >
>>>>>      > https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>
>>>>>     <https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>>
>>>>>     _______________________________________________
>>>>> 
>>>>>     clamav-users mailing list
>>>>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> 
>>>>> <mailto:clamav-users@lists.clamav.net 
>>>>> <mailto:clamav-users@lists.clamav.net>>
>>>>> https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>
>>>>>     <https://lists.clamav.net/mailman/listinfo/clamav-users 
>>>>> <https://lists.clamav.net/mailman/listinfo/clamav-users>>
>>>>> 
>>>>> 
>>>>>     Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>
>>>>>     <https://github.com/Cisco-Talos/clamav-documentation 
>>>>> <https://github.com/Cisco-Talos/clamav-documentation>>
>>>>> 
>>>>> https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>
>>>>>     <https://docs.clamav.net/#mailing-lists-and-chat 
>>>>> <https://docs.clamav.net/#mailing-lists-and-chat>>
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> 
>>>>> clamav-users mailing list
>>>>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>>>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>>> 
>>>>> 
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/Cisco-Talos/clamav-documentation
>>>>> 
>>>>> https://docs.clamav.net/#mailing-lists-and-chat
>>>> _______________________________________________
>>>> clamav-users mailing list
>>>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/Cisco-Talos/clamav-documentation
>>>> https://docs.clamav.net/#mailing-lists-and-chat
>>> _______________________________________________
>>> 
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>> 
>>> 
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/Cisco-Talos/clamav-documentation
>>> 
>>> https://docs.clamav.net/#mailing-lists-and-chat
>> Powered by 
>> *Mailbutler<https://www.mailbutler.io/?utm_source=watermark&utm_medium=email&utm_campaign=watermark-variant-primary>*-
>>  still your inbox, but smarter.
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/Cisco-Talos/clamav-documentation
>> https://docs.clamav.net/#mailing-lists-and-chat
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
> 
> https://docs.clamav.net/#mailing-lists-and-chat
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Re: [clamav-users] PUA detected. False Positive?

Reply via email to