<div dir="ltr"><div><div><div>Had the same question to the clamav list about a month ago, and also about what the heck the different settings you can use are.<br><br></div>Basically safe to use, but the documentation is sorely lacking as to what PUA types you might want to scan for... e.g. dailies show:<br>
<br></div><br>
<span class="">PUA</span>.Crypt.ScriptCryptor<br>
<span class="">PUA</span>.CVE_2007_0214<br>
<span class="">PUA</span>.CVE_2007_0325<br>
<span class="">PUA</span>.CVE_2007_1498<br>
<span class="">PUA</span>.CVE_2011_3397<br>
<span class="">PUA</span>.CVE_2012_1419<br>
<span class="">PUA</span>.CVE_2012_1421<br>
<span class="">PUA</span>.CVE_2012_1423<br>
<span class="">PUA</span>.CVE_2012_1430<br>
<span class="">PUA</span>.CVE_2012_1431<br>
<span class="">PUA</span>.EmbeddedJSinOCXinWordDoc<br>
<span class="">PUA</span>.Everyzone<br>
<span class="">PUA</span>.Exploit.HeapSpray<br>
<span class="">PUA</span>.EXPLOIT_CVE_2006_4701<br>
<span class="">PUA</span>.Game<br>
<span class="">PUA</span>.HTML<br>
<span class="">PUA</span>.IRC<br>
<span class="">PUA</span>.JS<br>
<span class="">PUA</span>.Keylogger-1<br>
<span class="">PUA</span>.Keylogger-2<br>
<span class="">PUA</span>.Keylogger-3<br>
<span class="">PUA</span>.Keylogger-4<br>
<span class="">PUA</span>.Liveplayer<br>
<span class="">PUA</span>.Liveplayer-1<br>
<span class="">PUA</span>.Liveplayer-2<br>
<span class="">PUA</span>.Mydoomer<br>
<span class="">PUA</span>.NetTool<br>
<span class="">PUA</span>.OLE.EmbeddedPDF<br>
<span class="">PUA</span>.Packed<br>
<span class="">PUA</span>.PDF<br>
<span class="">PUA</span>.PwTool<br>
<span class="">PUA</span>.RAT<br>
<span class="">PUA</span>.Reboot<br>
<span class="">PUA</span>.RelevantKnowledge<br>
<span class="">PUA</span>.RelevantKnowledge-1<br>
<span class="">PUA</span>.RFT.EmbeddedOLE<br>
<span class="">PUA</span>.Script<br>
<span class="">PUA</span>.Server.PsyBNC<br>
<span class="">PUA</span>.Spy<br>
<span class="">PUA</span>.Tool<br>
<span class="">PUA</span>.Trojan.PHP<br>
<span class="">PUA</span>.USBCillin<br>
<span class="">PUA</span>.VmAvoid<br>
<span class="">PUA</span>.Win32.Packer.22bAn<br><br></div>Some are obviously named but &#39;reboot&#39;?????<br><div><br></div></div><div class="gmail_extra"><br clear="all"><div>-- <br>Martin Hepworth, CISSP<br>Oxford, UK</div>

<br><br><div class="gmail_quote">On 22 October 2013 14:06,  <span dir="ltr">&lt;<a href="mailto:housey@sme-ecom.co.uk" target="_blank">housey@sme-ecom.co.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi<br>
<br>
I use MailScanner with clamd<br>
<br>
I&#39;ve had a few instances recently (2 today) where some emails with<br>
infected msword attachments got through to some end users.<br>
<br>
Sophos running on the users&#39; desktops detected Exp/20120158-A in the<br>
attachments.<br>
<br>
I got hold of the attachments and ran through clamdscan which didn&#39;t<br>
detect any viruses<br>
<br>
[root@servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc<br>
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK<br>
<br>
I then enabled &quot;DetectPUA yes&quot; in clamd.conf and now it detects a<br>
possible virus<br>
<br>
[root@servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc<br>
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND<br>
<br>
I found this on the clamav web site - it&#39;s quite an old article and does<br>
say not to use in production environments.<br>
<br>
<a href="http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/" target="_blank">http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/</a><br>
<br>
I&#39;m thinking about enabling DetectPUA in clamd.conf but adding PUA* to<br>
the directive &quot;Virus Names Which Are Spam&quot; in<br>
/etc/MailScanner/MailScanner.conf - so it&#39;s treated as spam rather than<br>
a virus (so it&#39;s quarantined as I delete viruses).<br>
<br>
Has anyone any experience of using DetectPUA?<br>
<br>
Thanks<br>
<br>
Paul<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
</font></span></blockquote></div><br></div>
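An added example, not part of either poster's message and not MailScanner or ClamAV code: a dry run of the plan discussed in the thread, reading clamdscan result lines, routing PUA* hits to "spam" (quarantine) and everything else to "virus" (delete), and tallying PUA categories. The fnmatch-based matching, the function names and the third sample line are assumptions made for illustration.

```python
import fnmatch
import re
from collections import Counter

# Assumption: glob patterns as they would be listed in MailScanner's
# "Virus Names Which Are Spam"; PUA* is the value proposed in the thread.
SPAM_PATTERNS = ["PUA*"]

# clamdscan prints "<path>: OK" or "<path>: <signature> FOUND".
RESULT_RE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")

# Constructed sample: the two results quoted in the thread plus one
# made-up non-PUA detection (placeholder path and signature name).
SAMPLE_OUTPUT = """\
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
/tmp/sample.bin: Example.Trojan.Placeholder FOUND
"""

def classify(sig, patterns=SPAM_PATTERNS):
    """Return 'clean', 'spam' (quarantined) or 'virus' (deleted)."""
    if sig is None:
        return "clean"
    if any(fnmatch.fnmatchcase(sig, p) for p in patterns):
        return "spam"
    return "virus"

def pua_category(sig):
    """Second dot-separated field of a PUA.* name (e.g. RFT), else None."""
    parts = sig.split(".") if sig else []
    return parts[1] if len(parts) > 1 and parts[0] == "PUA" else None

def triage(output, patterns=SPAM_PATTERNS):
    """Parse clamdscan output into (path, signature, action) plus a category tally."""
    results, categories = [], Counter()
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # scan summary or blank line
        sig = m.group("sig")
        results.append((m.group("path"), sig, classify(sig, patterns)))
        if pua_category(sig):
            categories[pua_category(sig)] += 1
    return results, categories

if __name__ == "__main__":
    rows, tally = triage(SAMPLE_OUTPUT)
    for path, sig, action in rows:
        print(f"{action:6} {sig or '-':32} {path}")
    print(dict(tally))
```

Run against a corpus of known-good mail with DetectPUA enabled, the tally shows which categories would generate noise before the setting goes live; clamd.conf's IncludePUA and ExcludePUA directives then narrow the scan to the categories worth keeping.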