Using DetectPUA yes in clamd.conf
housey at sme-ecom.co.uk
Tue Oct 22 14:06:25 IST 2013
Hi

I use MailScanner with clamd.

I've had a few instances recently (2 today) where some emails with
infected MS Word attachments got through to some end users.
Sophos running on the users' desktops detected Exp/20120158-A in the
attachments.

I got hold of the attachments and ran them through clamdscan, which didn't
detect any viruses:

[root@servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK

I then enabled "DetectPUA yes" in clamd.conf and now it detects a
possible virus:

[root@servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND

I found this on the clamav web site - it's quite an old article and does
say not to use it in production environments.
http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/

I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to
the directive "Virus Names Which Are Spam" in
/etc/MailScanner/MailScanner.conf - so it's treated as spam rather than
a virus (so it's quarantined, as I delete viruses).

Has anyone any experience of using DetectPUA?

Thanks
Paul