False positive? PUA.Script.Packed-1

View: New views

2 Messages — Rating Filter: Alert me

False positive? PUA.Script.Packed-1

by Tony Finch :: Rate this Message:

| View Threaded | Show Only this Message

It seems that PUA.Script.Packed-1 matches some code in jQuery
http://jquery.com/

This caused problems for one of my users who tried to email a copy of a
web page as a .mht attachment, which happened to include a copy of jQuery.
http://www.independent.co.uk/news/obituaries/professor-brian-cox-english-scholar-poet-and-editor-of-critical-quarterly-whose-black-papers-sparked-debate-on-education-817250.html

I've advised the user to email links instead of whole pages, but I'm
wondering why jQuery is classed as a PUA - is this deliberate or is
it a false positive?

Tony.
--
f.anthony.n.finch <dot@...> http://dotat.at/
DOVER WIGHT PORTLAND PLYMOUTH: SOUTH 4 AT FIRST IN DOVER AND WIGHT, OTHERWISE
WEST 3 OR 4, INCREASING 5 AT TIMES. SLIGHT OR MODERATE. OCCASIONAL DRIZZLE.
MODERATE OR GOOD, OCCASIONALLY POOR AT FIRST AND LATER.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: False positive? PUA.Script.Packed-1

by Kelson Vibber :: Rate this Message:

| View Threaded | Show Only this Message

Tony Finch wrote:
> I've advised the user to email links instead of whole pages, but I'm
> wondering why jQuery is classed as a PUA - is this deliberate or is
> it a false positive?

I think "PUA" indicates "Potentially Unwanted (something)" -- basically
code or tools that have legitimate uses, but might also be used to sneak
something unwanted onto a system. There was a thread a few weeks ago
where someone had a whole list of things like VNC clients, port
scanners, etc.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml