On 01/25/2012 05:02 PM, [Cardiff] Tugdual de LASSAT wrote:
> Hello list,
> 
> I have a problem I wish to submit to your review...
> We have run, for 4 years without interruption, an Exim+ClamAV mail server solution
> that ran smoothly for our needs, until a recent internal false positive was
> reported...
> 
> One of our members is trying to send internally an email containing a
> PowerPoint file that is virus free (checked with 3 antivirus products), and that I
> have checked with ClamAV on the machine that detects it as a virus..
> The result of clamscan is eloquent:
> 
> #clamscan selsia.ppt
> selsia.ppt: OK
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 2300132
> Engine version: 0.97.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 1.21 MB
> Data read: 0.33 MB (ratio 3.68:1)
> Time: 12.030 sec (0 m 12 s)
> 
> But as soon as it is sent by email, here is the output of the clamd daemon
> running on a socket:
> 
> Wed Jan 25 15:27:16 2012 -> Accepted connection from 127.0.0.1 on port 1725, fd 12
> Wed Jan 25 15:27:16 2012 -> stream(127.0.0.1@1725): Heuristics.OLE2.ContainsMacros(41bd4de162009c267a78bca387d83f99:157035) FOUND

This just means that your document contains macros (whether malicious or not).
Either remove the macros from the document, or disable this check.

Are the macros required in the document?

> 
> Sending to exim a reject that is logged as:
> 2012-01-25 15:27:16 1Rq3oh-00055z-TW H=xxx.ip.network-consulting.fr
> (glenmorangie.xxxxx.fr) [79.98.xx.xx] F=<x...@xxxxx.fr> rejected after DATA:
> This message contains a virus or other harmful content
> (virus_in_message:157035))
> 
> I do understand that it is the OLE2ContainsMacros function I activated that
> is the cause, but aren't the signatures used by the daemon and by clamscan
> the same?

You have OLE2BlockMacros on in clamd.conf. Disable it if you don't need it.
clamscan doesn't have a similar option, probably a bug.

> Why does this false positive happen, and does anyone have an idea how to
> solve it without removing this scan (we happen to have occasional real
> virus attempts in .ppt files)?
> 

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
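The thread turns on one distinction: `Heuristics.OLE2.ContainsMacros` is a heuristic verdict (the document merely contains VBA macros), not a signature match for known malware, yet Exim treats every clamd `FOUND` the same way and rejects the message. The following script is an added example, not code from the thread or from the ClamAV project. It parses clamd stream-scan result lines in the format quoted above, separates heuristic hits (names prefixed `Heuristics.`) from signature hits, and maps them to a policy where signature hits are rejected while macro-containing documents are quarantined for review instead of bounced. The `OK` line shape, the sample log lines and the policy table are constructed assumptions; the `(hash:number)` suffix seen in the quoted log is captured but not interpreted.

```python
"""Classify clamd stream-scan results: heuristic vs signature detections.

Added example for the mailing-list thread above; not part of ClamAV.
Line format follows the clamd log quoted in the thread:
  Wed Jan 25 15:27:16 2012 -> stream(127.0.0.1@1725): <NAME>[(<detail>)] FOUND
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The "OK" alternative assumes clamd logs clean results as "stream(...): OK".
CLAMD_RESULT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> "
    r"stream\((?P<host>[^@)]+)@(?P<port>\d+)\): "
    r"(?P<result>(?P<name>\S+?)(?:\((?P<detail>[^)]*)\))? FOUND|OK)$"
)

# Constructed policy table: how a mail filter could treat each verdict class.
# Heuristic hits are quarantined for human review rather than rejected, which
# keeps the macro check active without bouncing legitimate internal documents.
HEURISTIC_POLICY: Dict[str, str] = {
    "OLE2.ContainsMacros": "quarantine",
}
DEFAULT_HEURISTIC_ACTION = "quarantine"
SIGNATURE_ACTION = "reject"


@dataclass
class ScanHit:
    timestamp: str
    client: str           # "host:port" of the clamd stream client
    name: str             # full detection name, e.g. Heuristics.OLE2.ContainsMacros
    detail: Optional[str]  # the "(hash:number)" suffix, if clamd appended one

    @property
    def is_heuristic(self) -> bool:
        # clamd names non-signature (heuristic) detections with a "Heuristics." prefix.
        return self.name.startswith("Heuristics.")

    @property
    def family(self) -> str:
        # "Heuristics.OLE2.ContainsMacros" -> "OLE2.ContainsMacros"; signatures unchanged.
        return self.name.split(".", 1)[1] if self.is_heuristic else self.name


def parse_clamd_line(line: str) -> Optional[ScanHit]:
    """Return a ScanHit for a FOUND line, None for OK lines or non-result lines."""
    m = CLAMD_RESULT_RE.match(line.strip())
    if not m or m.group("result") == "OK":
        return None
    return ScanHit(
        timestamp=m.group("ts"),
        client=f"{m.group('host')}:{m.group('port')}",
        name=m.group("name"),
        detail=m.group("detail"),
    )


def classify(hit: ScanHit) -> str:
    """Map a detection to a filter action under the constructed policy."""
    if not hit.is_heuristic:
        return SIGNATURE_ACTION
    return HEURISTIC_POLICY.get(hit.family, DEFAULT_HEURISTIC_ACTION)


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count actions over a batch of clamd log lines (clean/unparsable lines ignored)."""
    counts: Dict[str, int] = {}
    for line in lines:
        hit = parse_clamd_line(line)
        if hit is not None:
            action = classify(hit)
            counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample log; the first FOUND line mirrors the one quoted in the thread.
SAMPLE_LOG = [
    "Wed Jan 25 15:27:16 2012 -> Accepted connection from 127.0.0.1 on port 1725, fd 12",
    "Wed Jan 25 15:27:16 2012 -> stream(127.0.0.1@1725): "
    "Heuristics.OLE2.ContainsMacros(41bd4de162009c267a78bca387d83f99:157035) FOUND",
    "Wed Jan 25 15:28:00 2012 -> stream(127.0.0.1@1726): Eicar-Test-Signature FOUND",
    "Wed Jan 25 15:29:00 2012 -> stream(127.0.0.1@1727): OK",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        hit = parse_clamd_line(raw)
        if hit:
            kind = "heuristic" if hit.is_heuristic else "signature"
            print(f"{hit.timestamp} {hit.client} {hit.name} [{kind}] -> {classify(hit)}")
    print(summarize(SAMPLE_LOG))
```

Wired into a mail pipeline, this is the split Edwin's answer implies: the OLE2 check can stay enabled for visibility, while only the verdict class that actually denotes known malware produces a hard reject.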