I took a look at the PUA documents page at:
https://docs.clamav.net/faq/faq-pua.html
I'm guessing it may be a bit outdated. The page has a 2020 reference.
It is now 2025.
Where can I find an updated list of PUA categories and subcategories?
Also, I am using ClamAV 1.0.7 packages provided by
er 23, 2022 9:29 AM
> *To:* ClamAV users ML
> *Cc:* andy_schm...@hm-software.com
> *Subject:* Re: [clamav-users] PUA - Category List, invalid URL in config
> sample! Packer Category?
Looks like there's a copy here. I wonder if the example should link here
instead?
https://github.com/Soldie/clamav-faq-antivirus/blob/master/fa
on
> *Sent:* Wednesday, November 23, 2022 8:49 AM
> *To:* ClamAV users ML
> *Cc:* Andy Schmidt ;
> cla...@jubileegroup.co.uk
> *Subject:* Re: [clamav-users] PUA - Category List, invalid URL in config
> sample! Packer Category?
I cleaned up the code and prepared a PR to assist. Currently in draft and
comments are welcome. The code seems reasonable to my eyes.
https://github.com/Cisco-Talos/clamav/pull/780
On Tue, Nov 22, 2022 at 2:26 PM Andy Schmidt via clamav-users <
clamav-users@lists.clamav.net> wrote:
GWH>> Try replacing the function cli_chkpua() in .../libclamav/readdb.c with
<<
GWH>> Please feel free to correct mistakes in this and push to Github or
whatever. <<
Thanks G.W. for looking into it and testing a potential fix.
Unfortunately, I'm not running a self-compiled version, but rather one
Hi there,
On Sat, 19 Nov 2022, Andy Schmidt via clamav-users wrote:
Unfortunately, while specifying "Win.Packer" or even "PUA.Win.Packer" will
APPEAR to work, the program logic in ExcludePUA is completely faulty (almost arbitrary).
Yes, it WILL exclude those two - but the problem is, it
very ClamAV user is also a C++ programmer, which I am not.)
Best Regards,
Andy
-Original Message-
From: Arnaud Jacques
Sent: Friday, November 18, 2022 11:33 AM
To: ClamAV users ML
Subject: Re: [clamav-users] PUA - Category List, invalid URL in config sample!
Packer Categor
Hello Andy,
My config file already excludes:
ExcludePUA Packed
ExcludePUA Downloader
And adding “Packer” (and restarting ClamD) will NOT exclude the above
“Packer” !?
Should work:
ExcludePUA PUA.Win.Packer.BorlandCpp-8
ExcludePUA PUA.Win.Packer.BorlandDelphi-12
--
Cordialement / Best re
Problem 1 - Link in Config Sample is 404!
According to the current clamd.conf.sample:
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md
for the complete list of PUA categories.
Problem 2 - What PUA Category covers "Win.Packer.Borland." ?
PUA.Win.Packer.Borlan
I see you figured it out, but just to close this out...
As long as there is another entry on the next line, a CR is OK. In your
case ClamAV was looking for a second entry and not finding one it assumed
malformation.
Sent from my iPad
-Al-
--
ClamXAV User
On Jul 16, 2022, at 12:32, joe a
Apparently resolved by having *only* the signature name on the line.
joe a
On 7/16/2022 3:32 PM, joe a wrote:
Does that include CR at the end of a line? Docs suggest multiple
ignores in one file, each on its own line. Did I misread? (not the
first time)
joe a
On 7/16/2022 12:18 AM, Al Varnell via clamav-users wrote:
Yes, just make sure you don't have embedded spaces, carriage returns or other
invisible characters.
-Al-
--
ClamXAV User
> On Jul 15, 2022, at 8:43 PM, joe a wrote:
>
> That error was corrected, but now the error is "Malformed Database".
>
> Is it not a simple text string on a single line?
>
joe a.
On 7/15/2022 6:29 PM, joe a wrote:
My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and
get this error:
"LibClamAV Error: cli_loadign: No signature name provided"
Is the signature name not "PUA.Win.Trojan.Xored-1"
joe a.
On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
To turn it off entirely, you would create a file ending in .ign2 and put
the signature name in that file.
I'm not sure there is a good way to do it only for that particular sender,
unless you have a way to send those messages to a differently configured
ClamAV setup. I don't do a lot of email scan
Thank you. I believe I understand.
I was actually looking for a way to turn off checking for this
particular "PUA", hopefully just for this sender, while keeping PUA
checks still enabled for other cases.
In the past I've not had great success searching entirely on my own.
joe a.
On 7/15/20
A "PUA" is a "potentially unwanted application", not necessarily malicious.
You can disable PUA checks by ensuring that your clamd configuration has
"DetectPUA" set to no.
For reference, the signature is looking for bitwise math on CharCodeAt()
operations in HTML files.
VIRUS NAME: PUA.Win.Trojan
Clamav is finding this:
"X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
source I trust (well, it is a professional organization anyway).
Is there any way to tell clamav not to run the check for this particular
client and this particular "trojan"? Just not check for it at
Here is the official list of PUA categories:
https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md
So WHICH of these categories is then:
PUA.Win.Downloader.Aiis-6803892-0
___
clamav-users mailing list
clamav-users@lists.clamav.net
We implemented a naming convention about 3 years ago that we’ve been using
since, things named before that were named.. somewhat loosely.
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
http://www.talosintel.com
On May 28, 2015, at 2:50 PM, Al Varnell
mailto:alvarn
ClamAV does not produce any such explanations. There is no requirement that the
same name be used for a given malware sample by all A-V scanners, so there is
no guarantee that the description you found at Symantec will match the infected
file you found. If the sample ClamAV received already has
Hi,
In a mostly OS X environment running gruntworks on client machines, clamav
scans are finding things like ‘hacktool.crack.someprogram’. Would this be
considered a PUA by the clamav team or is it just a naming convention for
something more malicious? More generally is there anywhere I could s
On 22 Mar 2013 at 11:12, Alain Zidouemba wrote:
Paul,
That alert is to indicate that the file it alerted on is likely an MS
Office document that has a PDF embedded within it. You may want to take a
closer look to it as we have observed malicious payloads being distributed
this way in the past.
As for what PUA category it comes under, I suppo
What PUA category does "PUA.OLE.EmbeddedPDF" come under? (Triggered by a Word
document).
paul