Mailing List Archive

[clamav-users] Is Doc.Packed available as PUA category?
Hi there,

I got an error due to clamav scanning when sending an Excel document where a password is set.
The error was as follows:
"wWDZCZvPwM-1.dat: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND"

I added the following line to clamd.conf to avoid the error, but it didn't work.
"ExcludePUA Packed"

So I changed the category to "Doc.Packed" and the error no longer occurs.
"ExcludePUA Doc.Packed"

I cannot find "Doc.Packed" in the official PUA categories:
https://www.clamav.net/documents/potentially-unwanted-applications-pua

Could you please let me know what is "Doc.Packed" category and whether it is available?

Best regards,
Toshiyuki Honda

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Is Doc.Packed available as PUA category?
Hi there,

On Thu, 14 Jan 2021, Toshiyuki Honda wrote:

> I got an error due to clamav scanning when sending an Excel document where a password is set.
> The error was as follows:
> "wWDZCZvPwM-1.dat: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND"

That is not an error. That is ClamAV correctly doing what it is supposed to do.

> I added the following line to clamd.conf to avoid the error, but it didn't work.
> "ExcludePUA Packed"
>
> So I changed the category to "Doc.Packed" and the error no longer occurs.
> "ExcludePUA Doc.Packed"

Are you sure that you want to do that? Password-protected compressed
malicious mail is one of the most common issues which I see at present.
It is good practice to scan sent mail, but if you are sending the mail
then presumably you will have ways of preventing a scan from rejecting
your own mail other than disabling the scanner for all mail.

> I cannot find "Doc.Packed" in the official PUA categories:
> https://www.clamav.net/documents/potentially-unwanted-applications-pua
>
> Could you please let me know what is "Doc.Packed" category and whether it is available?

The documentation appears to me to be either misleading or out of date.

Try something like this:

$ grep -a '^PUA' .../daily.cld | cut -d'.' -f 1,2,3 | sort | uniq

It might not be a complete list but it will be a start.

--

73,
Ged.

Re: [clamav-users] Is Doc.Packed available as PUA category?
Hi G.W. Haywood,

Thank you for your reply.

> > I added the following line to clamd.conf to avoid the error, but it didn't work.
> > "ExcludePUA Packed"
> >
> > So I changed the category to "Doc.Packed" and the error no longer occurs.
> > "ExcludePUA Doc.Packed"
>
> Are you sure that you want to do that?  Password-protected compressed
> malicious mail is one of the most common issues which I see at present.
> It is good practice to scan sent mail, but if you are sending the mail
> then presumably you will have ways of preventing a scan from rejecting
> your own mail other than disabling the scanner for all mail.

Password-protected Excel files are commonly used by our customers.
I want to avoid them being identified as viruses.
If there is a category that is more suitable for password-protected Excel files than Doc.Packed, I want to exclude it.
Is there a description for Doc.Packed somewhere?

> Try something like this:
>
> $ grep -a '^PUA' .../daily.cld | cut -d'.' -f 1,2,3 | sort | uniq
>
> It might not be a complete list but it will be a start.

I confirmed more categories are included in the list than ones in the document.

Best regards,
Toshiyuki Honda

Re: [clamav-users] Is Doc.Packed available as PUA category?
Hi there,

On Thu, 14 Jan 2021, Toshiyuki Honda wrote:

> Password-protected excels are commonly used in our customers.
> I want to avoid them being identified as viruses.
> If there is a category that is more suitable for password Excel than Doc.Packed, I want to exclude it.

One of the reasons that malicious senders send so many malicious
password protected documents by email is that it is not always easy
to detect malware in them without knowledge of the password, so by
and large scanners like ClamAV don't attempt to do it (even though
most of the time the malicious email will include the password).

If you prevent the scanner from alerting on password protected Excel
documents, and if your users open more or less any password protected
Excel document which comes their way, then you will have a problem
because they probably receive malicious documents every day.

One way to get around the problem is to educate users. For example
you might continue to reject such documents, and suggest your users do
not use Excel password protection. Microsoft password protection is
in many cases trivially cracked, I've done it for customers when they
have lost their passwords. For a simple way of accessing a document
without its password, see for example

http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/

which I found with a simple search and selected more or less at random.

The password is limited to fifteen characters, and the password's hash
is stored in the document as only a 16 bit number. A much more secure
alternative would be to store the unprotected Excel document in a .zip
archive, which is itself password protected (and using a more secure
password feature such as one provided by the archive tool, or a simple
encryption tool like GnuPG and perhaps one of the GUI front ends, of
which several are available):

https://en.wikipedia.org/wiki/GNU_Privacy_Guard

It's much better to use private keys than passwords if you can. It is
admittedly a little more effort, but it's well worth it. Whatever you
do, arrange to send keys and passwords out-of-band - not in the email
with the document! In this way you might be responsible for greatly
improving the security of your users' data, and making it much harder
for the Bad Guys to compromise your users' computers as well. :)

> Is there a description for Doc.Packed somewhere?

The signatures are readily available in the signature database; you can
use 'sigtool' to display them. If you mean you would like to see the
specification for Excel documents themselves, you could look at

https://www.openoffice.org/sc/excelfileformat.pdf

but it's 250 pages.

--

73,
Ged.

Re: [clamav-users] Is Doc.Packed available as PUA category?
G.W. Haywood via clamav-users wrote:
> One of the reasons that malicious senders send so many malicious
> password protected documents by email is that it is not always easy
> to detect malware in them without knowledge of the password, so by
> and large scanners like ClamAV don't attempt to do it (even though
> most of the time the malicious email will include the password).
>
> If you prevent the scanner from alerting on password protected Excel
> documents, and if your users open more or less any password protected
> Excel document which comes their way, then you will have a problem
> because they probably receive malicious documents every day.

I deal with this class of FP by disabling the FP-causing checks in the
primary Clam instance, and enabling them in a secondary instance with a
different set of signatures whose results are scored in SpamAssassin
instead of treated as an absolute go/no-go result. (Or calling ClamAV
from a mediating layer in the mail flow that can achieve much the same
result.)

I don't recall coming across any hits in this particular category, but
what pushed me into this was the stream of otherwise legitimate "You
should really know better"-ish mail from (marketing partners of) banks
that kept triggering Heuristics.Phishing.Email.SpoofedDomain, and the
hassle of figuring out what URL some marketroid had inventively mangled
*this* time.

> One way to get around the problem is to educate users.  For example
> you might continue to reject such documents, and suggest your users do
> not use Excel password protection.  Microsoft password protection is
> in many cases trivially cracked, I've done it for customers when they
> have lost their passwords.  For a simple way of accessing a document
> without its password, see for example
>
> http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/
>
> which I found with a simple search and selected more or less at random.

Unfortunately that doesn't address a password-protected *document*, it
just describes allowing changes to locked spreadsheet pages. (IE, a
document you can open, but to some degree can't modify.)

-kgd

Re: [clamav-users] Is Doc.Packed available as PUA category?
Toshiyuki,

Thank you for your interest and use of Clam AV.

The official Clam AV signature naming convention is
(PUA.)Platform.Category.Name-ID-Revision

Thus, "Packed" is a documented category and listed on the website you
linked.

Doc.Packed means the rule is intended to alert on Document files that use
some kind of runtime packer.

Other uses of the Packed category in the official signatures:
14704 Win.Packed.
154 Andr.Packed.
53 Html.Packed.
26 Txt.Packed.
13 Email.Packed.
7 Doc.Packed.
3 Unix.Packed.
2 Img.Packed.
2 BC.Win.Packed.
1 Swf.Packed.

That rule, PUA.Doc.Packed.EncryptedDoc-6563700-0, was created in response
to Encrypted Documents being emailed with passwords in the body.
A workaround, if you don't want to use the ExcludePUA that you mention, if
you or your customers need to email encrypted documents would be to place
the file in a password protected zip file before emailing.

On Wed, Jan 13, 2021 at 7:52 PM Toshiyuki Honda <t_honda@dreamarts.co.jp> wrote:

> Hi there,
>
> I got an error due to clamav scanning when sending an Excel document where
> a password is set.
> The error was as follows:
> "wWDZCZvPwM-1.dat: PUA.Doc.Packed.EncryptedDoc-6563700-0 FOUND"
>
> I added the following line to clamd.conf to avoid the error, but it didn't
> work.
> "ExcludePUA Packed"
>
> So I changed the category to "Doc.Packed" and the error no longer occurs.
> "ExcludePUA Doc.Packed"
>
> I cannot find "Doc.Packed" in the official PUA categories:
> https://www.clamav.net/documents/potentially-unwanted-applications-pua
>
> Could you please let me know what is "Doc.Packed" category and whether it
> is available?
>
> Best regards,
> Toshiyuki Honda
>


--

Matthew Molyett
Malware Researcher

mmolyett@cisco.com

Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
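The naming convention Matthew quotes, (PUA.)Platform.Category.Name-ID-Revision, is enough to build the per-category tally he shows and to see why "ExcludePUA Packed" left PUA.Doc.Packed.EncryptedDoc-6563700-0 alerting while "ExcludePUA Doc.Packed" silenced it. The following is an added editorial example, not code from the thread or from the ClamAV project. The signature from the thread is real; the other signature names and the clamd.conf fragment are constructed for illustration. The exclusion rule implemented here (an ExcludePUA entry silences a PUA signature only when it equals the signature's Platform.Category part) is the editor's model chosen to reproduce the behaviour reported in the thread, not a transcription of libclamav's matching code; test against a real clamd before relying on any other spelling of a category.

```python
"""Parse ClamAV signature names by the (PUA.)Platform.Category.Name-ID-Revision
convention, tally PUA signatures per Platform.Category, and model ExcludePUA.
Editorial example; not ClamAV project code."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Optional "PUA." prefix, then the optional "BC." prefix bytecode signatures
# carry (Matthew's table lists "BC.Win.Packed."), then Platform.Category,
# then the Name with an optional trailing -ID-Revision.  The Name is matched
# non-greedily so the numeric suffix, when present, is split off cleanly.
SIG_RE = re.compile(
    r"^(?P<pua>PUA\.)?(?P<bytecode>BC\.)?"
    r"(?P<platform>[A-Za-z0-9_]+)\.(?P<category>[A-Za-z0-9_]+)\."
    r"(?P<name>.+?)(?:-(?P<sigid>\d+)-(?P<rev>\d+))?$"
)


def parse_signature(sig: str) -> Optional[Dict[str, object]]:
    """Return the components of a signature name, or None if it does not
    follow the convention (e.g. a stray line in sigtool output)."""
    m = SIG_RE.match(sig.strip())
    if not m:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    d["pua"] = m.group("pua") is not None
    d["bytecode"] = m.group("bytecode") is not None
    return d


def tally_categories(sigs: Iterable[str], pua_only: bool = True) -> Counter:
    """Count signatures per Platform.Category, the way Matthew's table does.
    Feed it `sigtool --list-sigs` output (one name per line) for real data."""
    counts: Counter = Counter()
    for s in sigs:
        p = parse_signature(s)
        if p is None or (pua_only and not p["pua"]):
            continue
        prefix = "BC." if p["bytecode"] else ""
        counts[f"{prefix}{p['platform']}.{p['category']}"] += 1
    return counts


def parse_exclude_pua(conf_text: str) -> List[str]:
    """Collect the categories named by ExcludePUA directives in clamd.conf
    text: one category per directive, comment lines and other directives
    are ignored."""
    cats: List[str] = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ExcludePUA":
            cats.append(parts[1])
    return cats


def is_excluded(sig: str, exclude_pua: Iterable[str]) -> bool:
    """Editor's model of ExcludePUA (an assumption, not libclamav's code):
    a PUA signature is silenced only by an entry equal to its
    Platform.Category, so "Packed" does not match PUA.Doc.Packed.* but
    "Doc.Packed" does.  Non-PUA signatures are never affected."""
    p = parse_signature(sig)
    if p is None or not p["pua"]:
        return False
    return f"{p['platform']}.{p['category']}" in set(exclude_pua)


# Constructed sample data: the first name is the one quoted in the thread,
# the rest are made-up names in the same format to exercise each branch.
SAMPLE_SIGNATURES = [
    "PUA.Doc.Packed.EncryptedDoc-6563700-0",  # from the thread
    "PUA.Win.Packed.Example-1-0",             # constructed
    "PUA.Win.Packed.Example-2-0",             # constructed
    "BC.Win.Packed.Example-3-0",              # constructed, bytecode, not PUA
    "PUA.Andr.Packed.Example-4-0",            # constructed
    "Win.Trojan.Example-5-0",                 # constructed, not PUA
    "not a signature name",                   # constructed, unparseable
]

SAMPLE_CLAMD_CONF = """\
# constructed clamd.conf fragment
# what the original poster tried first:
ExcludePUA Packed
# what actually silenced the alert:
ExcludePUA Doc.Packed
LogFile /var/log/clamav/clamd.log
"""


def main() -> None:
    for cat, n in tally_categories(SAMPLE_SIGNATURES, pua_only=False).most_common():
        print(f"{n:>3} {cat}.")
    thread_sig = SAMPLE_SIGNATURES[0]
    for conf in ("ExcludePUA Packed", "ExcludePUA Doc.Packed"):
        cats = parse_exclude_pua(conf)
        print(f"{conf!r:28} -> {thread_sig} "
              f"{'suppressed' if is_excluded(thread_sig, cats) else 'still FOUND'}")


if __name__ == "__main__":
    main()
```

To run the tally over a real database, pipe the output of `sigtool --list-sigs` into `tally_categories` line by line; the parser drops anything that is not a signature name.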
Re: [clamav-users] Is Doc.Packed available as PUA category?
Hi G.W. Haywood, Matthew,

Thank you for your replies.
I understand the category definition and the risk of
excluding it.

Best regards,
Toshiyuki Honda
