This is a static archive of the old Zorin Forum.


[SOLVED] ClamTk is buggin me! Or perhaps Steam is bad for you?

OldSchool40

Wed Nov 18, 2015 3:10:04 pm

Been experimenting with ClamTk scans earlier yesterday and got some crazy results! :o

Image

Now seeing this, I looked up some different things to uninstall Steam and I believe I got rid of most of it, but apparently there were still elements of my games left behind that the second scan picked up - is that all really malware!? As you can see I deleted those - but why is it registering the wine program as a PUA? I left that alone because I don't want to unintentionally fubar something without asking for advice first. Also - what are your suggestions for the best settings for ClamTk?

Swarfendor437

Wed Nov 18, 2015 10:01:13 pm

Hi,

Bearing in mind it appears that you are running Windows games inside of GNU/Linux, this is probably why there are some false positives - bearing that in mind, in the past there were some potential malware issues with Steam a few months ago on the Windows platform.

PUA means 'Potentially Unwanted Application' - so it could well be a false positive.

Take a look at this article for instance:

https://github.com/winpython/winpython. ... /issues/18

I haven't looked at ClamTk settings in any great detail but I guess there might be a section which allows you to 'ignore' such items?

I don't use Steam myself - I was trying to have a go a while back but some of the files are just too big and take forever to download. ;) :D

OldSchool40

Thu Nov 19, 2015 1:09:00 pm

Found some additional information here:
http://askubuntu.com/questions/488649/clamav-finding-threat-in-steam-file

Saw this quote:
This is a detection for files that use some kind of runtime packer. A runtime packer can be used to reduce the size of executable files without the need for an external unpacker. While this can't be considered malicious in general, runtime packers are widely used with malicious files since they can prevent an already known malware from detection by an Antivirus product.


Then I checked this recommended thread:
http://forums.clamwin.com/viewtopic.php?p=15591#15587

Found this which explains a lot:
Please turn off PUA detection, and do not use it again. It is broken!

PUA detection (Potentially Unwanted Applications) is for detecting files that are packed with packers used by malware or tools that could be used by malware (such as keyloggers, remote admin tools, some scripts, etc.). The problem is that both malware and "good" programs can use the same packers. Many "good" websites also use java scripts and other scripts that are put in your temporary internet folder that will be detected as PUA files. Many businesses use remote administration tools as well.

Since PUA detection is optionally selected by the user, Clam AV (Clam AV furnishes its scan engine and virus signatures to ClamWin) does not make any adjustment to its PUA signatures. The PUA.Win32.Packer detections will detect many, many, many, many, many, many, good programs. If you use PUA detection with quarantine, it will quarantine important files in error, and you will not be able to restore them--because it will also quarantine the ClamWin quarantine restore program!

Use ClamWin to detect real viruses--not PUA. One last time... Do not use PUA detection. It is broken!


I suspect that programs that had Windows type files or able to use them (like the Shadow Warrior game that was originally for Windows and the wine program which is designed to use Windows programs) were the trigger, not malware - guess I'll have to leave PUA off!
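The distinction drawn in the post above, as an added example that is not part of the original thread: a small shell triage that separates PUA hits from other detections in scan report text, so packer heuristics get reviewed instead of deleted or quarantined. It assumes report lines in the form `<path>: <signature> FOUND`; the sample paths, the signature suffixes and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: split scan hits into "pua" and "malware" before acting on them.
# Input is report text in the form "<path>: <signature> FOUND".

# Constructed sample report; paths and signature suffixes are made up.
sample_report() {
cat <<'EOF'
/home/user/.wine/drive_c/windows/system32/example.exe: PUA.Win32.Packer.Example-1 FOUND
/home/user/.steam/steamapps/common/Game Name/game.exe: PUA.Win32.Packer.Example-2 FOUND
/home/user/Downloads/notes.txt: OK
/home/user/Downloads/sample.bin: Example.Trojan.Agent-1 FOUND
EOF
}

# classify_hits: read report lines on stdin and print one tab-separated
# record "<class> <signature> <path>" per FOUND line. A signature whose
# name starts with "PUA." is classed "pua", anything else "malware".
classify_hits() {
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;          # keep detections only
            *) continue ;;         # skip OK lines, summaries, blanks
        esac
        body=${line% FOUND}
        sig=${body##*: }           # text after the last ": " (paths may contain spaces)
        path=${body%": $sig"}
        case $sig in
            PUA.*) class=pua ;;
            *)     class=malware ;;
        esac
        printf '%s\t%s\t%s\n' "$class" "$sig" "$path"
    done
}

# count_class CLASS: number of hits of that class in the report on stdin.
count_class() {
    classify_hits | awk -F '\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Demo on the constructed sample: list every hit with its class, then a summary.
sample_report | classify_hits
echo "pua=$(sample_report | count_class pua) malware=$(sample_report | count_class malware)"
```

Only the records classed `malware` are candidates for removal; the `pua` records are a review list.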

Swarfendor437

Sat Nov 21, 2015 11:19:16 am

Hi, and thanks for the update - can this thread be [CLOSED] now? ;) :D

OldSchool40

Sun Nov 22, 2015 10:32:30 am

Sure, it's solved now. 8-)