Clamav claims to have found a virus, but the file should be virus-free

NethServer Version: 7.9.2009
Module: clamav

I have a problem with email attachments.

For the same file (a Excel file), it was sent to me last year with no problem. But the same file was sent to me today and NethServer system rejected the email. The following message appears in the sender’s return mail. host[] said: 554 5.7.1 clamav:
virus found:
(in reply to end of DATA command)

I am sure the Excel file is virus free. How is it possible to get rid of this problem.
The Nethserver System and applications have been updated to the latest version.

In the Antivirus settings you could disable the ClamAV official signatures and/or lower the Third-party signatures rating.

1 Like

Unfortunately no, the new TwinWave set of signatures can’t be controlled by the rating system.
The only option is to disable the signature.

echo "TwinWave.EvilDoc.PolicyKillzEXEInsideOleInsideArchiveExcel.20210423" >> /var/lib/clamav/mywhitelist.ign2
systemctl restart clamd@rspamd.service

BTW, the signature matches on xls files containing an executable, a very suspect thing.

1 Like

Shadiness level quit high indeed…

Verify it also with Virustotal

Verified by Virustotal, not detected.
My temporary workaround was to add a rule in the Email > Filer > Rules to allow emails from the sender’s domain.

Thanks all advise.