Beginners Questions • Re: [Software]

ClamAV may be giving you false positives for PUA.Win.Trojan.Xored. There are multiple instances that have been reported for this: example 1, example 2, example 3 and others. As explained in this thread:
PUA means "potential unwanted application". PUAs are not viruses; those are claims by ClamAV that there is an application they consider "unwanted" because that file or extension has been proven to be abused in Windows.
Further documentation regarding this from the horse's mouth can be found over here. This documentation also states:
PUA signatures are not as carefully curated as malware signatures because they are not as commonly used. You should expect more false positives when using PUA signatures.
Go through this.

The second piece of malware that has been detected is CVE_2012_1461-1. Now that is something you should look at. Not something to panic or get concerned about, just something to look at. This was identified in the year 2012 and is related to the gzip parser used in various anti-virus/malware software. Using this vulnerability, attackers might be able to infect machines using .tar.gz files.
allows remote attackers to bypass malware detection via a .tar.gz file with multiple compressed streams.
Now since this was reported more than a decade ago, it is highly likely that this was already fixed. But yes, malware bundles do tend to use exploits that have been reported in the past.

For your case the issue happens to be reported inside the Firefox cache. So you must have visited sites which may or may not be infected. Purge the browser cache, stop any auto sync that you may or may not have set up and then run the scan again. After that, run a periodic scan, say every 30-60 minutes of using Firefox, to identify if the same scan results show up. You will then be able to narrow down the website which is having the issue. Then you will be able to make a call.
If you have to visit websites which may be compromised, then please do consider using a restricted account and firejail/AppArmor with an isolated Firefox. Set up Firefox to clean up the browser cache at application close.

Don't worry and don't panic. It may all be a false positive. Emphasis on the word may. Use sensible precautions like: don't use the root account, nor a Linux user account which has sudo or su capabilities; harden the Linux system and keep the system plus software up to date.

Disclaimer: Many of the links that you will go through will say to discontinue using ClamAV. Or to disable PUA scanning. That is not the correct approach IMHO. Many of us run dual boot systems. Or operate in a network which has multiple OSes. Or use our systems as servers. So even if ClamAV is pointing towards a PUA which infects Microsoft Windows, you should not ignore it. It may or may not infect your system, but it has the potential to infect non-Debian systems. So just like COVID-19 infections, some people are carriers and show no impact/symptoms of infection; that does not mean they are not infected. It is just that they can deal with the infection but can cause infection in others. Therefore the request for all to mask up. Or in this case, continue to use ClamAV.

Statistics: Posted by DebianFox — 2025-01-16 06:34
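As an added example, not part of DebianFox's post: a small POSIX shell script that implements the periodic Firefox cache scan suggested above, logging each hit with a timestamp so a repeated detection can be tied to the sites visited in that interval, and counting PUA signatures separately from other detections since the ClamAV docs say PUA hits are the ones most likely to be false positives. It assumes clamscan is installed and the cache lives under ~/.cache/mozilla/firefox (packaged Firefox); the clamscan lines in the demo mode are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: scan the Firefox cache with
# clamscan at a fixed interval and keep a timestamped log so a repeated hit
# can be tied to the sites visited in that interval. Assumes clamscan is on
# PATH and the cache is under ~/.cache/mozilla/firefox (packaged Firefox).
FF_CACHE="${FF_CACHE:-$HOME/.cache/mozilla/firefox}"
LOG="${LOG:-$HOME/clamav-firefox.log}"
INTERVAL="${INTERVAL:-1800}"   # seconds between scans (30 minutes)

# classify_hit LINE: print "pua" for a PUA.* signature, "malware" for any
# other "... FOUND" line from clamscan, and "clean" for everything else.
classify_hit() {
    case "$1" in
        *": PUA."*" FOUND") echo pua ;;
        *" FOUND")          echo malware ;;
        *)                  echo clean ;;
    esac
}

# summarize_scan: read clamscan output on stdin, print "PUA=<n> MALWARE=<m>".
# PUA hits are counted apart because the ClamAV docs warn they are far more
# likely to be false positives than regular malware signatures.
summarize_scan() {
    pua=0; mal=0
    while IFS= read -r line; do
        case "$(classify_hit "$line")" in
            pua)     pua=$((pua + 1)) ;;
            malware) mal=$((mal + 1)) ;;
        esac
    done
    echo "PUA=$pua MALWARE=$mal"
}

# scan_once: scan the cache, append a timestamped summary and every FOUND
# line to the log. clamscan exits 1 on a hit, hence the "|| true".
scan_once() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 1; }
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    out=$(clamscan --infected --recursive --no-summary "$FF_CACHE" 2>/dev/null) || true
    printf '%s %s\n' "$ts" "$(printf '%s\n' "$out" | summarize_scan)" >> "$LOG"
    printf '%s\n' "$out" | grep ' FOUND$' | sed "s/^/$ts /" >> "$LOG"
}

# "run" starts the loop; "demo" pushes two constructed clamscan lines through
# the summarizer so the parsing can be checked without clamscan installed.
case "${1:-}" in
    run)  while :; do scan_once; sleep "$INTERVAL"; done ;;
    demo) printf '%s\n' '/home/u/.cache/mozilla/firefox/p.default/cache2/entries/0A1B: PUA.Win.Trojan.Xored-1 FOUND' \
              '/home/u/Downloads/sample.tar.gz: CVE_2012_1461-1 FOUND' | summarize_scan ;;
esac
```

Start it with `sh scan-ff-cache.sh run` in a terminal while browsing, then compare the timestamps in the log against the sites open in that window; a hit that only recurs after certain sites points at the site, not at the system.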