False Positive: PUA.Pdf.Trojan.EmbeddedJavaScript-1

[xthursdayx]

I'm receiving false positives for a number (hundreds) of pdf files with the supposed infection: PUA.Pdf.Trojan.EmbeddedJavaScript-1

I'm wondering if there is a way to whitelist these files or prevent this false positive from happening.

I've searched the web and all I've found is other people having this issue with email signatures while running Mailcow or other services. It seems that they solved this by either disabling PUA detection or by creating whitelist.ign2 or local.ign2 file that included the falsely positive signatures. I'd prefer not to disable PUA detection and it would be impossible to whitelist all of the pdfs, so I'm wondering if you have any idea why this is happening or how I might fix it?

For reference:
mailcow/mailcow-dockerized#2358
https://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[wwwindisch]

The solution is to change in the /etc/clamav/clamd.conf the line

DetectPUA yes to DetectPUA no

You could e.g. do this by having the configs in an external volume. If you are a yml file with docker -compose, you could just add something like:

    volumes:
      - "./config_volumes/clamav/config:/etc/clamav"

after copying the content of /etc/clamav inside the container to .../config_volumes/clamav/config in the hist system an changing the aforementioned line. Then the chances are persistent.