On Friday, 13 March 2026 at 6:56 AM, Joel Esler wrote:

> Good day. Based on the paths and signature types, most of this looks more 
> like aggressive heuristic and PUA detections than proof of an active 
> compromise. The biggest reasons are: many hits are in legitimate program 
> files, many are marked PUA rather than confirmed malware, and many are 
> *.UNOFFICIAL signatures from third-party feeds such as Sanesecurity, which 
> are separate from ClamAV’s official signed databases and can be noisier. 
> ClamAV’s own documentation says PUA detections are less carefully curated and 
> can generate more false positives, and unofficial signatures are not official 
> ClamAV detections.
>
> What stands out in your log is that a very large portion of detections fall 
> into these buckets:
>
> - Installed software files: Adobe Acrobat, Thunderbird, Firefox, VLC, OBS,
>   NVIDIA, VMware, Check Point, OneDrive, Windows Defender, Windows system files.
>
> - LibreOffice macro libraries: the many *.xba files under LibreOffice are
>   expected macro/script components, so PUA.Doc.Tool.LibreOfficeMacro-2 on those
>   files is usually not surprising by itself.
>
> - Caches, dumps, mailboxes, installers, and temp files: Chrome/Edge/Firefox
>   cache, Thunderbird spam mailbox, Trend Micro dump files, MSI/MSP installer
>   cache, Downloads, Temp. These often trigger heuristic signatures because
>   scanners see archived scripts, exploit test strings, or remnants of
>   previously downloaded web content. The Sanesecurity “Foxhole” and similar
>   unofficial databases are specifically designed to flag risky content inside
>   archives and JavaScript-heavy compressed content, with some rules carrying
>   medium or high false-positive risk.
>
> So, are they false positives?
>
> Many probably are, or at least are low-confidence “potentially unwanted” 
> detections rather than confirmed malware. I would be especially cautious 
> about treating these as false positives:
>
> - Downloads/avc-free.exe
> - Downloads/Advanced_IP_Scanner_...exe
> - files in AppData/Local/Temp/...
> - browser cache entries
> - Thunderbird spam mailbox
> - the Trend Micro dump file
>
> Those are not automatically malicious, but they are the most worth reviewing 
> because they are user-space artifacts, downloads, caches, or temporary files, 
> not core Windows components. By contrast, detections on Windows system files, 
> Defender engine files, LibreOffice macro libraries, and mainstream vendor 
> DLLs are much more suggestive of heuristic noise or packer-based PUA hits 
> than an actual infection.
>
> About the items you specifically mentioned:
>
> - “Java Backdoor”: the line java.backdoor.anno.6.UNOFFICIAL is an unofficial
>   MD5-based signature on a file under Microsoft/Crypto/RSA/..., which is an
>   unusual place for a true Java backdoor. That does not look like a normal,
>   high-confidence malware finding to me from the path alone.
>
> - “PUA Win Trojans”: ClamAV notes that some older PUA categories were named
>   with malware-like labels such as Trojan by automated tooling, and those names
>   are not reliable indicators of real malware.
>
> - “Sanesecurity Malware”: these are from third-party unofficial signature sets,
>   not ClamAV’s official signed database.
>
> My practical assessment is:
>
> This log does not, by itself, prove your Windows 11 machine is infected.
>
> It does show that your scan is loading or honoring PUA and unofficial 
> third-party signatures, which can produce a lot of noisy results, especially 
> against archives, macros, caches, installers, and vendor binaries.
>
> What I would do next, in order:
>
> - Do not panic and do not wipe the machine.
>
> - Re-scan only the suspicious user-space items:
>   - Downloads
>   - AppData/Local/Temp
>   - browser caches
>   - Thunderbird profile and spam mailbox
>
> - Run a second-opinion scanner on Windows itself, preferably Microsoft Defender
>   Offline or another reputable scanner, to see whether these same files are
>   flagged.
>
> - Check whether ClamAV was using unofficial databases such as Sanesecurity or
>   custom YARA rules. If yes, temporarily re-scan with official signatures only
>   and with PUA disabled. ClamAV supports an official-only mode and notes that
>   PUA loading is optional.
>
> - Delete obvious junk safely:
>   - browser caches
>   - temp files
>   - old installer leftovers in Downloads, if you no longer need them
>   - mail spam cache copies, if appropriate
>
> - If the same files are still detected by multiple scanners, especially
>   executables in Downloads or Temp, then treat them as genuinely suspicious.
>
> The items I would prioritize for manual review are:
>
> - Users/teoen/Downloads/avc-free.exe
> - Users/teoen/Downloads/Advanced_IP_Scanner_...exe
> - Users/teoen/AppData/Local/Temp/...
> - Users/teoen/AppData/Local/HCBackup/hcpackage64.exe
> - browser cache hits, only to the extent they may point to a malicious website
>   you visited
> - the Thunderbird spam mailbox item
>
> The items I would not treat as strong evidence of infection on their own are:
>
> - LibreOffice *.xba files
> - Adobe/Firefox/Thunderbird/VLC/OBS/NVIDIA/VMware vendor binaries
> - Windows Defender engine files
> - many Windows WinSxS, System32, and installer-cache files
> - most .UNOFFICIAL heuristic hits against archives and caches

Dear Joel Esler,

I have managed to scan my Windows 11 Home edition home desktop computer with 
bootable Kaspersky Rescue Disk for a 2nd opinion.

Please refer to the following link for my Kaspersky Rescue Disk virus scan
results:

https://lists.debian.org/debian-user/2026/03/msg00178.html

However, I could not find any clickable button inside Kaspersky Rescue Disk to
update the virus database to the latest version. Hence I am probably using an
extremely outdated virus signature database dating back to the year 2024.

I have also scanned my Windows 11 Home edition home desktop computer with
bootable Dr.Web LiveDisk for a 3rd opinion.

Please refer to the following link for my Dr.Web LiveDisk virus scan results:

https://lists.debian.org/debian-user/2026/03/msg00192.html

According to ChatGPT artificial intelligence, all the antivirus scanners in the
world will never be able to detect nation-state Advanced Persistent Threats
(APT) malware.

Even if there are nation state APT malware in your computer or laptop or
smartphone, no antivirus scanner in the world will be able to detect them.

Assuming you have nation state APT malware in your computer or laptop or
smartphone, all of the antivirus scanners in the world will simply report "NO
THREATS DETECTED".

What do you think?
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
18 Mar 2026 Wednesday 8.10 pm Singapore Time
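The triage described in the quoted reply above (user-space artifacts first, then .UNOFFICIAL and PUA.* signature types, then a check for third-party databases and an official-only rescan), as an added shell example that is not part of the original mail and not ClamAV's own tooling. It assumes the Windows disk was scanned from Linux mounted at /mnt/windows and that the database directory is /var/lib/clamav; the log lines are constructed, and every signature name in them except PUA.Doc.Tool.LibreOfficeMacro-2 and java.backdoor.anno.6.UNOFFICIAL (both from the thread) is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: bucket clamscan output the way the
# quoted reply does (user-space artifacts first, then .UNOFFICIAL, then PUA.*),
# list third-party databases in the db dir, and print the official-only rescan.
# ASSUMPTIONS: the Windows disk is mounted at /mnt/windows; every log line and
# every signature name below except PUA.Doc.Tool.LibreOfficeMacro-2 and
# java.backdoor.anno.6.UNOFFICIAL (both from the thread) is constructed.

SAMPLE_LOG=$(cat <<'EOF'
/mnt/windows/Users/teoen/Downloads/avc-free.exe: Example.Heuristic.Dropper-1.UNOFFICIAL FOUND
/mnt/windows/Users/teoen/AppData/Local/Temp/setup_tmp.exe: PUA.Win.Packer.Example-1 FOUND
/mnt/windows/Program Files/LibreOffice/share/basic/Tools/Misc.xba: PUA.Doc.Tool.LibreOfficeMacro-2 FOUND
/mnt/windows/Windows/System32/example.dll: PUA.Win.Packer.Example-1 FOUND
/mnt/windows/Users/teoen/AppData/Roaming/Microsoft/Crypto/RSA/example: java.backdoor.anno.6.UNOFFICIAL FOUND
/mnt/windows/Users/teoen/AppData/Local/Google/Chrome/User Data/Default/Cache/f_000123: Example.Html.Exploit.Test-2.UNOFFICIAL FOUND
/mnt/windows/Program Files/Example Vendor/tool.exe: Win.Example.Constructed-1 FOUND
/mnt/windows/Program Files/Mozilla Firefox/firefox.exe: OK
EOF
)

# Classify one clamscan line. Prints one of: review, pua, unofficial, official, clean.
triage_line() {
    line=$1
    case $line in
        *" FOUND") ;;                 # only detections matter
        *) echo clean; return 0 ;;
    esac
    path=${line%: *}                  # everything before the last ": "
    sig=${line##*: }                  # "Signature FOUND"
    sig=${sig% FOUND}
    # User-space artifacts the reply singles out: downloads, temp, browser
    # caches, mail stores, crash dumps. Worth a look whatever the signature type.
    case $path in
        */Downloads/*|*/Temp/*|*/[Cc]ache*/*|*/Mail/*|*/ImapMail/*|*.dmp)
            echo review; return 0 ;;
    esac
    case $sig in
        *.UNOFFICIAL) echo unofficial ;;   # third-party feed, not ClamAV-signed
        PUA.*)        echo pua ;;          # potentially unwanted, not confirmed malware
        *)            echo official ;;     # official non-PUA signature: still look at it
    esac
}

# Read a clamscan log on stdin; print "<bucket><TAB><original line>" per detection.
triage_log() {
    while IFS= read -r line; do
        b=$(triage_line "$line")
        if [ "$b" = clean ]; then continue; fi
        printf '%s\t%s\n' "$b" "$line"
    done
}

# Number of SAMPLE_LOG detections that land in bucket $1.
count_bucket() {
    printf '%s\n' "$SAMPLE_LOG" | triage_log |
        awk -F'\t' -v b="$1" '$1 == b { n++ } END { print n + 0 }'
}

# Names of non-official signature files in a ClamAV database directory.
# Official, signed databases are main/daily/bytecode only; anything else
# (Sanesecurity .hdb/.ndb, custom YARA, ...) is a third-party feed.
list_third_party_dbs() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            main.cvd|main.cld|daily.cvd|daily.cld|bytecode.cvd|bytecode.cld) ;;
            *.cvd|*.cld|*.hdb|*.ndb|*.ldb|*.hsb|*.yar|*.yara|*.ign2) echo "$name" ;;
        esac
    done
}

# The official-only, PUA-off rescan the reply recommends.
# --official-db-only skips third-party files in the database dir;
# --detect-pua=no is clamscan's default, spelled out to make the contrast explicit.
official_only_rescan_cmd() {
    printf 'clamscan -r -i --official-db-only=yes --detect-pua=no "%s"\n' "$1"
}

# Stand-alone run: triage the constructed log, summarize, show next steps.
printf '%s\n' "$SAMPLE_LOG" | triage_log
for b in review unofficial pua official; do
    printf '%-10s %s\n' "$b" "$(count_bucket "$b")"
done
echo "third-party databases in /var/lib/clamav (assumed default dir):"
list_third_party_dbs /var/lib/clamav
official_only_rescan_cmd /mnt/windows/Users/teoen/Downloads
```

The path test runs before the signature test on purpose: a Downloads or Temp executable goes to the review bucket even when the only hit is a PUA or .UNOFFICIAL rule, which is the reply's point that location matters more than label for those files. The official-only rescan removes both noisy classes at once; to learn which one produced a given hit, rescan once more with official signatures and --detect-pua=yes and compare the two outputs.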
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
