Ubuntu – ClamAV PUA.Win32.Packer.PrivateExeProte-7

14.04antivirusclamavmalwaremono

I ran ClamAV on my system and it reported two detections.

It reported PUA.Win32.Packer.PrivateExeProte-7 in:

/usr/lib/mono/4.0/mscorlib.dll
/urs/lib/mono/4.5/mscorlib.dll

It says Action taken: None, and I basically have the option to quarantine those files. Is this a virus, trojan or some other malware? I see that my installation of Ubuntu 14.04 has Mono installed (I would assume it was installed by default when I installed the system because I don't remember installing it myself). If this really is malware and I quarantine and remove these files would I break anything?

I also have Windows 7 installed along my Ubuntu 14.04 system and I use ClamAV to protect that system from possibly getting infected and because I wouldn't want to spread possible malware to someone else who uses a Windows OS. I don't have Wine installed.

I tried looking online on various forums but I find conflicting reports and opinions on what this is so that's why I'm asking this question here.

Best Answer

  • The PUA mean "Potentially Unwanted Application", so it's a fairly low priority alert anyway.

    The rest of the definition suggests it has found a Windows binary format that is compressed in such a way that makes introspection difficult for antivirus applications. That makes it invaluable for malware authors because they can keep changing the signature on their malware to evade detection.

    In this case, I think it's just symptomatic of how Mono is built and ClamAV being over-suspicious. I ran a copy of my mscorelib.dlls through VirusTotal and it came back clean. I suggest you do the same.


    If this really is malware and I quarantine and remove these files would I break anything?

    It'd break Mono but if it is infected, that wouldn't be awful. You'd just want to reinstall the Mono packages.