Using DetectPUA yes in clamd.conf

Martin Hepworth maxsec at gmail.com
Tue Oct 22 15:31:00 IST 2013


had the same question to the clamav list about a month ago, and also about
what the heck the different settings you can use are.

basically safe to use, but the documentation is sorely lacking as to what
PUA types you might want to scan for... e.g. the dailies show:


PUA.Crypt.ScriptCryptor
PUA.CVE_2007_0214
PUA.CVE_2007_0325
PUA.CVE_2007_1498
PUA.CVE_2011_3397
PUA.CVE_2012_1419
PUA.CVE_2012_1421
PUA.CVE_2012_1423
PUA.CVE_2012_1430
PUA.CVE_2012_1431
PUA.EmbeddedJSinOCXinWordDoc
PUA.Everyzone
PUA.Exploit.HeapSpray
PUA.EXPLOIT_CVE_2006_4701
PUA.Game
PUA.HTML
PUA.IRC
PUA.JS
PUA.Keylogger-1
PUA.Keylogger-2
PUA.Keylogger-3
PUA.Keylogger-4
PUA.Liveplayer
PUA.Liveplayer-1
PUA.Liveplayer-2
PUA.Mydoomer
PUA.NetTool
PUA.OLE.EmbeddedPDF
PUA.Packed
PUA.PDF
PUA.PwTool
PUA.RAT
PUA.Reboot
PUA.RelevantKnowledge
PUA.RelevantKnowledge-1
PUA.RFT.EmbeddedOLE
PUA.Script
PUA.Server.PsyBNC
PUA.Spy
PUA.Tool
PUA.Trojan.PHP
PUA.USBCillin
PUA.VmAvoid
PUA.Win32.Packer.22bAn

some are obviously named, but 'reboot'?????


-- 
Martin Hepworth, CISSP
Oxford, UK


On 22 October 2013 14:06, <housey at sme-ecom.co.uk> wrote:

> Hi
>
> I use MailScanner with clamd
>
> I've had a few instances recently (2 today) where some emails with
> infected MS Word attachments got through to some end users.
>
> Sophos running on the users desktops detected Exp/20120158-A in the
> attachments.
>
> I got hold of the attachments and ran them through clamdscan, which didn't
> detect any viruses:
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK
>
> I then enabled "DetectPUA yes" in clamd.conf and now it detects a
> possible virus:
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
>
> I found this on the clamav web site - it's quite an old article and does
> say not to use it in production environments.
>
>
> http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/
>
> I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to
> the directive "Virus Names Which Are Spam" in
> /etc/MailScanner/MailScanner.conf, so it's treated as spam rather than
> a virus (so it's quarantined, as I delete viruses).
>
> Has anyone any experience of using DetectPUA?
>
> Thanks
>
> Paul
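Added example (not from Martin's or Paul's mail, and not ClamAV or MailScanner code): Python that parses clamdscan output like the lines quoted above and applies the routing Paul proposes, PUA* hits quarantined like spam while any other detection is deleted as a virus. Treating "Virus Names Which Are Spam" as shell-style globs, the `pua_category` helper and the sample output are assumptions made for this example; the PUA names follow the dailies list in Martin's reply.

```python
import fnmatch
import re
from typing import List, NamedTuple, Optional

# Shell-style globs standing in for the proposed "Virus Names Which Are Spam = PUA*";
# glob matching is an assumption for this example, not MailScanner's documented rule.
SPAM_NAME_PATTERNS = ["PUA*"]

# clamdscan prints "<path>: <signature> FOUND" for a hit and "<path>: OK" when clean.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

class Verdict(NamedTuple):
    path: str
    signature: Optional[str]  # None when clamd reported OK
    action: str               # "deliver", "quarantine" or "delete"

def pua_category(signature: str) -> Optional[str]:
    """Component after 'PUA.': PUA.RFT.EmbeddedOLE -> 'RFT', PUA.Keylogger-1 -> 'Keylogger-1'."""
    parts = signature.split(".")
    if len(parts) < 2 or parts[0] != "PUA":
        return None
    return parts[1]

def action_for(signature: Optional[str]) -> str:
    """Clean mail is delivered, spam-pattern matches are quarantined, all other hits deleted."""
    if signature is None:
        return "deliver"
    if any(fnmatch.fnmatchcase(signature, p) for p in SPAM_NAME_PATTERNS):
        return "quarantine"
    return "delete"

def route(clamdscan_output: str) -> List[Verdict]:
    """Parse clamdscan output line by line and attach an action to each file."""
    verdicts = []
    for line in clamdscan_output.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # skip summary lines, blanks and error messages
        sig = m.group("sig")
        verdicts.append(Verdict(m.group("path"), sig, action_for(sig)))
    return verdicts

# Constructed sample output modelled on the clamdscan lines quoted in the thread;
# the Win.Trojan name is made up for this example.
SAMPLE_OUTPUT = """\
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
/tmp/minutes.doc: OK
/tmp/setup.exe: Win.Trojan.Agent-Constructed FOUND
"""
```

Running `route(SAMPLE_OUTPUT)` gives quarantine, deliver and delete for the three files in order; a wider `PUA.*` glob list or per-category rules can be dropped into `SPAM_NAME_PATTERNS` without touching the parser.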