How to Evaluate Clamscan Results

clamav

I'm running

clamscan -r --infected --heuristic-scan-precedence=yes --detect-pua=yes --detect-structured=no

and am getting some results like PUA.Html.Trojan.Agent-37075 FOUND. Now, I don't find any instructions

in the PUA FAQ nor in the ClamAV Virus Database FAQ
on the wikipedia article

how to evaluate this result, i.e. which workflow has to be processed. Is every result to be removed immediately? Where are documentations of the results? Are there different documentations for different result types?

I'm using clamav 0.99+dfsg-1ubuntu1 on Ubuntu 16.04.

Best Answer

"PUA" means "Potential Unwanted Application"
"Html" means a webpage

And it ends there. You should have far more notices otherwise this is a false positive. This (dutch) shows:

PUA.Win.Tool.Packed-177         
PUA.Html.Trojan.Agent-37075     
PUA.Win.Trojan.Xored-1

... pointing to Windows. What else do you see with that line containing 37075?

Example of a clear malware problem in the browser ...

PUA.Phishing.Bank Found

That shows a site that is considered a phishing.

I would ditch clamav for linux though. 99% are false positives. You are better off using firefox with noscript, ad aware and flashblock.

Related Solutions

ClamAV – How to View Results of Last Clamscan Scan

There is no log file by default - the output goes to stdout.

In order to have a log specify it with the -l option i.e. -l clamav.log

Ubuntu – Clamscan -ri Bash Get Filename

Another solution using awk + readarray;

To process the output of clamscan -ri:

clamscan -ri | awk -F ':' '/FOUND/ {print $1}'

-F ':': sets awk's field separator to :;
/FOUND/: pattern; executes the following action only if the record matches the FOUND string;
{print $1}: prints the first field;

To read the processed output of clamscan -ti into an array $x:

mapfile -t x < <(clamscan -ri | awk -F ':' '/FOUND/ {print $1}')

-t: removes the trailing newline at the end of each line before reading it into the array;
< <(clamscan -ri | awk -F ':' '/FOUND/ {print $1}'): redirects the output of the process substitution <(clamscan -ri | awk -F ':' '/FOUND/ {print $1}') to readarray's stdin

ubuntu@ubuntu:~/tmp$ cat infile
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt: copied to '/folder/infections//HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt'
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt: copied to '/folder/infections//Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt'
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt: copied to '/folder/infections//HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt'
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt: copied to '/folder/infections//HG010_Hyaloglide_product_overview_training_RevC.ppt'
ubuntu@ubuntu:~/tmp$ cat infile | awk -F ':' '/FOUND/ {print $1}'
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt
ubuntu@ubuntu:~/tmp$ mapfile -t x < <(awk -F ':' '/FOUND/ {print $1}' infile)
ubuntu@ubuntu:~/tmp$ echo "${x[@]}"
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt /home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt /home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt /home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt

Best Answer

Related Solutions

ClamAV – How to View Results of Last Clamscan Scan

Ubuntu – Clamscan -ri Bash Get Filename

Related Question