Discussion:
Using DetectPUA yes in clamd.conf
housey
2013-10-22 13:06:25 UTC
Hi

I use MailScanner with clamd.

I've had a few instances recently (2 today) where some emails with
infected MS Word attachments got through to some end users.

Sophos running on the users' desktops detected Exp/20120158-A in the
attachments.

I got hold of the attachments and ran them through clamdscan, which didn't
detect any viruses:

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK

I then enabled "DetectPUA yes" in clamd.conf and now it detects a
possible virus:

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND

I found this on the ClamAV web site - it's quite an old article and does
say not to use it in production environments.

http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/

I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to
the directive "Virus Names Which Are Spam" in
/etc/MailScanner/MailScanner.conf - so it's treated as spam rather than
a virus (so it's quarantined, as I delete viruses).

Has anyone any experience of using DetectPUA?

Thanks

Paul
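One way to see what the policy proposed above would do to scanner results, as an added example (not code from this thread, from MailScanner or from ClamAV): it parses constructed `clamdscan -v` output and sorts each file into the deliver / quarantine-as-spam / delete-as-virus buckets that "Virus Names Which Are Spam = PUA*" implies. The glob matching and the detection names other than the ones quoted in the thread are assumptions.

```python
import fnmatch
import re

# Constructed sample of `clamdscan -v` output (not a real scan run).
# The first line is the detection quoted in the thread; the other names
# are made-up placeholders.
SAMPLE_SCAN_OUTPUT = """\
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
/tmp/report.pdf: OK
/tmp/setup.exe: Win.Trojan.Example-0 FOUND
/tmp/tool.exe: PUA.Win32.Packer.22bAn FOUND
"""

# Patterns in the style of MailScanner's "Virus Names Which Are Spam".
# The directive is on the page; treating its entries as shell-style globs
# is an assumption for this example, not MailScanner's own parser.
SPAM_NAME_PATTERNS = ["PUA*"]

# One clamdscan result line: "<path>: <name> FOUND" or "<path>: OK"
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<name>\S+) FOUND|OK)$")


def parse_results(text):
    """Yield (path, detection name or None) for each result line."""
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name")


def classify(name, spam_patterns=SPAM_NAME_PATTERNS):
    """Map a detection name to the action the poster proposed: clean files
    are delivered, PUA-style names are quarantined as spam, and anything
    else is deleted as a virus."""
    if name is None:
        return "deliver"
    if any(fnmatch.fnmatchcase(name, p) for p in spam_patterns):
        return "quarantine-as-spam"
    return "delete-as-virus"


def triage(text, spam_patterns=SPAM_NAME_PATTERNS):
    """Return {path: action} for a block of clamdscan output."""
    return {path: classify(name, spam_patterns) for path, name in parse_results(text)}


def summarize(text, spam_patterns=SPAM_NAME_PATTERNS):
    """Count actions; handy for checking how aggressive a PUA policy is
    over a day's scan log before enforcing it."""
    counts = {"deliver": 0, "quarantine-as-spam": 0, "delete-as-virus": 0}
    for action in triage(text, spam_patterns).values():
        counts[action] += 1
    return counts
```

ClamAV's clamd.conf also accepts IncludePUA / ExcludePUA (see clamd.conf.sample) to narrow which PUA categories are loaded, so the scanner-side scope and the PUA* pattern can be tuned together.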
Martin Hepworth
2013-10-22 14:31:00 UTC
I had the same question on the ClamAV list about a month ago, and also about
what the heck the different settings you can use are.

Basically safe to use, but the documentation is sorely lacking as to what
PUA types you might want to scan for, e.g. the dailies show:

PUA.Crypt.ScriptCryptor
PUA.CVE_2007_0214
PUA.CVE_2007_0325
PUA.CVE_2007_1498
PUA.CVE_2011_3397
PUA.CVE_2012_1419
PUA.CVE_2012_1421
PUA.CVE_2012_1423
PUA.CVE_2012_1430
PUA.CVE_2012_1431
PUA.EmbeddedJSinOCXinWordDoc
PUA.Everyzone
PUA.Exploit.HeapSpray
PUA.EXPLOIT_CVE_2006_4701
PUA.Game
PUA.HTML
PUA.IRC
PUA.JS
PUA.Keylogger-1
PUA.Keylogger-2
PUA.Keylogger-3
PUA.Keylogger-4
PUA.Liveplayer
PUA.Liveplayer-1
PUA.Liveplayer-2
PUA.Mydoomer
PUA.NetTool
PUA.OLE.EmbeddedPDF
PUA.Packed
PUA.PDF
PUA.PwTool
PUA.RAT
PUA.Reboot
PUA.RelevantKnowledge
PUA.RelevantKnowledge-1
PUA.RFT.EmbeddedOLE
PUA.Script
PUA.Server.PsyBNC
PUA.Spy
PUA.Tool
PUA.Trojan.PHP
PUA.USBCillin
PUA.VmAvoid
PUA.Win32.Packer.22bAn

Some are obviously named, but 'Reboot'?
--
Martin Hepworth, CISSP
Oxford, UK
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
Richard Mealing
2013-10-24 10:59:35 UTC
Hi Martin,

This is quite interesting to me. I've previously added PUA support but it's always been too aggressive.

Are the below all the rules that PUA uses, or are these recommended ones to include?


Thanks,
Rich
Martin Hepworth
2013-10-24 13:54:31 UTC
Those were all the test names from a couple of weeks ago. No explanation of
what the tests look for, just the names.

I'd like to tweak mine up a bit and use the PUAs, but without adequate
doc/info it's hard to decide just what I want to test against.
--
Martin Hepworth, CISSP
Oxford, UK