Discussion:
[clamav-users] False positive on go source code using PUA
P K
2015-11-04 06:03:33 UTC
Hi,

I tried clamdscan with PUA enabled on go source code and saw an error.

Below is the error:

clamdscan -v go1.4.2.src.tar.gz
/home/punit/go1.4.2.src.tar.gz: PUA.File.Exploit.CVE_2012_1461 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.507 sec (0 m 0 s)


Is it really an infected file? Any way to avoid it?

Thanks
--PK
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2015-11-04 09:25:05 UTC
By definition, there is no such thing as a False Positive PUA nor is PUA considered to be infected.
<http://www.clamav.net/documents/potentially-unwanted-applications-pua>.

Based on the description of CVE-2012-1461
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1461> I’d guess it has something to do with the way that file was compressed that might allow it to bypass malware detection by a number of A-V scanners, which simply makes it suspicious.

I don’t see any errors here.

-Al-
Post by P K
Hi,
I tried clamdscan with PUA enabled on go source code and saw an error.
clamdscan -v go1.4.2.src.tar.gz
/home/punit/go1.4.2.src.tar.gz: PUA.File.Exploit.CVE_2012_1461 FOUND
Steve Basford
2015-11-04 10:19:46 UTC
Post by P K
Hi,
I tried clamdscan with PUA enabled on go source code and saw an error.
issue6550.gz: PUA.File.Exploit.CVE_2012_1461

https://www.virustotal.com/en/file/c809983cf1b4f11552a1880272e3002a963a39c453b4883bf47e5c2cfc8f2a47/analysis/1446632226/

7z reports the file as corrupt?


Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
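
Added example, not part of the original thread: one way to triage a hit like this is to locate nested gzip members inside the tarball that fail their own integrity check, as 7z reported for issue6550.gz above. It does not reproduce ClamAV's signature logic; the sample archive and its member names are constructed, and `find_malformed_gzip_members` is a hypothetical helper.

```python
import gzip
import io
import tarfile
import zlib

MAX_OUT = 64 * 1024 * 1024  # assumed cap on decompressed bytes per member


def find_malformed_gzip_members(archive_bytes):
    """Return [(member_name, reason)] for nested gzip files that fail to decompress."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if data[:2] != b"\x1f\x8b":  # not gzip magic, skip
                continue
            total = 0
            try:
                with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                    # Stream and discard; the CRC32/size trailer is checked at EOF.
                    while chunk := gz.read(65536):
                        total += len(chunk)
                        if total > MAX_OUT:
                            raise OSError("decompressed size exceeds cap")
            except (OSError, EOFError, zlib.error) as exc:
                findings.append((member.name, f"{type(exc).__name__}: {exc}"))
    return findings


def build_sample():
    """Constructed sample: a .tar.gz with one valid and one corrupted nested .gz."""
    good = gzip.compress(b"package main\n")
    bad = bytearray(good)
    bad[-8] ^= 0xFF  # flip one byte of the stored CRC32 in the gzip trailer
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in (("src/ok.gz", good),
                              ("src/testdata/broken.gz", bytes(bad)),
                              ("src/main.go", b"package main\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_malformed_gzip_members(build_sample()):
        print(f"{name}: {reason}")
```
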

P K
2015-11-04 11:45:15 UTC
OK, thank you.
Post by Al Varnell
By definition, there is no such thing as a False Positive PUA nor is PUA
considered to be infected.
<http://www.clamav.net/documents/potentially-unwanted-applications-pua>.
Based on the description of CVE-2012-1461
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1461> I’d
guess it has something to do with the way that file was compressed that
might allow it to bypass malware detection by a number of A-V scanners,
which simply makes it suspicious.
I don’t see any errors here.
-Al-
Post by P K
Hi,
I tried clamdscan with PUA enabled on go source code and saw an error.
clamdscan -v go1.4.2.src.tar.gz
/home/punit/go1.4.2.src.tar.gz: PUA.File.Exploit.CVE_2012_1461 FOUND