Mailing List Archive

Problems scanning for PUAs
Hi,

I'm trying to scan files for PUAs.
When you do that, you get a lot of packers show up.

But when I type

--detect-pua=yes --exclude-pua=Win.Packer

it doesn't detect any PUAs at all (including PUA.Win.Malware etc).

Am I typing something wrong or is this a bug?

Running ClamAV v0.101.2 on Gentoo Linux.

Also, I haven't used ClamAV in a while, but do you still auto-reject PUA from the false-positive form?

Thank you!

--

-Dan Q

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Problems scanning for PUAs
Also, what is the difference between e.g. Win.Trojan and PUA.Win.Trojan? Why would a trojan be a PUA?

--

-Dan Q

On Thu, 30 May 2019 17:02:08 -0400 (EDT), Daniel Quintiliani via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: Problems scanning for PUAs
I think the PUA versions are just potentially unwanted things that exhibit
trojan-like behavior but aren't confirmed trojans.

As for the original question, it looks like it's only using the first part
of that to determine the group of PUAs to ignore.

These are the 'PUA' families (and associated signature counts).
82 Andr
181 Cert
4 Doc
2 Email
1 Embedded
34 Html
3 Java
2 Js
1 Osx
1 Packed
6 Pdf
1 Php
1 Rtf
1 Spy
1 Swf
1 Tool
542 Unix
5832 Win

Running clamscan --detect-pua=yes --exclude-pua=Pdf does indeed exclude the
6 PUA signatures for PUA.Pdf.*

Barring the addition of functionality to allow you to specify sub-categories
on the command line, your best option would be to create a .ign2 file with
a list of all the packer signatures you want to ignore.

A command-line along the lines of this would generate it for you:
# sigtool --find-sigs PUA.Win.Packer \
    | awk '/ PUA/ { print $NF } /:PUA/ { print $NF }' \
    | awk -F: '$1 ~ /PUA/ { print $1 } $NF ~ /PUA/ { print $NF }' \
    | awk -F\; '{ print $1 }' > <dbdir>/ignorelist.ign2

--Maarten

On Thu, May 30, 2019 at 5:36 PM Daniel Quintiliani via clamav-users <
clamav-users@lists.clamav.net> wrote:
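The sub-category selection Maarten describes (a .ign2 list built from sigtool output, since --exclude-pua only honours the family name) as an added example: this is not Maarten's pipeline and not ClamAV project code. It assumes the "[db file] <raw signature line>" layout that sigtool --find-sigs prints and the usual field orders of ndb/ldb (name first) and hdb/hsb (hash, size, then name). The sample lines are constructed, with invented signature bodies, and the functions sig_names, under_prefix and build_ign2 are this example's own.

```shell
#!/bin/sh
# Constructed sample of sigtool --find-sigs output: "[db] <signature line>".
# The names and hex bodies are invented for this example.
SAMPLE_SIGTOOL_OUTPUT='[main.ndb] PUA.Win.Packer.ExampleUpx-1:1:*:4d5a9000
[daily.ldb] PUA.Win.Packer.ExampleLdb-1;Engine:51-255,Target:1;0&1;4d5a;5045
[main.hdb] 0123456789abcdef0123456789abcdef:12345:PUA.Win.Packer.ExampleHash-1
[daily.hsb] 00112233:4567:PUA.Win.Packer.ExampleSha-1:73:255
[daily.ndb] PUA.Win.Malware.ExampleKeep-1:1:*:deadbeef
[main.ndb] Win.Trojan.NotPua-1:1:*:cafebabe'

# Read sigtool-style lines on stdin and print the bare signature name of each
# PUA entry. ndb/ldb put the name first; hdb/hsb put it after hash and size
# (and may append flevel fields), so scan every ':' or ';' separated field
# and take the first one that starts with "PUA.".
sig_names() {
    awk '{
        sub(/^\[[^]]*\] /, "")
        n = split($0, f, /[:;]/)
        for (i = 1; i <= n; i++)
            if (f[i] ~ /^PUA\./) { print f[i]; break }
    }'
}

# Keep only names under the given dotted prefix ("PUA.Win.Packer" matches
# "PUA.Win.Packer.X" but not "PUA.Win.Packerish.X"), deduplicated. This is
# the sub-category choice that --exclude-pua cannot express.
under_prefix() {
    awk -v p="$1." 'index($0, p) == 1' | sort -u
}

# One signature name per line is the .ign2 format. On a real system redirect
# the result into the database directory, where clamscan picks it up.
build_ign2() {
    sig_names | under_prefix "$1"
}

# Usage with the constructed sample. On a real system replace the printf with
# `sigtool --find-sigs PUA.Win.Packer` and append `> "$DBDIR/ignorelist.ign2"`.
printf '%s\n' "$SAMPLE_SIGTOOL_OUTPUT" | build_ign2 PUA.Win.Packer
```

The prefix match is anchored at the start of the name and includes the trailing dot, so widening or narrowing the excluded set is a matter of changing the argument (PUA.Win.Packer versus PUA.Win), while PUA.Win.Malware and non-PUA signatures stay active.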