I recently started using the 'clamav-unofficial-sigs' script (https://github.com/extremeshok/clamav-unofficial-sigs/) and noticed, that some 'unofficial' detections are blocked properly, while others are just '/turned into a spam report/'.
Here's a part of the log for one that's blocked: (07385-19) run_av (ClamAV-clamd): /var/spool/amavis/tmp/amavis-20201015T100234-07385-bZgYJcQq/parts INFECTED: Porcupine.Junk.40702.UNOFFICIAL (07385-19) virus_scan: (Porcupine.Junk.40702.UNOFFICIAL), detected by 1 scanners: ClamAV-clamd (07385-19) Blocked INFECTED (Porcupine.Junk.40702.UNOFFICIAL) {DiscardedInbound,Quarantined}, ... And here's a part of the log for one that's merely converted to a spam report: (20911-18) run_av (ClamAV-clamd): /var/spool/amavis/tmp/amavis-20201015T110518-20911-6Oyb0AUP/parts INFECTED: Sanesecurity.Badmacro.Doc.ArrWind1.UNOFFICIAL, Sanesecurity.Badmacro.Doc.ArrWind1.UNOFFICIAL (20911-18) Turning AV infection into a spam report: score=0.1, AV:Sanesecurity.Badmacro.Doc.ArrWind1.UNOFFICIAL=0.1 Why is that? What setting controls that? Regards, Danilo