I recently started using the 'clamav-unofficial-sigs' script
(https://github.com/extremeshok/clamav-unofficial-sigs/) and noticed
that some 'unofficial' detections are blocked properly, while others are
just '/turned into a spam report/'.
Here's a part of the log for one that's blocked:
(07385-19) run_av (ClamAV-clamd): /var/spool/amavis/tmp/amavis-20201015T100234-07385-bZgYJcQq/parts INFECTED: Porcupine.Junk.40702.UNOFFICIAL
(07385-19) virus_scan: (Porcupine.Junk.40702.UNOFFICIAL), detected by 1 scanners: ClamAV-clamd
(07385-19) Blocked INFECTED (Porcupine.Junk.40702.UNOFFICIAL) {DiscardedInbound,Quarantined}, ...
And here's a part of the log for one that's merely converted to a spam
report:
(20911-18) run_av (ClamAV-clamd): /var/spool/amavis/tmp/amavis-20201015T110518-20911-6Oyb0AUP/parts INFECTED: Sanesecurity.Badmacro.Doc.ArrWind1.UNOFFICIAL, Sanesecurity.Badmacro.Doc.ArrWind1.UNOFFICIAL
(20911-18) Turning AV infection into a spam report: score=0.1, AV:Sanesecurity.Badmacro.Doc.ArrWind1.UNOFFICIAL=0.1
Why is that? What setting controls that?
Regards,
Danilo