ClamAV claims to have found a virus, but the file should be virus-free

NethServer Version: 7.9.2009
Module: clamav

I have a problem with email attachments.

For the same file (an Excel file), it was sent to me last year with no problem. But the same file was sent to me today and the NethServer system rejected the email. The following message appears in the sender’s return mail.

xxxx@xxxxxx.com: host 192.168.12.12[192.168.12.12] said: 554 5.7.1 clamav:
virus found:
“TwinWave.EvilDoc.PolicyKillzEXEInsideOleInsideArchiveExcel.20210423.UNOFFICIAL”
(in reply to end of DATA command)

I am sure the Excel file is virus free. How is it possible to get rid of this problem?
The NethServer system and applications have been updated to the latest version.

In the Antivirus settings you could disable the ClamAV official signatures and/or lower the Third-party signatures rating.

Unfortunately no, the new TwinWave set of signatures can’t be controlled by the rating system.
The only option is to disable the signature.

echo "TwinWave.EvilDoc.PolicyKillzEXEInsideOleInsideArchiveExcel.20210423" >> /var/lib/clamav/mywhitelist.ign2
systemctl restart clamd@rspamd.service

BTW, the signature matches on xls files containing an executable, a very suspect thing.

Shadiness level quite high indeed…

Verify it also with VirusTotal

Verified by VirusTotal, not detected.
My temporary workaround was to add a rule in Email > Filter > Rules to allow emails from the sender’s domain.

Thanks for all the advice.
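
A local triage check for the attachment, added here as an example and not code from the thread, NethServer, ClamAV or TwinWave: it looks for a PE header inside the OLE containers of a workbook, which is what the signature name and the reply above (xls files containing an executable) point to. The signature's real matching logic is not shown in the thread, so this is an assumed approximation; the function names, the size cap and the sample data are constructed.

```python
import io
import struct
import sys
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header
MAX_MEMBER = 64 * 1024 * 1024  # skip oversized zip members (assumed cap)


def find_embedded_pe(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew field points at 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_workbook(blob: bytes) -> dict:
    """Map each OLE container in the file to offsets of PE images inside it."""
    findings = {}
    if blob.startswith(OLE_MAGIC):  # legacy .xls is itself an OLE file
        findings["<workbook>"] = find_embedded_pe(blob)
    elif zipfile.is_zipfile(io.BytesIO(blob)):  # .xlsx/.xlsm or zipped .xls
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    continue
                member = zf.read(info)
                if member.startswith(OLE_MAGIC):
                    findings[info.filename] = find_embedded_pe(member)
    return {name: hits for name, hits in findings.items() if hits}


def constructed_sample(with_exe: bool) -> bytes:
    """Constructed zip with one fake OLE member; not a real workbook."""
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    ole = OLE_MAGIC + b"\x00" * 504 + (stub if with_exe else b"MZ plain text")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":  # usage: python3 script.py attachment.xlsx
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample(True)
    print(scan_workbook(blob) or "no embedded PE header found")
```

The scan is a raw byte heuristic: it does not walk OLE sectors or unpack nested archives, so an empty result does not prove the file is clean. A hit names the embedded object to inspect before adding the signature to the `.ign2` file or allowing the sender's whole domain.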