Re: [clamav-users] PUA.Misc.DoubleExtension-zippwd-4 false positive

2014-09-04 Thread Douglas Goddard
This signature is in the process of being dropped. The signature is a ZMD
and PUA is not supported for this type. Once it is dropped it will be
re-published under a non PUA name.

If you would still like to ignore these alerts you can add the new
signatures' names to a whitelist.ign file in your ClamAV virus db folder
once they are published - this will disable the signature from alerting on
your system.

The drop should go through some time tonight and the signature will be
republished under a different name tomorrow or Monday.

Sorry for the inconvenience,
Douglas


On Thu, Sep 4, 2014 at 5:24 PM, Ted Gilchrist  wrote:

> I started receiving this virus warning, and I think it's a false alarm. I
> read that I could use clamscan --detect-pua=no to have clamscan ignore such
> PUA warnings, but that didn't work.
>
> How should I proceed? I notice that this virus definition just got added
> yesterday (http://blog.gmane.org/gmane.comp.security.virus.clamav.virusdb)
>
> This message comes up for certain jar files.
>
> Thanks.
>
> --
> "Speech, not just for humans"
>
> http://www.google.com/profiles/egilchri
> about.me/ted.gilchrist
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


Re: [clamav-users] ClamAV®: The new ClamAV.net is here!

2014-09-04 Thread Benny Pedersen

On 4. sep. 2014 07.54.34 Andreas Schulze wrote:

> It's handy to point a user to the official Website to prove that he's
> running an outdated virus scanner.


Freshclam gives a warning about an outdated database here just fine; it does
not need external tools to tell me that. Are admins so dumb these days?



[clamav-users] PUA.Misc.DoubleExtension-zippwd-4 false positive

2014-09-04 Thread Ted Gilchrist
I started receiving this virus warning, and I think it's a false alarm. I
read that I could use clamscan --detect-pua=no to have clamscan ignore such
PUA warnings, but that didn't work.

How should I proceed? I notice that this virus definition just got added
yesterday (http://blog.gmane.org/gmane.comp.security.virus.clamav.virusdb)

This message comes up for certain jar files.

Thanks.

-- 
"Speech, not just for humans"

http://www.google.com/profiles/egilchri
about.me/ted.gilchrist


Re: [clamav-users] clamscan and PUA

2014-09-04 Thread Mark Price
Hi Doug,

On Thu, Sep 4, 2014 at 11:54 AM, Douglas Goddard wrote:

> Thank you for catching that. PUA is not supported for this signature type,
> I will drop the signature and rename it to avoid the confusion of the
> incorrect PUA label. You'll need to whitelist the new name when that
> appears in a next day or so.
>

Ok, thanks for looking into it and responding quickly.

The txt file example I used in my example was a Maildir message file with a
double-extension filename MIME attachment (blah.JPG.zip), so it is not too
much of a false positive.

But this signature type is picking up other stuff that is a false positive
to us, such as a file named chartfx70.desktop.jar - to me, that fits the
definition of "potentially unwanted" vs confirmed malware/virus, so we'll
whitelist as you mentioned once we find the new signature name.


Mark


Re: [clamav-users] clamscan and PUA

2014-09-04 Thread Douglas Goddard
Thank you for catching that. PUA is not supported for this signature type,
I will drop the signature and rename it to avoid the confusion of the
incorrect PUA label. You'll need to whitelist the new name when that
appears in a next day or so.

Sorry for the inconvenience,
Doug


On Thu, Sep 4, 2014 at 11:45 AM, Douglas Goddard wrote:

> I'm looking into the PUA issue and will follow up about that.
>
>
> On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard wrote:
>
>> That is a zip signature looking for double extension files. So, it is
>> interesting that it is alerting on a .txt file, unless that is a zip file
>> in disguise.
>>
>> You can whitelist the signature by adding a whitelist.ign file to your
>> ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
>> In that file put the signature names that you do not want alerting, one per
>> line.
>>
>> This signature and the others published in their set look for common
>> double extension tricks like your_document-pdf.exe.
>>
>> If that is truly a text file or you would like to have me take a look at
>> it to see if the signature should be modified please submit it as an FP via
>> http://www.clamav.net/fp.
>>
>> Thanks,
>> Doug
>>
>>
>> On Thu, Sep 4, 2014 at 11:23 AM, Mark Price  wrote:
>>
>>> In the past day we have had clamscan on several servers detect infected
>>> files due to:  PUA.Windows.DoubleExtension-zippwd-3
>>>
>>> I've read the clamscan manpage but have not had any luck with getting the
>>> "--detect-pua" option to work.  Example:
>>>
>>> # clamscan --detect-pua=no ./sample-msg1.txt
>>> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>>>
>>> --- SCAN SUMMARY ---
>>> Known viruses: 3515268
>>> Engine version: 0.98
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 1
>>> Data scanned: 0.00 MB
>>> Data read: 0.05 MB (ratio 0.00:1)
>>> Time: 9.402 sec (0 m 9 s)
>>>
>>>
>>> In this case, is the infected file being detected by a PUA that I should be
>>> able to disable with a command line option?  Or is "PUA" simply part of the
>>> virus signature name?
>>>
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>
>>
>


Re: [clamav-users] clamscan and PUA

2014-09-04 Thread Douglas Goddard
I'm looking into the PUA issue and will follow up about that.


On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard wrote:

> That is a zip signature looking for double extension files. So, it is
> interesting that it is alerting on a .txt file, unless that is a zip file
> in disguise.
>
> You can whitelist the signature by adding a whitelist.ign file to your
> ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
> In that file put the signature names that you do not want alerting, one per
> line.
>
> This signature and the others published in their set look for common
> double extension tricks like your_document-pdf.exe.
>
> If that is truly a text file or you would like to have me take a look at
> it to see if the signature should be modified please submit it as an FP via
> http://www.clamav.net/fp.
>
> Thanks,
> Doug
>
>
> On Thu, Sep 4, 2014 at 11:23 AM, Mark Price  wrote:
>
>> In the past day we have had clamscan on several servers detect infected
>> files due to:  PUA.Windows.DoubleExtension-zippwd-3
>>
>> I've read the clamscan manpage but have not had any luck with getting the
>> "--detect-pua" option to work.  Example:
>>
>> # clamscan --detect-pua=no ./sample-msg1.txt
>> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>>
>> --- SCAN SUMMARY ---
>> Known viruses: 3515268
>> Engine version: 0.98
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 1
>> Data scanned: 0.00 MB
>> Data read: 0.05 MB (ratio 0.00:1)
>> Time: 9.402 sec (0 m 9 s)
>>
>>
>> In this case, is the infected file being detected by a PUA that I should be
>> able to disable with a command line option?  Or is "PUA" simply part of the
>> virus signature name?
>>
>>
>> Thanks,
>>
>> Mark
>>
>
>


Re: [clamav-users] clamscan and PUA

2014-09-04 Thread Douglas Goddard
That is a zip signature looking for double extension files. So, it is
interesting that it is alerting on a .txt file, unless that is a zip file
in disguise.

You can whitelist the signature by adding a whitelist.ign file to your
ClamAV database directory (for me, the path is: /usr/local/share/clamav/).
In that file put the signature names that you do not want alerting, one per
line.

This signature and the others published in their set look for common double
extension tricks like your_document-pdf.exe.

If that is truly a text file or you would like to have me take a look at it
to see if the signature should be modified please submit it as an FP via
http://www.clamav.net/fp.

Thanks,
Doug


On Thu, Sep 4, 2014 at 11:23 AM, Mark Price  wrote:

> In the past day we have had clamscan on several servers detect infected
> files due to:  PUA.Windows.DoubleExtension-zippwd-3
>
> I've read the clamscan manpage but have not had any luck with getting the
> "--detect-pua" option to work.  Example:
>
> # clamscan --detect-pua=no ./sample-msg1.txt
> ./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 3515268
> Engine version: 0.98
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.05 MB (ratio 0.00:1)
> Time: 9.402 sec (0 m 9 s)
>
>
> In this case, is the infected file being detected by a PUA that I should be
> able to disable with a command line option?  Or is "PUA" simply part of the
> virus signature name?
>
>
> Thanks,
>
> Mark
>
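Doug's description above (a zip signature that flags double-extension names such as your_document-pdf.exe among the archive's members) can be approximated in a few lines, which also makes clear why a name like chartfx70.desktop.jar is a grey area. The code below is an added example, not ClamAV's signature logic; the decoy/executable extension lists and the separator rule are assumptions, and the zip it scans is constructed in memory.

```python
import io
import re
import zipfile
from typing import Dict, List

# Final extensions an attacker typically hides behind a benign-looking one.
# Assumed list for this example, not the set ClamAV's signatures use.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Benign "decoy" extensions commonly seen in double-extension names (assumed).
DECOY_EXTS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "xls", "zip"}

# A decoy extension joined by '.', '-' or '_' to a final extension at the end
# of the name, e.g. "invoice.pdf.exe" or "your_document-pdf.exe".
DOUBLE_EXT_RE = re.compile(
    r"(?i)[.\-_](?P<decoy>[a-z0-9]{2,5})\.(?P<final>[a-z0-9]{2,4})$"
)


def is_double_extension(name: str) -> bool:
    """True if the basename looks like a double-extension disguise."""
    m = DOUBLE_EXT_RE.search(name.rsplit("/", 1)[-1])
    if not m:
        return False
    return (m.group("decoy").lower() in DECOY_EXTS
            and m.group("final").lower() in EXECUTABLE_EXTS)


def suspicious_zip_members(zip_bytes: bytes) -> List[str]:
    """Member names inside a zip archive that trip the heuristic."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_double_extension(n)]


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct a small in-memory zip for testing (harmless sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"photo.jpg.exe": b"x", "report.pdf": b"y",
                        "chartfx70.desktop.jar": b"z"})
    print(suspicious_zip_members(sample))
```

Because "desktop" is not a decoy extension, chartfx70.desktop.jar is not flagged here, which is the distinction Mark draws between "potentially unwanted" and a real disguise.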


[clamav-users] clamscan and PUA

2014-09-04 Thread Mark Price
In the past day we have had clamscan on several servers detect infected
files due to:  PUA.Windows.DoubleExtension-zippwd-3

I've read the clamscan manpage but have not had any luck with getting the
"--detect-pua" option to work.  Example:

# clamscan --detect-pua=no ./sample-msg1.txt
./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND

--- SCAN SUMMARY ---
Known viruses: 3515268
Engine version: 0.98
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.05 MB (ratio 0.00:1)
Time: 9.402 sec (0 m 9 s)


In this case, is the infected file being detected by a PUA that I should be
able to disable with a command line option?  Or is "PUA" simply part of the
virus signature name?


Thanks,

Mark


Re: [clamav-users] ClamAV®: The new ClamAV.net is here!

2014-09-04 Thread Joel Esler
On Thu, Sep 04, 2014 at 07:53:30AM +0200, Andreas Schulze wrote:
> Am 26.08.2014 20:56, schrieb Joel Esler (jesler):
> >   *   Elimination of dead links and pages
> >   
> I was told the old website contained the current pattern version
> somewhere. That function has also gone away.
> It's handy to point a user to the official Website to prove that he's
> running an outdated virus scanner.

We're looking at putting the dates for the downloads back on the site.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

