ClamWin Free Antivirus
Support and Discussion Forums
Reporting FP of PUA .lnk?
danq


Joined: 02 Jan 2011
Posts: 0
Hi,

I found a false positive associated with Strawberry Perl (one of the two Win32 binaries listed on perl.org, site is https://www.strawberryperl.com/).

The Start Menu shortcut to cmd.exe is incorrectly reported as a PUA.Pif.Downloader.Gen.

Removing the phrase "Quick way to" from the shortcut's comment "Quick way to get to the command line in order to use Perl." makes the file pass ClamWin.

However, this is a .lnk file, which cannot be reported on the site (or on VirusTotal), as selecting it puts cmd.exe in the Upload box.
I'd probably be able to upload the .lnk file via my Linux partition. However, the form automatically rejects PUAs.

Does anyone here know how to get in touch with the right people about this, without an automated rejection that would otherwise happen?

Thank you!
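When triaging a detection like the one in the post above, it helps to see exactly what text the shortcut carries. This is an added example, not part of the original post and not ClamAV code: a minimal Python reader for the comment (NAME_STRING) field of a .lnk file, following the public MS-SHLLINK layout. The sample shortcut is constructed, and decoding non-Unicode strings as cp1252 is an assumption.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, IS_UNICODE = 0x01, 0x02, 0x04, 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def lnk_comment(data: bytes):
    """Return the NAME_STRING (shortcut comment) of a .lnk file, or None."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                     # fixed-size ShellLinkHeader ends here
    if flags & HAS_ID_LIST:      # 2-byte size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # 4-byte size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    if not flags & HAS_NAME:
        return None
    count = struct.unpack_from("<H", data, pos)[0]   # length in characters
    # Assumption: non-Unicode strings are decoded as cp1252 for display.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    raw = data[pos + 2 : pos + 2 + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated NAME_STRING")
    return raw.decode(codec, errors="replace")


def build_sample_lnk(comment: str) -> bytes:
    """Constructed minimal shortcut: header plus a Unicode NAME_STRING only."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, HAS_NAME | IS_UNICODE)
    header = header.ljust(76, b"\x00")
    return header + struct.pack("<H", len(comment)) + comment.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk(
        "Quick way to get to the command line in order to use Perl.")
    print(lnk_comment(sample))
```

On a real shortcut, pass the file's bytes (read in binary mode) to `lnk_comment` to list the comment before and after editing it.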
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Don't worry about reporting PUA false positives. Potentially Unwanted Application detection is an optional detection selected by the user to warn him/her about a file that could be a malware tool (packer, remote administration tool, etc.) or a file that has been created by such a tool (packer, keylogger, etc.). The user selects to use the PUA detection, and the user can de-select it. Additionally, the user can exclude categories from PUA detection (--exclude-pua=pua.Pif.Downloader.Gen). Since PUA detection is up to the user, Clam does not adjust PUA false positives.

PUAs don't mean as much as they used to anyway. Lots of "good" software uses the same tools as malware now. If PUA detection is activated, you can get lots of benign scripts and other detections from the web.

Regards,
danq


Joined: 02 Jan 2011
Posts: 0
I just recently started adding PUAs to the scan parameters, as well as the unofficial sigs via Clamsup.

I know that it's more of a guide (e.g. packed installers, PDFs with Javascript), but the phrase "Pif.Downloader" doesn't sound like something one would call a PUA.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Well, I suppose a PIF could either be "good" or malicious. Both good and bad files can download. All the PUA does is bring it to the attention of the user who has enabled PUA detection. If the user is aware of the file, that is okay. If he was not aware of it, then the PUA detection has brought it to his/her attention.

Most users should just leave PUA detection disabled, which is the ClamWin default. I think it generally causes more problems than it should. That's probably why it doesn't seem to be used in some AVs now--it's probably been replaced by more specific heuristics.

Regards,