ClamAV - Hardening - bugs
Yes, I am still testing in between my day job and I have found a few more problems.
This is mainly related to the application LXC server, but these tests have implications for the laptop and desktop configuration as well.
As per below.
Interesting results indeed. Let me break down what actually happened, because the headline number is misleading.
First, a real bug to fix: every scan line shows WARNING: Ignoring unsupported option --recursive (-r). clamdscan recurses into directories by default and does not accept --recursive — that flag is for the standalone clamscan, not the daemon client. The scan still worked (clamdscan recursed anyway), but the flag is wrong and should be removed. More on that below.
Now the 22 "threats" — almost all false positives:
The breakdown by signature type:
- 17 × Heuristics.Broken.Media.JPEG.* — these are not malware at all. They're heuristic flags for malformed JPEG structures (duplicate APP markers, bad marker positions) embedded inside the PDFs. Old scanned-book PDFs are full of these — the embedding tools produced technically non-conformant JPEGs. ClamAV's AlertBrokenMedia yes setting (which we enabled) is what's catching them. These are benign.
- 3 × Sanesecurity.Phishing.* (Penetration Testing And Network Defense ×2, The Art of Deception) — Sanesecurity phishing signatures matching text inside security textbooks. A book about phishing and social engineering contains the exact strings the signatures hunt for. Textbook false positives.
- 2 × PUA.* (Hacking The Next Generation → Autorun, Mastering Modern Web Penetration Testing → Html.Trojan.Agent) — Potentially Unwanted Application heuristics. These are pentest books containing example payloads, autorun samples, and web-attack snippets as teaching material. DetectPUA yes flagged the sample code. Expected for security training content.
- 1 × Scorpion-Abstract_o.jpg (Heuristics.Broken.Media.JPEG.JFIFmarkerBadPosition) — your Ghost blog header image, another broken-media heuristic. Benign.
So: zero actual malware. Every hit is a heuristic or content-match false positive driven by the nature of your library — a cybersecurity book collection is the worst-case input for phishing/PUA/macro signatures, because the books legitimately contain and discuss the very things the signatures detect.
The irony is sharp: your pentest bookshelf got quarantined for containing pentest material.
What I'd recommend:
- Fix the --recursive flag — remove it from the generated scan script. It's harmless but wrong and clutters every log line.
- Restore the quarantined files — they're all in /var/quarantine/clamav/. None are threats.
- Decide on a Grimmory exclusion strategy. Three options, in order of how I'd rank them:
  - Disable AlertBrokenMedia and DetectPUA for the scheduled scan — kills the JPEG/PUA noise (19 of 22) while keeping real signature detection. Cleanest.
  - Exclude /srv/grimmory/books from the scheduled scan entirely — it's a curated personal library, not an ingestion point. The real risk path is bookdrop (on-access blocking already covers it). Drop the static library from nightly scans.
  - Add the broken-media/PUA signature names to a local whitelist (.ign2 file) — most surgical but most fiddly to maintain.
My instinct: option 3b + 3a combined. The book library is curated content you already trust — scan the bookdrop ingestion point (on-access, real-time) but drop the static books tree from the nightly sweep, and turn off AlertBrokenMedia/DetectPUA so the heuristic noise stops on everything else too.
But before changing anything — one genuine question worth your judgement: do you want PUA detection off? On a pentest library it's pure noise, but PUA can catch real unwanted bundleware elsewhere on the system. You could keep DetectPUA on globally and just exclude the books tree. Which way do you want to lean — quieter, or more thorough?
Decisions, decisions - not been making good ones lately.
I will replace the code, when I get it behaving the way I intended.
#enoughsaid.
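As an added example (not code from the original post, and not ClamAV's own scripts), here is a small scheduled-scan wrapper that puts the analysis above into practice: the corrected clamdscan invocation without --recursive, the clamd.conf directives for options 3a and 3b, and a triage pass that sorts a clamdscan report into broken-media / PUA / phishing / signature buckets the way the breakdown above does by hand. The paths /srv/grimmory/books and /var/quarantine/clamav are taken from the post; SCAN_ROOT, the function names and the sample report are constructed for this example, and only Heuristics.Broken.Media.JPEG.JFIFmarkerBadPosition and the classic Eicar-Test-Signature in the sample are real signature names.

```shell
#!/bin/sh
# Added example, not code from the original post: a scheduled-scan wrapper
# built around the corrected clamdscan invocation, plus a triage pass that
# groups a clamdscan report by signature family. /srv/grimmory/books and
# /var/quarantine/clamav come from the post; SCAN_ROOT, the function names
# and SAMPLE_REPORT are constructed here.

SCAN_ROOT="${SCAN_ROOT:-/srv/grimmory/bookdrop}"
QUARANTINE="${QUARANTINE:-/var/quarantine/clamav}"

# Corrected invocation. clamdscan recurses into directories on its own;
# --recursive is a clamscan flag and only yields the "Ignoring unsupported
# option" warning on every line. --fdpass hands open file descriptors to
# clamd so the daemon does not need read access to the tree itself.
scan_cmd() {
    printf 'clamdscan --fdpass --infected --move=%s %s\n' "$QUARANTINE" "$SCAN_ROOT"
}

# Options 3a and 3b as clamd.conf directives. clamdscan has no --exclude
# flag; path exclusions and the heuristic switches live in the daemon config.
clamd_overrides() {
    cat <<'EOF'
AlertBrokenMedia no
DetectPUA no
ExcludePath ^/srv/grimmory/books/
EOF
}

# Read a clamdscan report on stdin and count "<path>: <signature> FOUND"
# lines per signature family. Output: "family<TAB>count", sorted by family.
# Warning lines and OK lines do not end in FOUND and are skipped.
triage() {
    awk '
        / FOUND$/ {
            sig = $(NF - 1)
            if (sig ~ /^Heuristics\.Broken\.Media\./)   fam = "broken_media"
            else if (sig ~ /^PUA\./)                     fam = "pua"
            else if (sig ~ /^Sanesecurity\.Phishing\./)  fam = "phishing"
            else                                         fam = "signature"
            count[fam]++
        }
        END { for (fam in count) printf "%s\t%d\n", fam, count[fam] }
    ' | sort
}

# Count for one family as a plain number (0 when absent).
# $1 = family name, report on stdin.
family_count() {
    triage | awk -F '\t' -v want="$1" '$1 == want { c = $2 } END { print c + 0 }'
}

# Constructed sample report in clamdscan's output format, echoing the post's
# breakdown. Only Heuristics.Broken.Media.JPEG.JFIFmarkerBadPosition and
# Eicar-Test-Signature are real signature names; the rest are made up.
SAMPLE_REPORT='WARNING: Ignoring unsupported option --recursive (-r)
/srv/grimmory/books/a.pdf: Heuristics.Broken.Media.JPEG.JFIFmarkerBadPosition FOUND
/srv/grimmory/books/b.pdf: Heuristics.Broken.Media.JPEG.ExampleMarker FOUND
/srv/grimmory/books/c.pdf: Sanesecurity.Phishing.Example FOUND
/srv/grimmory/books/d.pdf: PUA.Example.Autorun FOUND
/srv/grimmory/bookdrop/eicar.com: Eicar-Test-Signature FOUND'

# Run with --demo to print the scan command and triage the sample report.
if [ "${1:-}" = "--demo" ]; then
    scan_cmd
    printf '%s\n' "$SAMPLE_REPORT" | triage
fi
```

In a real nightly job you would pipe the output of scan_cmd through triage and only page on the "signature" bucket; the other three are the heuristic noise the analysis above describes. If you go with option 3c instead, the .ign2 whitelist is a file in clamd's database directory with one exact signature name per line, so the names from the triage output can be copied straight into it.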