Does anyone know why the following might be happening? I'm running
ClamAV 0.99.1 on Linux and clamav-milter/sendmail to scan mail for
viruses. Everything runs fine. Today I had a PDF file (testfile.pdf)
that was a false positive. Here are two problems I ran into.

1) When testfile.pdf is scanned locally it is clean. E.g.:

central(/temp): clamscan testfile.pdf
testfile.pdf: OK
----------- SCAN SUMMARY -----------
Known viruses: 6433527
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.15 MB
Data read: 0.06 MB (ratio 2.53:1)
Time: 24.159 sec (0 m 24 s)

But when the same file is being emailed in it is caught by clamav-milter
as a virus:

central(/var/adm): grep "Heuristics.Encrypted.PDF" clamav-milter.log
Message from <addr...@yahoo.com> to <localuser> infected by
Heuristics.Encrypted.PDF

Why?

2) I would also like to whitelist this signature, so I added
"Heuristics.Encrypted.PDF" to local.ign2 in my database directory, but
the file is still found as a virus by clamav-milter. Nothing changes.

central(/temp): uname -a
Linux central 3.10.18 #14 SMP Sun Jan 26 11:22:30 EST 2014 x86_64
Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz GenuineIntel GNU/Linux