Clamav antivirus false positive?

NethServer Version: NethServer release 7.6.1810 (final)

Hi everyone, using the programmed scan of clamav from today the system has detected several files infected with Win.Exploit.CVE_2019_0903-6966169-0 FOUND in .pdf file and even on a server system font file: rsfs10.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
False positive ?
Thank you

Installed Packages
Name : nethserver-clamscan
Arch : noarch
Version : 0.1.2
Release : 3.ns7.sdl
Size : 69 k
Repo : installed
From repo : stephdl

ClamAV update process started at Sun May 26 19:40:50 2019

main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)

daily.cvd is up to date (version: 25461, sigs: 1581583, f-level: 63, builder: raynman)

bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

Check the files with some other antivirus (virustotal…) but it appears to be a false positive:

thanks, anyway you had read one of the posts you listed me. I believe that this is a false positive.

Hi france,

I had the same error today. Clam found 100s files with: Win.Exploit.CVE_2019_0903-6966169-0 mainly in .ttf, .pdf, .png, …/Sent/…, .eot. Most of them in .pdf.

In WordPress, Links Checker was complaining and reported a few links not working. I checked around and the files were not in the folder it used to be.

In Thunderbird, I add a new account: root@myFQDN and in the last 2 reports from Clam, both from 03h47.

  1. Subject: Clam Antivirus Scan Results - Sun May 26 01:50:01 2019
    Lots of virus and files moved to quarantaine.

  2. Subject: /sbin/e-smith/nethserver-clamscan
    sh : ligne 1 : 416 Erreur de segmentation nice /usr/bin/clamscan --recursive --infected --stdout --max-files=10000 --max-filesize=45M --max-scansize=45M --max-recursion=16 --max-dir-recursion=15 --exclude-dir=^/boot --exclude-dir=^/proc --exclude-dir=^/sys --exclude-dir=^/usr/share/doc --exclude-dir=^/var/spool/clamav/quarantine --move=/var/spool/clamav/quarantine --official-db-only=yes --bytecode=yes --bytecode-timeout=120000 --scan-html=yes --max-htmlnormalize=45M --max-htmlnotags=45M --max-scriptnormalize=45M --scan-mail=yes --scan-archive=yes --scan-pdf=yes --scan-ole2=yes --scan-elf=yes --scan-pe=yes --max-embeddedpe=45M --max-iconspe=100 --scan-swf=yes --scan-xmldocs=yes --scan-hwp3=yes --max-rechwp3=16 / 2> /var/log/clamav/clamscan-errors.log

In NS web interface, the files were all in quarantaine and I released back all of them.

WorPress Link Checker stoped complaining.

Those PDF files are old and were transfered from SME-9.2 to NS-7.6.1810. In years, Clam never complained before.

What am I missing here?

Any help appreciated,


Nethserver 7.6.1810
We are seeing the same issue. Emails with attachments are being blocked ones without are OK. Addresses that are whitelisted not affected.
clamd[6379]: instream(local): Win.Exploit.CVE_2019_0903-6966169-0 FOUND
Preformatted text5.7.1 clamav: virus found: “Win.Exploit.CVE_2019_0903-6966169-0”;

Trying this workaround
Archlinux is having the same issue.

Hi Gordon.

According to: at the bottom of the page and

I desactivated Clam in web Interface.

touch /var/lib/clamav/whitelist.ign2

Edit /var/lib/clamav/whitelist.ign2 and add


I activated Clam in web Interface.

Hoping it want sabotage something…


1 Like

Hi again Gordon,

In the web interface, I checked Clam to see when was the last update:

 Last update
     1969-12-31 19:100:

This look 04:900 before the Big Bang for Linux (1970-01-01 00:00).
So I manually updated at the console with:


Web interface

 Last update
     2019-05-26 21:50

Right time.

Then I checked /var/lib/clamav/whitelist.ign2
No more there !!!
Disappeared or included in a .conf somewhere?

Time to take a break and think about something else for a while,


No our edit of the file remain. The process is described here
It is working for us.

Hi, the same situation very similar to yours.
Also happened to me on very old files (.pdf) transferred by time and from other computers.
However I have tried the change and it seems to work.
I noticed that the file is ignored from the shell running only clamscan. Activating from web-gui continues to detect the virus.
We are waiting for a new database to try again.

Known viruses: 6307256
Engine version: 0.101.2
Scanned directories: 2
Scanned files: 15
Infected files: 0
Scanned date: 17.86 MB
Data read: 16.23 MB (ratio 1.10: 1)
Time: 60.168 sec (1 m 0 s)

@dev_team Is it a bug?

With the gui you can enable a lot of settings that could make some false positive, the same setting must be used to compare

Yes, it’s a bug on clamav signature. We must wait the upstream fix :slight_smile:


Sure. Fortunately, the offending files have not been moved to quarantine but only detected, by my choice of option. For me it’s just due to the definitions. Different users of different distros have the same problem. Thanks Stèphane :pray:

Same problem here:

sh: line 1: 2014 Segmentation fault nice /usr/bin/clamscan --recursive --infected --stdout --max-files=10000 --max-filesize=45M --max-scansize=45M --max-recursion=16 --max-dir-recursion=15 --exclude-dir=^/boot --exclude-dir=^/proc --exclude-dir=^/sys --exclude-dir=^/usr/share/doc --exclude-dir=^/var/spool/clamav/quarantine --exclude-dir=^/var/squidguard/blacklists --exclude-dir=^/var/lib/urbackup --exclude-dir=^/etc/suricata/rules/ --exclude-dir=^/tmp/emerging.rules.tar.gz --exclude-dir=^/var/spool/clamav/quarantine --bytecode=yes --bytecode-timeout=120000 --scan-html=yes --max-htmlnormalize=45M --max-htmlnotags=45M --max-scriptnormalize=45M --scan-mail=yes --scan-archive=yes --scan-pdf=yes --scan-ole2=yes --scan-elf=yes --scan-pe=yes --max-embeddedpe=45M --max-iconspe=100 --scan-swf=yes --scan-xmldocs=yes --scan-hwp3=yes --max-rechwp3=16 --phishing-sigs=yes --phishing-scan-urls=yes / 2> /var/log/clamav/clamscan-errors.log

Let’s wait and see…

Can you please show your entry in “whitelist.ign2”?
If I enter Win.Exploit.CVE_2019_0903-6966169-0 I get this error: Scanned Folder: /ERROR: Malformed database. So how to format this entry correctly?


Edit: Please ignore this. I did a enter at the end of the line, so a new empty line was created. :blush:

hello unfortunately now the server is down. however if I remember correctly /var/lib/clamav/whitelist.ign2 is the same as yours. As previously written, the shell scan with clamascan does not report virus presence, but activating clamav on email filter on my server continues to give false detection.

1 Like

Just 1 line with
Most are holding but suspect we still have 1 server with the issue and the whitelist file.
grep -i exploit /var/log/maillog will show if it is blocking email

1 Like

Clamav signatures have been fixed, nobody should have problems now.


I can confirm it. Everything well again!

1 Like