Package: clamav-daemon
Version: 0.95.2+dfsg-1~volatile1
Severity: normal

clamd is detecting PUA even when it has been configured not to. Notice in the clamd.conf file the option "DetectPUA disabled" is set. Yet, it is still detecting it, making our scanning proxy server detect lots of false positives.

Specifically, here is an example, scanning the file stl-headerfooter.js from http://images.stltoday.com/stltoday/js/stl-headerfooter.js

$ clamscan stl-headerfooter.js
stl-headerfooter.js: PUA.Script.Packed-9 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 600377
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.47 MB
Data read: 0.23 MB (ratio 2.00:1)
Time: 1.702 sec (0 m 1 s)

$ clamdscan -V
ClamAV 0.95.2/9601/Tue Jul 21 10:31:58 2009

From clamav.log:

Tue Jul 21 15:10:18 2009 -> +++ Started at Tue Jul 21 15:10:18 2009
Tue Jul 21 15:10:18 2009 -> clamd daemon 0.95.2 (OS: linux-gnu, ARCH: i386, CPU: i486)
Tue Jul 21 15:10:18 2009 -> Log file size limit disabled.
Tue Jul 21 15:10:18 2009 -> Reading databases from /var/lib/clamav
Tue Jul 21 15:10:18 2009 -> Not loading PUA signatures.
Tue Jul 21 15:10:19 2009 -> Loaded 600377 signatures.
Tue Jul 21 15:10:19 2009 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Tue Jul 21 15:10:19 2009 -> LOCAL: Setting connection queue length to 15
Tue Jul 21 15:10:19 2009 -> Limits: Global size limit set to 104857600 bytes.
Tue Jul 21 15:10:19 2009 -> Limits: File size limit set to 26214400 bytes.
Tue Jul 21 15:10:19 2009 -> Limits: Recursion level limit set to 16.
Tue Jul 21 15:10:19 2009 -> Limits: Files limit set to 10000.
Tue Jul 21 15:10:19 2009 -> Archive support enabled.
Tue Jul 21 15:10:19 2009 -> Algorithmic detection enabled.
Tue Jul 21 15:10:19 2009 -> Portable Executable support enabled.
Tue Jul 21 15:10:19 2009 -> ELF support enabled.
Tue Jul 21 15:10:19 2009 -> Mail files support enabled.
Tue Jul 21 15:10:19 2009 -> OLE2 support enabled.
Tue Jul 21 15:10:19 2009 -> PDF support enabled.
Tue Jul 21 15:10:19 2009 -> HTML support enabled.
Tue Jul 21 15:10:19 2009 -> Self checking every 3600 seconds.
Tue Jul 21 15:10:27 2009 -> /home/jase/stl-headerfooter.js: PUA.Script.Packed-9

Notice that one log entry says that it is not loading PUA signatures, yet, it found PUA.Script.Packed-9. I suppose it is possible that this is a signature issue, but I'm not sure.

Let me know if you need any additional info.

Thanks!
Jason

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.ctl"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "10485760"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
SelfCheck = "3600"
VirusEvent disabled
ExitOnOOM disabled
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "dansguardian"
AllowSupplementaryGroups = "yes"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
MailFollowURLs disabled
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
ScanPDF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
ClamukoScanOnAccess disabled
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav/"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "dansguardian"
Checks = "12"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net", "db.us.clamav.net"
MaxAttempts = "5"
ScriptedUpdates = "yes"
CompressLocalDatabase disabled
HTTPProxyServer = "localhost"
HTTPProxyPort = "3128"
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
SafeBrowsing disabled

clamav-milter.conf not found

Software settings
-----------------
Version: 0.95.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2

Database directory: /var/lib/clamav/
main.cld: version 51, sigs: 545035, built on Thu May 14 10:28:45 2009
daily.cld: version 9601, sigs: 55961, built on Tue Jul 21 10:31:58 2009

--- data dir ---
total 51240
drwxr-xr-x 2 dansguardian dansguardian 4096 Dec 28 2008 clamav-450f2653f53ec88bf9dd25a9780c5bbf
drwxr-xr-x 2 dansguardian clamav 4096 Jan 9 2008 clamav-6308fea2243378d968625b9539ae74b2
-rw-r--r-- 1 dansguardian clamav 1870864 Jan 9 2008 clamav-97a32efa17261c3fbd2a9133642d240b
drwxr-xr-x 2 dansguardian dansguardian 4096 Dec 21 2008 clamav-f0887c42d7adcb0430925c81b701cca8
-rw-r--r-- 1 dansguardian dansguardian 3431936 Jul 21 11:22 daily.cld
drwxr-xr-x 2 dansguardian dansguardian 4096 May 29 2008 daily.inc
-rw-r--r-- 1 dansguardian dansguardian 47079936 May 14 11:44 main.cld
drwxr-xr-x 2 dansguardian dansguardian 4096 May 29 2008 main.inc

-- System Information:
Debian Release: 5.0.2
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages clamav-daemon depends on:
ii clamav-base 0.95.2+dfsg-1~volatile1 anti-virus utility for Unix - base
ii clamav-freshclam 0.95.2+dfsg-1~volatile1 anti-virus utility for Unix - viru
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libclamav6 0.95.2+dfsg-1~volatile1 anti-virus utility for Unix - libr
ii libltdl3 1.5.26-4 A system independent dlopen wrappe
ii libncurses5 5.7+20081213-1 shared libraries for terminal hand
ii libtommath0 0.39-3 multiple-precision integer library
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii ucf 3.0016 Update Configuration File: preserv
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

clamav-daemon recommends no packages.

Versions of packages clamav-daemon suggests:
pn clamav-docs <none> (no description available)
pn daemon <none> (no description available)

-- no debconf information
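
The mismatch described in the report above (a clamd session that logs "Not loading PUA signatures." and later logs a PUA.* detection) can be checked for mechanically. The following is an added example, not part of the original report and not ClamAV code. The sample log is constructed from the excerpt above plus a hypothetical second session, and the function name, the regular expressions and the optional " FOUND" suffix are assumptions.

```python
import re

# Constructed sample: first session modelled on the clamav.log excerpt in the
# report; the second session (no PUA announcement) is hypothetical.
SAMPLE_LOG = """\
Tue Jul 21 15:10:18 2009 -> +++ Started at Tue Jul 21 15:10:18 2009
Tue Jul 21 15:10:18 2009 -> Not loading PUA signatures.
Tue Jul 21 15:10:19 2009 -> Loaded 600377 signatures.
Tue Jul 21 15:10:19 2009 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Tue Jul 21 15:10:27 2009 -> /home/jase/stl-headerfooter.js: PUA.Script.Packed-9
Tue Jul 21 15:11:02 2009 -> /home/jase/clean.txt: OK
Wed Jul 22 09:00:00 2009 -> +++ Started at Wed Jul 22 09:00:00 2009
Wed Jul 22 09:00:01 2009 -> Loaded 600377 signatures.
Wed Jul 22 09:00:09 2009 -> /home/jase/other.js: PUA.Script.Packed-9
"""

# "<timestamp> -> <message>" as written when LogTime is enabled.
LINE_RE = re.compile(r"^(?P<ts>.+?) -> (?P<msg>.*)$")
# Scan result: "<absolute path>: <name>", with or without a trailing " FOUND"
# (assumption: both forms are accepted so the check is not format-brittle).
DETECT_RE = re.compile(r"^(?P<path>/.*): (?P<sig>\S+)(?: FOUND)?$")


def find_pua_contradictions(log_text):
    """Return (timestamp, path, signature) for each PUA.* detection logged in
    a daemon session that announced 'Not loading PUA signatures.'"""
    pua_disabled = False
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("+++ Started at"):
            pua_disabled = False      # new session: unknown until announced
        elif msg == "Not loading PUA signatures.":
            pua_disabled = True
        else:
            d = DETECT_RE.match(msg)
            if d and pua_disabled and d.group("sig").startswith("PUA."):
                hits.append((ts, d.group("path"), d.group("sig")))
    return hits


if __name__ == "__main__":
    for ts, path, sig in find_pua_contradictions(SAMPLE_LOG):
        print(f"{ts}: {sig} reported for {path} with PUA loading disabled")
```

Only the first session's detection is reported; the second session never announced that PUA signatures were skipped, so its detection is not treated as a contradiction.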