In a special secured mail system we receive false positives on mails with attachments that contain HTML containers. This only happens with the unofficial virus signatures of ClamAV. When testing with the official signatures it doesn’t happen.
ClamAV matches with:
/home/SecuredHtml.html: TwinWave.EvilHTML.QakyDoRight.20220909.UNOFFICIAL FOUND
In NethServer, ClamAV uses unofficial virus signatures. What’s the reason for using the unofficial ones?
Because of higher memory consumption, low detection rate of current threats and, historically, some false positives from official signatures.
ClamAV official signatures: enable or disable official signatures. These signatures detect many old threats but are not very effective against the latest malware. Usage of official signatures is discouraged on machines with less than 4GB of RAM. Source nethserver-antivirus — NethServer 7 documentation
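One way to triage a scan report like the one quoted in the question: split flagged files into those hit only by `.UNOFFICIAL` signatures (to be reviewed as possible false positives) and those an official signature also matched. This is an added example, not part of the original posts; the function names and every sample line except the first are constructed.

```python
import re
from collections import defaultdict

# clamscan / clamdscan detection line: "<path>: <signature> FOUND"
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUFFIX = ".UNOFFICIAL"  # ClamAV appends this to names from non-official databases

# Constructed sample report; only the first line is taken from the thread.
SAMPLE = """\
/home/SecuredHtml.html: TwinWave.EvilHTML.QakyDoRight.20220909.UNOFFICIAL FOUND
/home/notes.txt: OK
/home/mixed.doc: Example.Thirdparty.Sig.UNOFFICIAL FOUND
/home/mixed.doc: Example.Official.Sig-1 FOUND
/home/a: b.bin: Example.Official.Sig-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
"""

def parse_hits(report):
    """Map each flagged path to its set of (signature, is_unofficial) pairs."""
    hits = defaultdict(set)
    for line in report.splitlines():
        m = HIT.match(line.rstrip())
        if not m:
            continue  # "OK" lines, the summary block, blank lines
        sig = m["sig"]
        unofficial = sig.endswith(SUFFIX)
        name = sig[: -len(SUFFIX)] if unofficial else sig
        hits[m["path"]].add((name, unofficial))
    return dict(hits)

def triage(report):
    """Split flagged files by whether any official signature agrees."""
    result = {"unofficial_only": {}, "official": {}}
    for path, sigs in parse_hits(report).items():
        # Review bucket: every hit on this file came from an unofficial database.
        bucket = "unofficial_only" if all(u for _, u in sigs) else "official"
        result[bucket][path] = sorted(name for name, _ in sigs)
    return result

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE).items():
        for path, names in files.items():
            print(f"{bucket}: {path} -> {', '.join(names)}")
```

A file lands in `official` only when the report contains an official hit for it, so multiple hits per file appear only if the scan was run in a mode that reports every match.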