Hello the list.. I have a problem I wish to submit to your review...

We have run for 4 years without interruption an Exim+Clamav mail server solution that ran smoothly for our needs, until a recent internal false positive was signaled...

One of our members is trying to send internally an email containing a PowerPoint that is virus free (checked with 3 antiviruses), and that I have checked through clamav on the machine that detects it as a virus.. The result of clamscan is eloquent:

    # clamscan selsia.ppt
    selsia.ppt: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 2300132
    Engine version: 0.97.3
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 1.21 MB
    Data read: 0.33 MB (ratio 3.68:1)
    Time: 12.030 sec (0 m 12 s)

But as soon as it is sent by email... Here is the output of the clamd daemon running on a socket:

    Wed Jan 25 15:27:16 2012 -> Accepted connection from 127.0.0.1 on port 1725, fd 12
    Wed Jan 25 15:27:16 2012 -> stream(127.0.0.1@1725): Heuristics.OLE2.ContainsMacros(41bd4de162009c267a78bca387d83f99:157035) FOUND

sending to exim a reject that is logged as:

    2012-01-25 15:27:16 1Rq3oh-00055z-TW H=xxx.ip.network-consulting.fr (glenmorangie.xxxxx.fr) [79.98.xx.xx] F=<x...@xxxxx.fr> rejected after DATA: This message contains a virus or other harmful content (virus_in_message:157035))

I do understand that it is the OLE2ContainsMacros function I activated that is the cause, but aren't the signatures used by the daemon and by clamscan the same? Why does this false positive happen, and does anyone have an idea how to solve it without removing this scan (we happen to have occasional real virus attempts in ppt)?

Thanks for your kind answer..

T. de LASSAT
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
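The following script is an added example by the editor, not code from the poster or from the ClamAV or Exim projects. It correlates clamd's `FOUND` lines with Exim's `rejected after DATA ... virus_in_message` lines by timestamp, so an administrator can see at a glance which rejects came from a heuristic verdict (ClamAV prefixes those with `Heuristics.`) and which came from a signature match. The log lines are constructed: the first clamd/Exim pair reproduces the event quoted above, the second pair is made up to show a plain signature hit next to it; the two-second matching window and the field layout of the regular expressions are assumptions based on the formats shown in the post.

```python
import re
from datetime import datetime

# Constructed sample log lines, modelled on the two formats quoted in the post.
# The first clamd/Exim pair reproduces the reported event; the second pair is
# made up to show what a signature hit looks like next to a heuristic verdict.
CLAMD_LOG = """\
Wed Jan 25 15:27:16 2012 -> Accepted connection from 127.0.0.1 on port 1725, fd 12
Wed Jan 25 15:27:16 2012 -> stream(127.0.0.1@1725): Heuristics.OLE2.ContainsMacros(41bd4de162009c267a78bca387d83f99:157035) FOUND
Wed Jan 25 15:31:02 2012 -> stream(127.0.0.1@1730): Eicar-Test-Signature FOUND
"""

EXIM_LOG = """\
2012-01-25 15:27:16 1Rq3oh-00055z-TW H=xxx.ip.network-consulting.fr (glenmorangie.xxxxx.fr) [79.98.xx.xx] F=<x...@xxxxx.fr> rejected after DATA: This message contains a virus or other harmful content (virus_in_message:157035))
2012-01-25 15:31:03 1Rq3sN-00056a-Ab H=mail.example.test [192.0.2.10] F=<sender@example.test> rejected after DATA: This message contains a virus or other harmful content (virus_in_message:68)
"""

# clamd writes a ctime-style timestamp; the day may be padded with an extra space.
CLAMD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> "
    r"stream\([^)]*\): (?P<name>\S+) FOUND$"
)
# Exim main log: ISO date, message id, then the reject text from the malware ACL.
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) .*"
    r"rejected after DATA: .*virus_in_message"
)


def parse_clamd(text):
    """Return (timestamp, verdict name) for every FOUND line clamd logged."""
    hits = []
    for line in text.splitlines():
        m = CLAMD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m.group("name")))
    return hits


def parse_exim(text):
    """Return (timestamp, message id) for every Exim reject caused by the malware ACL."""
    rejects = []
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            rejects.append((ts, m.group("msgid")))
    return rejects


def verdict_kind(name):
    """ClamAV prefixes heuristic detections with 'Heuristics.'; anything else
    is a match against the signature database."""
    return "heuristic" if name.startswith("Heuristics.") else "signature"


def correlate(clamd_text, exim_text, window_seconds=2):
    """Attach the nearest clamd verdict (within the window) to each Exim reject."""
    hits = parse_clamd(clamd_text)
    results = []
    for ts, msgid in parse_exim(exim_text):
        candidates = [(abs((ts - hts).total_seconds()), name) for hts, name in hits]
        candidates = [c for c in candidates if c[0] <= window_seconds]
        if not candidates:
            results.append({"msgid": msgid, "verdict": None, "kind": "unmatched"})
            continue
        _, name = min(candidates)
        # Heuristic names carry an '(md5:size)' suffix; drop it for reporting.
        base = name.split("(", 1)[0]
        results.append({"msgid": msgid, "verdict": base, "kind": verdict_kind(base)})
    return results


if __name__ == "__main__":
    for r in correlate(CLAMD_LOG, EXIM_LOG):
        print(f"{r['msgid']}: {r['kind']:<9} {r['verdict']}")
```

Run it against copies of the real clamd and Exim logs by replacing the two constructed strings with file contents. A reject whose matched verdict is classified `heuristic` did not come from the signature database, so comparing database versions between clamd and clamscan will not explain it; the heuristic has to be enabled on both sides (in ClamAV 0.97 that is `OLE2BlockMacros` in clamd.conf and `--block-macros` on the clamscan command line) before the two tools will agree on such a file.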