[clamav-users] PUA

2025-01-18 Thread Diggy via clamav-users
I took a look at the PUA documents page at: https://docs.clamav.net/faq/faq-pua.html I'm guessing it may be a bit outdated. The page has a 2020 reference. It is now 2025. Where can I find an updated list of PUA categories and subcategories? Also, I am using ClamAV 1.0.7 packages provided by

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-23 Thread Shawn Iverson via clamav-users
er 23, 2022 9:29 AM > *To:* ClamAV users ML > *Cc:* andy_schm...@hm-software.com > *Subject:* Re: [clamav-users] PUA - Category List, invalid URL in config > sample! Packer Category? > > > > Looks like there's a copy here. I wonder if the example

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-23 Thread Andy Schmidt via clamav-users
: ClamAV users ML Cc: andy_schm...@hm-software.com Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? Looks like there's a copy here. I wonder if the example should link here instead? https://github.com/Soldie/clamav-faq-antivirus/blob/master/fa

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-23 Thread Shawn Iverson via clamav-users
on > *Sent:* Wednesday, November 23, 2022 8:49 AM > *To:* ClamAV users ML > *Cc:* Andy Schmidt ; > cla...@jubileegroup.co.uk > *Subject:* Re: [clamav-users] PUA - Category List, invalid URL in config > sample! Packer Category? > > > > I cleaned up the code and prepare

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-23 Thread Andy Schmidt via clamav-users
, November 23, 2022 8:49 AM To: ClamAV users ML Cc: Andy Schmidt ; cla...@jubileegroup.co.uk Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category? I cleaned up the code and prepared a PR to assist. Currently in draft and comments are welcome. The code seems

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-23 Thread Shawn Iverson via clamav-users
I cleaned up the code and prepared a PR to assist. Currently in draft and comments are welcome. The code seems reasonable to my eyes. https://github.com/Cisco-Talos/clamav/pull/780 On Tue, Nov 22, 2022 at 2:26 PM Andy Schmidt via clamav-users < clamav-users@lists.clamav.net> wrote: > GWH>> Try

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-22 Thread Andy Schmidt via clamav-users
GWH>> Try replacing the function cli_chkpua() in .../libclamav/readdb.c with << GWH>> Please feel free to correct mistakes in this and push to Github or whatever. << Thanks G.W. for looking into it and testing a potential fix. Unfortunately, I'm not running a self-compiled version, but rather one

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-20 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 19 Nov 2022, Andy Schmidt via clamav-users wrote: Unfortunately, while specifying "Win.Packer" or even "PUA.Win.Packer" will APPEAR to work, the program logic in ExcludePUA is completely faulty (almost arbitrary). Yes, it WILL exclude those two - but the problem is, it

[clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-19 Thread Andy Schmidt via clamav-users
very ClamAV user is also a C++ programmer, which I am not.) Best Regards, Andy -Original Message- From: Arnaud Jacques Sent: Friday, November 18, 2022 11:33 AM To: ClamAV users ML Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Categor

Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-18 Thread Arnaud Jacques
Hello Andy, My config file already excludes: ExcludePUA Packed ExcludePUA Downloader And adding “Packer” (and restarting ClamD) will NOT exclude the above “Packer” !? Should work : ExcludePUA PUA.Win.Packer.BorlandCpp-8 ExcludePUA PUA.Win.Packer.BorlandDelphi-12 -- Cordialement / Best re

[clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-18 Thread Andy Schmidt via clamav-users
Problem 1 - Link in Config Sample is 404! According to the current clamd.conf.sample: # See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for the complete list of PUA categories. Problem 2 - What PUA Category covers "Win.Packer.Borland." ? PUA.Win.Packer.Borlan

Re: [clamav-users] PUA detected. False Positive?

2022-07-16 Thread Al Varnell via clamav-users
I see you figured it out, but just to close this out... As long as there is another entry on the next line, a CR is OK. In your case ClamAV was looking for a second entry and not finding one it assumed malformation. Sent from my iPad -Al- -- ClamXAV User On Jul 16, 2022, at 12:32, joe a

Re: [clamav-users] PUA detected. False Positive?

2022-07-16 Thread joe a
Apparently resolved by having *only* the signature name on the line. joe a On 7/16/2022 3:32 PM, joe a wrote: Does that include CR at the end of a line? Docs suggest multiple ignores in one file, each on its own line. Did I misread? (not the first time) joe a On 7/16/2022 12:18 AM, Al

Re: [clamav-users] PUA detected. False Positive?

