Using DetectPUA yes in clamd.conf

housey at housey at
Tue Oct 22 14:06:25 IST 2013


I use MailScanner with clamd

Ive had a few instances recently (2 today) where some emails with 
infected msword attachments got through to some end users.

Sophos running on the users desktops detected Exp/20120158-A in the 

I got hold of the attachments and ran through clamdscan which didn't 
detect any viruses

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK

I then enabled "DetectPUA yes" in clamd.conf and now it detects a 
possible virus

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND

I found this on the clamav web site - its quite an old article and does 
say not to use in production environments.

Im thinking about enabled DetectPUA in clamd.conf but adding PUA* to 
the directive "Virus Names Which Are Spam" in 
/etc/MailScanner/MailScanner.conf -  so its treated as spam rather than 
a virus (so its quarantined as I delete viruses).

Has anyone any experience of using DetectPUA?



More information about the MailScanner mailing list