<div dir="ltr"><div>Those were all the test names from a couple of weeks ago. No explanation of what the tests look for, just the names.<br><br></div>I'd like to tweak mine up a bit and use the PUAs, but without adequate doc/info it's hard to decide just what I want to test against.<br>
</div><div class="gmail_extra"><br clear="all"><div>-- <br>Martin Hepworth, CISSP<br>Oxford, UK</div>
<br><br><div class="gmail_quote">On 24 October 2013 11:59, Richard Mealing <span dir="ltr"><<a href="mailto:richard@fastnet.co.uk" target="_blank">richard@fastnet.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-GB"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi Martin,<u></u><u></u></span></p><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This is quite interesting to me. I’ve previously added PUA support but it’s always been too aggressive. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Are the below all the rules that PUA uses, or are these recommended ones to include? <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Rich<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" lang="EN-US"> <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a> [mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>] <b>On Behalf Of </b>Martin Hepworth<br>
<b>Sent:</b> 22 October 2013 15:31<br><b>To:</b> MailScanner discussion<br><b>Subject:</b> Re: Using DetectPUA yes in clamd.conf<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><div>
<div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Had the same question on the clamav list about a month ago, and also about what the heck the different settings you can use are.</p></div><p class="MsoNormal" style="margin-bottom:12.0pt">
Basically safe to use, but the documentation is sorely lacking as to what PUA types you might want to scan for... e.g. dailies show:</p></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>PUA.Crypt.ScriptCryptor<br>
PUA.CVE_2007_0214<br>PUA.CVE_2007_0325<br>PUA.CVE_2007_1498<br>PUA.CVE_2011_3397<br>PUA.CVE_2012_1419<br>PUA.CVE_2012_1421<br>PUA.CVE_2012_1423<br>PUA.CVE_2012_1430<br>PUA.CVE_2012_1431<br>PUA.EmbeddedJSinOCXinWordDoc<br>
PUA.Everyzone<br>PUA.Exploit.HeapSpray<br>PUA.EXPLOIT_CVE_2006_4701<br>PUA.Game<br>PUA.HTML<br>PUA.IRC<br>PUA.JS<br>PUA.Keylogger-1<br>PUA.Keylogger-2<br>PUA.Keylogger-3<br>PUA.Keylogger-4<br>PUA.Liveplayer<br>PUA.Liveplayer-1<br>
PUA.Liveplayer-2<br>PUA.Mydoomer<br>PUA.NetTool<br>PUA.OLE.EmbeddedPDF<br>PUA.Packed<br>PUA.PDF<br>PUA.PwTool<br>PUA.RAT<br>PUA.Reboot<br>PUA.RelevantKnowledge<br>PUA.RelevantKnowledge-1<br>PUA.RFT.EmbeddedOLE<br>PUA.Script<br>
PUA.Server.PsyBNC<br>PUA.Spy<br>PUA.Tool<br>PUA.Trojan.PHP<br>PUA.USBCillin<br>PUA.VmAvoid<br>PUA.Win32.Packer.22bAn</p></div><p class="MsoNormal">Some are obviously named, but 'reboot'?????</p>
<div><p class="MsoNormal"><u></u> <u></u></p></div></div><div><p class="MsoNormal"><br clear="all"><u></u><u></u></p><div><p class="MsoNormal">-- <br>Martin Hepworth, CISSP<br>Oxford, UK<u></u><u></u></p></div><p class="MsoNormal" style="margin-bottom:12.0pt">
<u></u> <u></u></p><div><p class="MsoNormal">On 22 October 2013 14:06, <<a href="mailto:housey@sme-ecom.co.uk" target="_blank">housey@sme-ecom.co.uk</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Hi<br><br>I use MailScanner with clamd.<br><br>I've had a few instances recently (2 today) where some emails with<br>infected MS Word attachments got through to some end users.<br><br>Sophos running on the users' desktops detected Exp/20120158-A in the<br>
attachments.<br><br>I got hold of the attachments and ran through clamdscan which didn't<br>detect any viruses<br><br>[root@servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc<br>/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK<br>
<br>I then enabled "DetectPUA yes" in clamd.conf and now it detects a<br>possible virus<br><br>[root@servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc<br>/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND<br>
<br>I found this on the clamav web site - it's quite an old article and does<br>say not to use it in production environments.<br><br><a href="http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/" target="_blank">http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/</a><br>
<br>I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to<br>the directive "Virus Names Which Are Spam" in<br>/etc/MailScanner/MailScanner.conf - so it's treated as spam rather than<br>a virus (so it's quarantined, as I delete viruses).<br>
<br>Has anyone any experience of using DetectPUA?<br><br>Thanks<br><br>Paul<br><span style="color:#888888"><br><br><br><br><br><span>--</span><br><span>MailScanner mailing list</span><br><span><a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a></span><br>
<span><a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a></span><br><br><span>Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a></span><br>
<br><span>Support MailScanner development - buy the book off the website!</span></span></p></blockquote></div><p class="MsoNormal"></p></div></div></div></div></div><br>
<br></blockquote></div><br></div>
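As an added illustration of Paul's proposed policy (example code, not from the thread, MailScanner or ClamAV): a Python triage of clamdscan output lines that applies a MailScanner-style "Virus Names Which Are Spam" glob list such as `PUA*`, so PUA hits like PUA.RFT.EmbeddedOLE map to quarantine while other detections stay viruses to be deleted. It assumes the directive's entries are shell-style globs; the sample scan lines and every signature name other than PUA.RFT.EmbeddedOLE and PUA.Packed are constructed.

```python
import fnmatch

# Constructed sample clamdscan output (made-up file names, not from the thread),
# in the "<path>: <result>" line format shown in Paul's post.
SAMPLE_SCAN_OUTPUT = """\
/tmp/invoiceA.doc: OK
/tmp/invoiceB.doc: PUA.RFT.EmbeddedOLE FOUND
/tmp/invoiceC.doc: PUA.Packed FOUND
/tmp/setup.exe: Win.Trojan.Constructed-1 FOUND
/tmp/unreadable.doc: Can't open file or directory ERROR
"""

# MailScanner's "Virus Names Which Are Spam" is a space-separated list; assumption:
# each entry is a shell-style glob, which is how the thread's "PUA*" entry is meant.
VIRUS_NAMES_WHICH_ARE_SPAM = "PUA*"


def parse_clamdscan_line(line):
    """Return (path, signature, status) where status is 'clean', 'found' or 'error'."""
    path, _, result = line.partition(": ")
    if result == "OK":
        return path, None, "clean"
    if result.endswith(" FOUND"):
        return path, result[: -len(" FOUND")], "found"
    if result.endswith(" ERROR"):
        return path, None, "error"
    raise ValueError("unrecognised clamdscan line: %r" % line)


def action_for(signature, spam_names=VIRUS_NAMES_WHICH_ARE_SPAM):
    """'spam' (quarantined) if the name matches a listed glob, else 'virus' (deleted)."""
    for pattern in spam_names.split():
        if fnmatch.fnmatchcase(signature, pattern):
            return "spam"
    return "virus"


def triage(output, spam_names=VIRUS_NAMES_WHICH_ARE_SPAM):
    """Map each scanned path to the action the given policy implies."""
    decisions = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        path, signature, status = parse_clamdscan_line(line)
        if status == "found":
            decisions[path] = action_for(signature, spam_names)
        else:
            decisions[path] = status  # 'clean', or 'error' (file needs a manual look)
    return decisions
```

Narrowing the list to `PUA.RFT.*` instead of `PUA*` shows how a too-aggressive category (say PUA.Packed) can be left as a virus while only the OLE-in-RTF hits are downgraded to spam.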