2022-07-16 Thread joe a
Does that include CR at the end of a line? Docs suggest multiple ignores in one file, each on its own line. Did I misread? (not the first time) joe a On 7/16/2022 12:18 AM, Al Varnell via clamav-users wrote: Yes, just make sure you don't have embedded spaces, carriage returns or other in

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread Al Varnell via clamav-users
Yes, just make sure you don't have embedded spaces, carriage returns or other invisible characters. -Al- -- ClamXAV User > On Jul 15, 2022, at 8:43 PM, joe a wrote: > > That error was corrected, but now the error is "Malformed Database". > > Is it not a simple text string on a single line? >

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread joe a
That error was corrected, but now the error is "Malformed Database". Is it not a simple text string on a single line? joe a. On 7/15/2022 6:29 PM, joe a wrote: My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and get this error: "LibClamAV Error: cli_loadign: No signature

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread joe a
My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and get this error: "LibClamAV Error: cli_loadign: No signature name provided" Is the signature name not "PUA.Win.Trojan.Xored-1" joe a. On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote: To turn it off entirely,

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread Maarten Broekman via clamav-users
To turn it off entirely, you would create a file ending in .ign2 and put the signature name in that file. I'm not sure there is a good way to do it only for that particular sender, unless you have a way to send those messages to a differently configured ClamAV setup. I don't do a lot of email scan

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread joe a
Thank you. I believe I understand. I was actually looking for a way to turn off checking for this particular "PUA", hopefully just for this sender, while keeping PUA checks still enabled for other cases. In the past I've not had great success searching entirely on my own. joe a. On 7/15/20

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread Maarten Broekman via clamav-users
A "PUA" is a "potentially unwanted application", not necessarily malicious. You can disable PUA checks by ensuring that your clamd configuration has "DetectPUA" set to no. For reference, the signature is looking for bitwise math on CharCodeAt() operations in HTML files. VIRUS NAME: PUA.Win.Trojan

[clamav-users] PUA detected. False Positive?

2022-07-15 Thread joe a
Clamav is finding this: "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a source I trust (well, it is a professional organization anyway). Is there any way to tell clamav not to run the check for this particular client and this particular "trojan"? Just not check for it at

[clamav-users] PUA Categories vs. reported name?

2020-07-08 Thread Andy Schmidt via clamav-users
Here is the official list of PUA categories: https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md So WHICH of these categories is then: PUA.Win.Downloader.Aiis-6803892-0

Re: [clamav-users] PUA and file descriptions

2015-05-29 Thread Joel Esler (jesler)
We implemented a naming convention about 3 years ago that we’ve been using since, things named before that were named.. somewhat loosely. -- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos Group http://www.talosintel.com On May 28, 2015, at 2:50 PM, Al Varnell mailto:alvarn

Re: [clamav-users] PUA and file descriptions

2015-05-28 Thread Al Varnell
ClamAV does not produce any such explanations. There is no requirement that the same name be used for a given malware sample by all A-V scanners, so there is no guarantee that the description you found at Symantec will match the infected file you found. If the sample ClamAV received already has

[clamav-users] PUA and file descriptions

2015-05-28 Thread Steven Pine
Hi, In a mostly OS X environment running gruntworks on client machines, clamav scans are finding things like ‘hacktool.crack.someprogram’. Would this be considered a PUA by the clamav team or is it just a naming convention for something more malicious? More generally is there anywhere I could s

Re: [clamav-users] PUA types

2013-03-22 Thread Paul Whelan
On 22 Mar 2013 at 11:12, Alain Zidouemba wrote: > Paul, > > That alert is to indicate that the file it alerted on is likely an > MS Office document that has a PDF embedded within it. You may want to > take a closer look at it as we have observed malicious payloads being > distributed this way i

Re: [clamav-users] PUA types

2013-03-22 Thread Alain Zidouemba
Paul, That alert is to indicate that the file it alerted on is likely an MS Office document that has a PDF embedded within it. You may want to take a closer look at it as we have observed malicious payloads being distributed this way in the past. As for what PUA category it comes under, I suppo

[clamav-users] PUA types

2013-03-22 Thread Paul Whelan
What PUA category does "PUA.OLE.EmbeddedPDF" come under? (Triggered by a Word document). paul