NethServer Version: NethServer release 7.9.2009 (final)
Module: antivirus (clamav)
Success in the year 2023!
For several days (end of December), clamav has been detecting certain attachments (PDF) with viruses…
Today I managed to have the files sent to Gmail and I was able to download and scan them with the antivirus in virustotal, forticlient(web scan) and in windows; in all of these the result was negative.
I’m following this thread : Clamav antivirus false positive?
In the GUI disable and reactivate the antivirus:
Then I create/added this signature on whitelist:
cat /var/lib/clamav/whitelist.ign2
TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL
But I still got this Error:
Sending of the message failed.
An error occurred while sending mail. The mail server responded: clamav: virus found: “TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL”. Please check the message and try again.
How can I be sure that the whitelist is working?
Regards and thanks.
From the logs
Jan 4 14:28:30 em clamd[6775]: instream(local): TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL FOUND
Jan 4 14:28:30 em rspamd[9941]: <592697>; lua; common.lua:110: clamav: result - virusfound: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL - score: 1"
Jan 4 14:28:30 em rspamd[9941]: <592697>; proxy; rspamd_add_passthrough_result: <70ab457a-8c80-a487-def1-4f6a48940779@myserver.com>: set pre-result to 'reject' (no score): 'clamav: virus found: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL"' from clamav(1)
Jan 4 14:28:30 em rspamd[9941]: <592697>; proxy; rspamd_task_write_log: id: <70ab457a-8c80-a487-def1-4f6a48940779@myserver.com>, qid: <E5759F24AC>, ip: 192.168.22.22, user: user1, from: <myemail@myserver.com>, (default: T (reject): [91.12/20.00] [CLAM_VIRUS(90.00){TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL;},R_MIXED_CHARSET(1.25){subject;},GENERIC_REPUTATION(-0.52){-0.52944943431786;},R_PARTS_DIFFER(0.50){100.0%;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_ORG_HEADER(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:~;4:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 143477, time: 305.239ms, dns req: 0, digest: <1e70bf0770dea8d3552e92f748f53b36>, rcpts: <mailaddr@gmail.com>, mime_rcpts: <mailaddr@gmail.com>, forced: reject "clamav: virus found: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL""; score=nan (set by clamav), settings_id: authenticated
Jan 4 14:28:30 em rspamd[9941]: <592697>; proxy; rspamd_protocol_http_reply: regexp statistics: 65 pcre regexps scanned, 6 regexps matched, 172 regexps total, 14 regexps cached, 2.81KiB scanned using pcre, 2.81KiB scanned total
Jan 4 14:28:30 em postfix/cleanup[12665]: E5759F24AC: milter-reject: END-OF-MESSAGE from unknown[192.168.22.22]: 5.7.1 clamav: virus found: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL"; from=<myemail@myserver.com> to=<mailaddr@gmail.com> proto=ESMTP helo=<[192.168.22.22]>
Jan 4 14:28:30 em rspamd[9941]: <a31909>; proxy; proxy_milter_finish_handler: finished milter connection