Yes, just make sure you don't have embedded spaces, carriage returns or other invisible characters.
-Al-
--
ClamXAV User

> On Jul 15, 2022, at 8:43 PM, joe a <joea-li...@j4computers.com> wrote:
>
> That error was corrected, but now the error is "Malformed Database".
>
> Is it not a simple text string on a single line?
>
> joe a.
>
> On 7/15/2022 6:29 PM, joe a wrote:
>> My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and get
>> this error:
>> "LibClamAV Error: cli_loadign: No signature name provided"
>> Is the signature name not "PUA.Win.Trojan.Xored-1"
>> joe a.
>> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>>> To turn it off entirely, you would create a file ending in .ign2 and put
>>> the signature name in that file.
>>>
>>> I'm not sure there is a good way to do it only for that particular sender,
>>> unless you have a way to send those messages to a differently configured
>>> ClamAV setup. I don't do a lot of email scanning, so I'm not sure what the
>>> limitations are there.
>>>
>>> --Maarten
>>>
>>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-li...@j4computers.com> wrote:
>>>
>>> Thank you. I believe I understand.
>>>
>>> I was actually looking for a way to turn off checking for this
>>> particular "PUA", hopefully just for this sender, while keeping PUA
>>> checks still enabled for other cases.
>>>
>>> In the past I've not had great success searching entirely on my own.
>>>
>>> joe a.
>>>
>>> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
>>> > A "PUA" is a "potentially unwanted application", not necessarily
>>> > malicious. You can disable PUA checks by ensuring that your clamd
>>> > configuration has "DetectPUA" set to no.
>>> >
>>> > For reference, the signature is looking for bitwise math on CharCodeAt()
>>> > operations in HTML files.
>>> >
>>> > VIRUS NAME: PUA.Win.Trojan.Xored-1
>>> > TARGET TYPE: HTML
>>> > OFFSET: *
>>> > DECODED SIGNATURE:
>>> > charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>>> >
>>> >
>>> > I created a bogus test file that matches the signature and, with default
>>> > configuration settings, it is not detected. But when I force PUA
>>> > detection to be on, it is detected.
>>> >
>>> > lothlorien:~$ clamscan test.html
>>> > Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs
>>> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>>> >
>>> > ~/test.html: OK
>>> >
>>> > ----------- SCAN SUMMARY -----------
>>> > Known viruses: 8622174
>>> > Engine version: 0.105.0
>>> > Scanned directories: 0
>>> > Scanned files: 1
>>> > Infected files: 0
>>> > Data scanned: 0.00 MB
>>> > Data read: 0.00 MB (ratio 0.00:1)
>>> > Time: 9.865 sec (0 m 9 s)
>>> > Start Date: 2022:07:15 16:31:01
>>> > End Date: 2022:07:15 16:31:11
>>> >
>>> > lothlorien:~$ clamscan --detect-pua=yes test.html
>>> > Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs
>>> > Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
>>> >
>>> > ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>>> >
>>> > ----------- SCAN SUMMARY -----------
>>> > Known viruses: 8637594
>>> > Engine version: 0.105.0
>>> > Scanned directories: 0
>>> > Scanned files: 1
>>> > Infected files: 1
>>> > Data scanned: 0.00 MB
>>> > Data read: 0.00 MB (ratio 0.00:1)
>>> > Time: 9.614 sec (0 m 9 s)
>>> > Start Date: 2022:07:15 16:31:17
>>> > End Date: 2022:07:15 16:31:26
>>> >
>>> > --Maarten
>>> >
>>> > On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-li...@j4computers.com> wrote:
>>> >
>>> > Clamav is finding this:
>>> >
>>> > "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
>>> > source I trust (well, it is a professional organization anyway).
>>> >
>>> > Is there any way to tell clamav not to run the check for this particular
>>> > client and this particular "trojan"? Just not check for it at all?
>>> >
>>> > Or should I submit it as a "False positive" and hope it goes away?
>>> >
>>> >
>>> > _______________________________________________
>>> >
>>> > clamav-users mailing list
>>> > clamav-users@lists.clamav.net
>>> > https://lists.clamav.net/mailman/listinfo/clamav-users
>>> >
>>> >
>>> > Help us build a comprehensive ClamAV guide:
>>> > https://github.com/Cisco-Talos/clamav-documentation
>>> >
>>> > https://docs.clamav.net/#mailing-lists-and-chat
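Added example, not part of the thread: a shell check for the embedded spaces, carriage returns and other invisible characters mentioned in the top reply, run against an .ign2 file before ClamAV loads it. It assumes one signature name per line in printable, non-space ASCII; check_ign2, write_ign2, demo and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: an .ign2 file holds one
# signature name per line, using only printable, non-space ASCII.

# check_ign2 FILE: return 0 if clean, 1 on blank lines or stray bytes.
check_ign2() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    # Delete every allowed byte (0x21-0x7E and LF); whatever survives is a
    # space, tab, CR, BOM, NBSP or other invisible / non-ASCII byte.
    stray=$(LC_ALL=C tr -d '\041-\176\n' < "$f" | wc -c | tr -d ' ')
    blank=$(grep -c '^$' "$f" || true)
    if [ "$stray" -eq 0 ] && [ "$blank" -eq 0 ]; then
        return 0
    fi
    echo "$f: $stray stray byte(s), $blank blank line(s)" >&2
    # 'sed -n l' shows \r, \t and octal escapes, with '$' marking each line end.
    LC_ALL=C sed -n l "$f" >&2
    return 1
}

# write_ign2 FILE NAME...: one name per line, LF endings, nothing else.
write_ign2() {
    out=$1
    shift
    printf '%s\n' "$@" > "$out"
}

# Constructed sample files: one clean, three with a typical editor artifact.
demo() {
    tmp=$(mktemp -d) || return 1
    write_ign2 "$tmp/good.ign2" 'PUA.Win.Trojan.Xored-1'
    printf 'PUA.Win.Trojan.Xored-1\r\n' > "$tmp/crlf.ign2"   # CRLF line ending
    printf 'PUA.Win.Trojan.Xored-1 \n' > "$tmp/space.ign2"   # trailing space
    printf '\357\273\277PUA.Win.Trojan.Xored-1\n' > "$tmp/bom.ign2"  # UTF-8 BOM
    for f in "$tmp"/*.ign2; do
        name=${f##*/}
        if check_ign2 "$f"; then echo "clean: $name"; else echo "DIRTY: $name"; fi
    done
    rm -rf "$tmp"
}

demo
```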