8

I'm running

clamscan -r --infected --heuristic-scan-precedence=yes --detect-pua=yes --detect-structured=no

and am getting some results like PUA.Html.Trojan.Agent-37075 FOUND. Now, I don't find any instructions on how to evaluate this result, i.e. which workflow has to be processed. Is every result to be removed immediately? Where is the documentation of the results? Is there different documentation for different result types?

I'm using clamav 0.99+dfsg-1ubuntu1 on Ubuntu 16.04.

Kalle Richter

1 Answer

7
  • "PUA" means "Potential Unwanted Application"
  • "Html" means a webpage

And it ends there. You should have far more notices; otherwise this is a false positive. This (Dutch) shows:

PUA.Win.Tool.Packed-177         
PUA.Html.Trojan.Agent-37075     
PUA.Win.Trojan.Xored-1

... pointing to Windows. What else do you see with that line containing 37075?

Example of a clear malware problem in the browser ...

PUA.Phishing.Bank Found

That shows a site that is considered phishing.

Besides ClamAV/ClamTk, you can use Firefox with NoScript, ad aware and Flashblock, and scan non-confidential downloaded files with virustotal.com.

Rinzwind
  • Is there a way I could figure this out myself for new results I get? How do you figure this out? If there's no documentation of results I'd have to ask a question on askubuntu for every result I get. That can't be the intention of the author(s) of the software - regardless of the fact that it doesn't work well. – Kalle Richter Jun 29 '16 at 11:08
  • There should be more lines than just that one you used in the question. The one above it should be related (and maybe the one under it) – Rinzwind Jun 29 '16 at 11:20
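
The reading of result names described in the answer, as an added example that is not part of the original thread or of ClamAV: it splits each `FOUND` line of a clamscan report into its dotted fields and groups the hits per file so related lines can be judged together. The sample report and its paths are constructed, the function names are hypothetical, and only the meanings of `PUA`, `Html` and `Win` come from the answer.

```python
import re
from collections import defaultdict

# Field meanings taken from the answer above; extend as you learn more.
PLATFORMS = {"Html": "web page", "Win": "Windows"}

# clamscan prints one "<path>: <signature> FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_signature(sig):
    """Split a signature name into prefix, platform, remaining fields and id."""
    fields = sig.split(".")
    pua = fields[0] == "PUA"          # only reported with --detect-pua=yes
    if pua:
        fields = fields[1:]
    sig_id = None
    m = re.fullmatch(r"(.+)-(\d+)", fields[-1]) if fields else None
    if m:                             # trailing "-<number>" is the signature id
        fields[-1], sig_id = m.group(1), int(m.group(2))
    platform = fields.pop(0) if fields and fields[0] in PLATFORMS else None
    return {"pua": pua, "platform": platform,
            "target": PLATFORMS.get(platform), "rest": fields, "id": sig_id}

def triage(report):
    """Group detections by file; summary and non-FOUND lines are ignored."""
    by_file = defaultdict(list)
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            by_file[m.group("path")].append(parse_signature(m.group("sig")))
    return dict(by_file)

def pua_only(hits):
    """True when every hit on a file is a PUA heuristic (assumption: such
    files are candidates for manual review, not immediate removal)."""
    return all(h["pua"] for h in hits)

# Constructed sample report; the paths are invented for illustration.
SAMPLE = """\
/home/user/Downloads/page.html: PUA.Html.Trojan.Agent-37075 FOUND
/home/user/Downloads/setup.exe: PUA.Win.Tool.Packed-177 FOUND
/home/user/Downloads/setup.exe: PUA.Win.Trojan.Xored-1 FOUND
/home/user/mail/msg.eml: PUA.Phishing.Bank FOUND
Infected files: 3
"""

if __name__ == "__main__":
    for path, hits in triage(SAMPLE).items():
        print(path, "PUA-only" if pua_only(hits) else "mixed", hits)
```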