I have to wonder about the value of chasing what might be a ClamAV FP (in the avast forums) when no other AVs detect it and it is a packer-based detection?
Well, it has to do with avast, because they had several issues concerning PUA.Script.Packed malware in the sphere of right detects or FPs and even non-detects. When I actually followed up the PUA.Script related malware at clean-mx I found some examples that avast does not detect. But I will generalize the question to “is this a FP?”.
All detections, and this list is not complete, that avast does not flag. The detections are for fake av cryptors,
I have reported about this to virus AT avast dot com before,
The real problem being the malware name given, and it has two elements: PUA, Potentially Unwanted Application (not what you are stating, PUE), and the Packed element. There are some AVs that alert on all indications of certain packers, regardless of content, and in some cases don’t even unpack it or can’t.
Avast has probably the best packer support of most AVs, so it would, I believe, be likely to have unpacked the script, given the web shield is very hot on the packed script detections.
Also considering this is a PUA, akin to the avast PUP, which is off by default in scans, so I don’t know if that is also the case in the VT scan.
Not to mention the original VT results are 1/42, which isn’t conducive to it being a good detection, especially when coming from just ClamAV.
Well, what DavidR says in his reaction about the PUA detection actually has answered a lot of questions for me, and has set my mind more at ease. PUP detection may be available!
I agree with DavidR also that the detection of packers and wrappers in the case of avast is of an excellent standard, as one of the mods here has explained to me. So I was aware of that fact. Whenever I see the use of “commercial on the fly online wrappers and obfuscation tools” I am afraid it is being used to get malware under the av-radar.
I immediately have reported the use of it to avast via mail. We see it as big clusters of obfuscated (obfuscation scrambling) code on webpages, and especially one should be cautious whenever so-called “DNA scan” and “low quality scanner software” is concerned. To decide if something should be considered a PUP (when installed by the owner of the computer fully knowing what the risks are, and where it is a risktool that the user has no knowledge of) is a difficult one. My advice to all avast users would be to have PUP scanning and sandbox on by default and leave it on,