Mailing List Archive

[clamav-users] PUA detected. False Positive?
Clamav is finding this:

"X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
source I trust (well, it is a professional organization anyway).

Is there any way to tell clamav not to run the check for this particular
client and this particular "trojan"? Just not check for it at all?

Or should I submit it as a "False positive" and hope it goes away?


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] PUA detected. False Positive?
A "PUA" is a "potentially unwanted application", not necessarily malicious.
You can disable PUA checks by ensuring that your clamd configuration has
"DetectPUA" set to no.

For reference, the signature is looking for bitwise math on CharCodeAt()
operations in HTML files.

VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^


I created a bogus test file that matches the signature and, with default
configuration settings, it is not detected. But when I force PUA detection
to be on, it is detected.

lothlorien:~$ clamscan test.html
Loading: 6s, ETA: 0s [========================>] 8.62M/8.62M sigs

Compiling: 2s, ETA: 0s [========================>] 41/41 tasks

~/test.html: OK

----------- SCAN SUMMARY -----------
Known viruses: 8622174
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.865 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:01
End Date: 2022:07:15 16:31:11

lothlorien:~$ clamscan --detect-pua=yes test.html
Loading: 6s, ETA: 0s [========================>] 8.64M/8.64M sigs

Compiling: 2s, ETA: 0s [========================>] 41/41 tasks

~/test.html: PUA.Win.Trojan.Xored-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8637594
Engine version: 0.105.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 9.614 sec (0 m 9 s)
Start Date: 2022:07:15 16:31:17
End Date: 2022:07:15 16:31:26

--Maarten

On Fri, Jul 15, 2022 at 4:02 PM joe a <joea-lists@j4computers.com> wrote:

> Clamav is finding this:
>
> "X-Virus-Status: Infected (PUA.Win.Trojan.Xored-1)" in emails from a
> source I trust (well, it is a professional organization anyway).
>
> Is there any way to tell clamav not to run the check for this particular
> client and this particular "trojan"? Just not check for it at all?
>
> Or should I submit it as a "False positive" and hope it goes away?
>
Re: [clamav-users] PUA detected. False Positive?
Thank you. I believe I understand.

I was actually looking for a way to turn off checking for this
particular "PUA", hopefully just for this sender, while keeping PUA
checks still enabled for other cases.

In the past I've not had great success searching entirely on my own.

joe a.

On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
> A "PUA" is a "potentially unwanted application", not necessarily
> malicious. You can disable PUA checks by ensuring that your clamd
> configuration has "DetectPUA" set to no.
>
> For reference, the signature is looking for bitwise math on CharCodeAt()
> operations in HTML files.
>
> VIRUS NAME: PUA.Win.Trojan.Xored-1
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>
>
> I created a bogus test file that matches the signature and, with default
> configuration settings, it is not detected. But when I force PUA
> detection to be on, it is detected.
>
> lothlorien:~$ clamscan test.html
> Loading:     6s, ETA:   0s [========================>]    8.62M/8.62M sigs
> Compiling:   2s, ETA:   0s [========================>]       41/41 tasks
>
> ~/test.html: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8622174
> Engine version: 0.105.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 9.865 sec (0 m 9 s)
> Start Date: 2022:07:15 16:31:01
> End Date:   2022:07:15 16:31:11
>
> lothlorien:~$ clamscan --detect-pua=yes test.html
> Loading:     6s, ETA:   0s [========================>]    8.64M/8.64M sigs
> Compiling:   2s, ETA:   0s [========================>]       41/41 tasks
>
> ~/test.html: PUA.Win.Trojan.Xored-1 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8637594
> Engine version: 0.105.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 9.614 sec (0 m 9 s)
> Start Date: 2022:07:15 16:31:17
> End Date:   2022:07:15 16:31:26
>
> --Maarten
Re: [clamav-users] PUA detected. False Positive?
To turn it off entirely, you would create a file ending in .ign2 and put
the signature name in that file.

I'm not sure there is a good way to do it only for that particular sender,
unless you have a way to send those messages to a differently configured
ClamAV setup. I don't do a lot of email scanning, so I'm not sure what the
limitations are there.

--Maarten

On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists@j4computers.com> wrote:

> Thank you. I believe I understand.
>
> I was actually looking for a way to turn off checking for this
> particular "PUA", hopefully just for this sender, while keeping PUA
> checks still enabled for other cases.
>
> In the past I've not had great success searching entirely on my own.
>
> joe a.
Re: [clamav-users] PUA detected. False Positive?
My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and
get this error:

"LibClamAV Error: cli_loadign: No signature name provided"

Is the signature name not "PUA.Win.Trojan.Xored-1"?

joe a.

On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
> To turn it off entirely, you would create a file ending in .ign2 and put
> the signature name in that file.
>
> I'm not sure there is a good way to do it only for that particular
> sender, unless you have a way to send those messages to a differently
> configured ClamAV setup. I don't do a lot of email scanning, so I'm not
> sure what the limitations are there.
>
> --Maarten
Re: [clamav-users] PUA detected. False Positive?
That error was corrected, but now the error is "Malformed Database".

Is it not a simple text string on a single line?

joe a.

On 7/15/2022 6:29 PM, joe a wrote:
> My ignorance shows. Created file "/my_install_path/ignore_list.ign2" and
> get this error:
>
> "LibClamAV Error: cli_loadign: No signature name provided"
>
> Is the signature name not "PUA.Win.Trojan.Xored-1"
>
> joe a.
Re: [clamav-users] PUA detected. False Positive?
Yes, just make sure you don't have embedded spaces, carriage returns or other invisible characters.

-Al-
--
ClamXAV User

> On Jul 15, 2022, at 8:43 PM, joe a <joea-lists@j4computers.com> wrote:
>
> That error was corrected, but now the error is "Malformed Database".
>
> Is it not a simple text string on a single line?
>
> joe a.
Re: [clamav-users] PUA detected. False Positive? [ In reply to ]
Does that include CR at the end of a line? Docs suggest multiple
ignores in one file, each on its own line. Did I misread? (not the
first time)

joe a

On 7/16/2022 12:18 AM, Al Varnell via clamav-users wrote:
> Yes, just make sure you don't have embedded spaces, carriage returns or
> other invisible characters.
>
> -Al-
> --
> ClamXAV User
>
>> On Jul 15, 2022, at 8:43 PM, joe a <joea-lists@j4computers.com> wrote:
>>
>> That error was corrected, but now the error is "Malformed Database".
>>
>> Is it not a simple text string on a single line?
>>
>> joe a.
>>
>> On 7/15/2022 6:29 PM, joe a wrote:
>>> My ignorance shows. Created file "/my_install_path/ignore_list.ign2"
>>> and get this error:
>>> "LibClamAV Error: cli_loadign: No signature name provided"
>>> Is the signature name not "PUA.Win.Trojan.Xored-1"
>>> joe a.
>>> On 7/15/2022 4:59 PM, Maarten Broekman via clamav-users wrote:
>>>> To turn it off entirely, you would create a file ending in .ign2 and
>>>> put the signature name in that file.
>>>>
>>>> I'm not sure there is a good way to do it only for that particular
>>>> sender, unless you have a way to send those messages to a
>>>> differently configured ClamAV setup. I don't do a lot of email
>>>> scanning, so I'm not sure what the limitations are there.
>>>>
>>>> --Maarten
>>>>
>>>> On Fri, Jul 15, 2022 at 4:41 PM joe a <joea-lists@j4computers.com> wrote:
>>>>
>>>>     Thank you.  I believe I understand.
>>>>
>>>>     I was actually looking for a way to turn off checking for this
>>>>     particular "PUA", hopefully just for this sender, while keeping PUA
>>>>     checks still enabled for other cases.
>>>>
>>>>     In the past I've not had great success searching entirely on my own.
>>>>
>>>>     joe a.
Re: [clamav-users] PUA detected. False Positive? [ In reply to ]
Apparently resolved by having *only* the signature name on the line.

joe a

On 7/16/2022 3:32 PM, joe a wrote:
> Does that include CR at the end of a line? Docs suggest multiple
> ignores in one file, each on its own line. Did I misread? (not the
> first time)
>
> joe a
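The checks discussed in this thread (only the signature name on each line, no embedded spaces, carriage returns or other invisible characters) can be run over the raw bytes of an ignore file before ClamAV loads it. This is an added example, not part of any poster's message and not ClamAV code: its rules are a conservative reading of the thread's advice rather than ClamAV's own parser, and the function names, the allowed-character pattern and the second signature name are assumptions.

```python
import re
import unicodedata

BOM = b"\xef\xbb\xbf"
# Unicode categories treated as "invisible" here: controls, format
# characters and all kinds of spaces.
HIDDEN = {"Cc", "Cf", "Zs", "Zl", "Zp"}
# Assumption for this example: a bare name uses only these characters,
# as PUA.Win.Trojan.Xored-1 from the thread does.
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def _hidden(ch):
    return unicodedata.category(ch) in HIDDEN


def _lines(data):
    """Split on LF only, so a stray CR stays visible to the checks."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # the final newline ends the last entry
    return lines


def lint_ign2(data):
    """Return [(line_number, problem), ...] for the raw bytes of an .ign2 file."""
    problems = []
    if data.startswith(BOM):
        problems.append((1, "UTF-8 byte order mark before the first name"))
        data = data[len(BOM):]
    for number, raw in enumerate(_lines(data), start=1):
        if b"\r" in raw:
            problems.append((number, "carriage return on the line"))
            raw = raw.replace(b"\r", b"")
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            problems.append((number, "bytes that are not valid UTF-8"))
            continue
        visible = "".join(ch for ch in text if not _hidden(ch))
        if not visible:
            problems.append((number, "blank line, no signature name"))
            continue
        if " " in text or "\t" in text:
            problems.append((number, "space or tab on the line"))
        codes = sorted({f"U+{ord(ch):04X}" for ch in text
                        if _hidden(ch) and ch not in " \t"})
        if codes:
            problems.append((number, "invisible character " + ", ".join(codes)))
        if not NAME_RE.fullmatch(visible):
            problems.append((number, "text other than a bare signature name"))
    return problems


def normalize_ign2(data):
    """Drop BOM, CRs, spaces, invisible characters and blank lines.

    Visible extras (quotes, comments) are left in place so that lint_ign2
    still reports them and they get fixed by hand.
    """
    if data.startswith(BOM):
        data = data[len(BOM):]
    names = []
    for raw in _lines(data):
        text = raw.decode("utf-8", errors="replace")
        name = "".join(ch for ch in text if not _hidden(ch))
        if name:
            names.append(name)
    return "".join(name + "\n" for name in names).encode("utf-8")


# Constructed sample inputs; Example.Constructed.Name-1 is a made-up name.
SAMPLES = {
    "clean": b"PUA.Win.Trojan.Xored-1\n",
    "crlf": b"PUA.Win.Trojan.Xored-1\r\n",
    "trailing space": b"PUA.Win.Trojan.Xored-1 \n",
    "blank line": b"PUA.Win.Trojan.Xored-1\n\nExample.Constructed.Name-1\n",
    "quoted": b'"PUA.Win.Trojan.Xored-1"\n',
    "zero-width space": "PUA.Win.Trojan.Xored-1\u200b\n".encode("utf-8"),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, lint_ign2(data) or "OK")
```

To check a real file, pass its bytes as read with `open(path, "rb").read()` so that line endings are not translated before the checks run.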
Re: [clamav-users] PUA detected. False Positive? [ In reply to ]
I see you figured it out, but just to close this out...

As long as there is another entry on the next line, a CR is OK. In your case ClamAV was looking for a second entry and, not finding one, it assumed malformation.

-Al-
--
ClamXAV User

On Jul 16, 2022, at 12:32, joe a <joea-lists@j4computers.com> wrote:
> Does that include CR at the end of a line? Docs suggest multiple ignores in one file, each on its own line. Did I misread? (not the first time)
>
> joe a
>>>>> https://github.com/Cisco-Talos/clamav-documentation
>>>>>
>>>>> https://docs.clamav.net/#mailing-lists-and-chat
>>>> _______________________________________________
>>>> clamav-users mailing list
>>>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/Cisco-Talos/clamav-documentation
>>>> https://docs.clamav.net/#mailing-lists-and-chat
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/Cisco-Talos/clamav-documentation
>>>
>>> https://docs.clamav.net/#mailing-lists-and-chat