I'm looking into the PUA issue and will follow up about that.
On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard <dgodd...@sourcefire.com> wrote:

> That is a zip signature looking for double extension files. So, it is
> interesting that it is alerting on a .txt file, unless that is a zip file
> in disguise.
>
> You can whitelist the signature by adding a whitelist.ign file to your
> ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
> In that file put the signature names that you do not want alerting, one per
> line.
>
> This signature and the others published in their set look for common
> double extension tricks like your_document-pdf.exe.
>
> If that is truly a text file or you would like to have me take a look at
> it to see if the signature should be modified please submit it as an FP via
> http://www.clamav.net/fp.
>
> Thanks,
> Doug
>
> On Thu, Sep 4, 2014 at 11:23 AM, Mark Price <mpr...@tqhosting.com> wrote:
>
>> In the past day we have had clamscan on several servers detect infected
>> files due to: PUA.Windows.DoubleExtension-zippwd-3
>>
>> I've read the clamscan manpage but have not had any luck with getting the
>> "--detect-pua" option to work. Example:
>>
>> # clamscan --detect-pua=no ./sample-msg1.txt
>> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3515268
>> Engine version: 0.98
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 1
>> Data scanned: 0.00 MB
>> Data read: 0.05 MB (ratio 0.00:1)
>> Time: 9.402 sec (0 m 9 s)
>>
>> In this case, is the infected file being detected by a PUA that I should be
>> able to disable with command line option? Or is "PUA" simply part of the
>> virus signature name?
>>
>> Thanks,
>>
>> Mark
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
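
The whitelisting step described in the quoted reply, as an added example that is not part of the original thread or ClamAV's own tooling: it pulls the signature name out of a clamscan detection line and records it, one name per line and without duplicates, in whitelist.ign. The function names and the accepted character set are assumptions made for this sketch; the file name and database path are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): maintain the whitelist.ign file
# described above. Function names are hypothetical helpers.

# Database directory quoted in the thread; override with DB_DIR if yours differs.
DB_DIR="${DB_DIR:-/usr/local/share/clamav}"
IGN_FILE_NAME="whitelist.ign"

# Print the signature name from one line of clamscan output, e.g.
#   ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
# Returns 1 (and prints nothing) for lines that are not detections,
# such as the SCAN SUMMARY lines.
sig_from_scan_line() {
    sfl_line="$1"
    case "$sfl_line" in
        *": "*" FOUND") ;;
        *) return 1 ;;
    esac
    sfl_line="${sfl_line% FOUND}"          # drop the trailing marker
    printf '%s\n' "${sfl_line##*: }"       # keep what follows the last ": "
}

# Append one signature name to <dbdir>/whitelist.ign unless it is already
# listed. Assumption: names are limited to letters, digits, '.', '_' and '-';
# anything else is refused rather than written into the database directory.
ignore_signature() {
    is_dbdir="$1"
    is_sig="$2"
    is_file="$is_dbdir/$IGN_FILE_NAME"
    case "$is_sig" in
        ""|*[!A-Za-z0-9._-]*)
            echo "refusing unexpected signature name: $is_sig" >&2
            return 2 ;;
    esac
    touch "$is_file" || return 1
    # -x: whole-line match, -F: literal string, so only exact names count.
    grep -qxF -- "$is_sig" "$is_file" && return 0
    printf '%s\n' "$is_sig" >> "$is_file"
}
```

Call it as `ignore_signature "$DB_DIR" "$(sig_from_scan_line "$line")"` and re-run the scan; a running clamd has to reload its database before the change takes effect.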