Using DetectPUA yes in clamd.conf

Martin Hepworth maxsec at gmail.com
Thu Oct 24 14:54:31 IST 2013


Those were all the test names from a couple of weeks ago. No explanation of
what the tests look for just the names..

I'd like to tweak mine up a bit and use the PUAs, but without adequate
doc/info it's hard to decide just what I want to test against.

-- 
Martin Hepworth, CISSP
Oxford, UK


On 24 October 2013 11:59, Richard Mealing <richard at fastnet.co.uk> wrote:

> Hi Martin,
>
> This is quite interesting to me. I've previously added PUA support but
> it's always been too aggressive.
>
> Are the below all the rules that PUA uses, or are these recommended ones
> to include?
>
> Thanks,
>
> Rich
>
>
> From: mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
> Sent: 22 October 2013 15:31
> To: MailScanner discussion
> Subject: Re: Using DetectPUA yes in clamd.conf
>
> had the same question to the clamav list about a month ago, and also about
> what the heck the different settings you can use are.
>
> basically safe to use, but the documentation is sorely lacking as to what
> PUA types you might want to scan for..... e.g. dailies show..
>
>
> PUA.Crypt.ScriptCryptor
> PUA.CVE_2007_0214
> PUA.CVE_2007_0325
> PUA.CVE_2007_1498
> PUA.CVE_2011_3397
> PUA.CVE_2012_1419
> PUA.CVE_2012_1421
> PUA.CVE_2012_1423
> PUA.CVE_2012_1430
> PUA.CVE_2012_1431
> PUA.EmbeddedJSinOCXinWordDoc
> PUA.Everyzone
> PUA.Exploit.HeapSpray
> PUA.EXPLOIT_CVE_2006_4701
> PUA.Game
> PUA.HTML
> PUA.IRC
> PUA.JS
> PUA.Keylogger-1
> PUA.Keylogger-2
> PUA.Keylogger-3
> PUA.Keylogger-4
> PUA.Liveplayer
> PUA.Liveplayer-1
> PUA.Liveplayer-2
> PUA.Mydoomer
> PUA.NetTool
> PUA.OLE.EmbeddedPDF
> PUA.Packed
> PUA.PDF
> PUA.PwTool
> PUA.RAT
> PUA.Reboot
> PUA.RelevantKnowledge
> PUA.RelevantKnowledge-1
> PUA.RFT.EmbeddedOLE
> PUA.Script
> PUA.Server.PsyBNC
> PUA.Spy
> PUA.Tool
> PUA.Trojan.PHP
> PUA.USBCillin
> PUA.VmAvoid
> PUA.Win32.Packer.22bAn
>
> some are obviously named but 'reboot'?????
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 22 October 2013 14:06, <housey at sme-ecom.co.uk> wrote:
>
> Hi
>
> I use MailScanner with clamd
>
> I've had a few instances recently (2 today) where some emails with
> infected msword attachments got through to some end users.
>
> Sophos running on the users desktops detected Exp/20120158-A in the
> attachments.
>
> I got hold of the attachments and ran through clamdscan which didn't
> detect any viruses
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK
>
> I then enabled "DetectPUA yes" in clamd.conf and now it detects a
> possible virus
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
>
> I found this on the clamav web site - it's quite an old article and does
> say not to use in production environments.
>
>
> http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/
>
> I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to
> the directive "Virus Names Which Are Spam" in
> /etc/MailScanner/MailScanner.conf - so it's treated as spam rather than
> a virus (so it's quarantined, as I delete viruses).
>
> Has anyone any experience of using DetectPUA?
>
> Thanks
>
> Paul
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
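The approach Paul describes in the quoted post (scan with `DetectPUA yes`, then route anything whose detection name matches `PUA*` to MailScanner's spam handling instead of virus handling) can be checked offline before touching a production mail server. The script below is an added example for this archive, not code from the thread, from MailScanner or from ClamAV: it parses `clamdscan` result lines of the form shown above (`path: OK`, `path: NAME FOUND`, plus `ERROR` lines), applies a local list of wildcard patterns, and reports which action the policy would take for each file. The sample output, the `SPAM_NAME_PATTERNS` list and the assumption that the "Virus Names Which Are Spam" directive uses shell-style wildcards are constructed for the example.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed clamdscan output, modelled on the two result lines quoted in the
# thread. These paths and detection names are sample data, not real mail.
SAMPLE_CLAMDSCAN_OUTPUT = """\
/tmp/invoice1.doc: OK
/tmp/invoice2.doc: PUA.RFT.EmbeddedOLE FOUND
/tmp/report.pdf: PUA.OLE.EmbeddedPDF FOUND
/tmp/dropper.exe: Win.Trojan.Agent-12345 FOUND
/tmp/missing.doc: No such file or directory. ERROR

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# Hypothetical local policy: the wildcard patterns one would put in MailScanner's
# "Virus Names Which Are Spam" directive. Names matching any pattern are handled
# as spam (quarantined) rather than as a virus (deleted, in Paul's setup).
# Assumption: the directive matches with shell-style wildcards, as fnmatch does.
SPAM_NAME_PATTERNS: List[str] = ["PUA*"]

# clamdscan prints one result per file: "<path>: OK", "<path>: <name> FOUND"
# or "<path>: <message> ERROR". The path group is greedy, so a ": " inside a
# file name does not confuse the split; summary lines do not match at all.
_RESULT_RE = re.compile(
    r"^(?P<path>.*): (?:(?P<ok>OK)|(?P<name>.+) FOUND|(?P<err>.+) ERROR)$"
)


def parse_result(line: str) -> Optional[Dict[str, str]]:
    """Parse one clamdscan result line; return None for non-result lines."""
    m = _RESULT_RE.match(line.strip())
    if not m:
        return None
    if m.group("ok"):
        return {"path": m.group("path"), "status": "OK", "name": ""}
    if m.group("name"):
        return {"path": m.group("path"), "status": "FOUND", "name": m.group("name")}
    return {"path": m.group("path"), "status": "ERROR", "name": m.group("err")}


def matches_spam_pattern(name: str, patterns: List[str]) -> bool:
    """True if a detection name matches any of the wildcard patterns (case-sensitive)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def decide_action(result: Dict[str, str], patterns: List[str]) -> str:
    """Map a parsed result to the action this policy takes: deliver, spam, virus or error."""
    if result["status"] == "OK":
        return "deliver"
    if result["status"] == "ERROR":
        return "error"   # a scan failure is surfaced, never treated as a clean result
    if matches_spam_pattern(result["name"], patterns):
        return "spam"    # PUA hit: quarantine like spam so a copy is kept for review
    return "virus"       # anything else gets full virus handling


def triage(output: str, patterns: List[str] = SPAM_NAME_PATTERNS) -> Dict[str, str]:
    """Return {path: action} for every result line in a block of clamdscan output."""
    decisions: Dict[str, str] = {}
    for line in output.splitlines():
        parsed = parse_result(line)
        if parsed is not None:
            decisions[parsed["path"]] = decide_action(parsed, patterns)
    return decisions


if __name__ == "__main__":
    for path, action in triage(SAMPLE_CLAMDSCAN_OUTPUT).items():
        print(f"{action:8} {path}")
```

Running the script against real output is a matter of piping `clamdscan` results into `triage`. Because the match is on the detection name rather than on a fixed category list, the same patterns keep working as new `PUA.*` signatures appear in the dailies; the ERROR branch exists so that a file clamd could not scan is flagged rather than delivered as clean.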