19 January

ClamAV False positives on PDF files

Written by João Vieira

Problem

ClamAV is classifying emails with PDF attachments as SPAM for no reason, as the logs report:

./clamd.log

stream(127.0.0.1@1681): Heuristics.Encrypted.PDF FOUND
stream(127.0.0.1@2020): Heuristics.Encrypted.PDF FOUND
stream(127.0.0.1@1492): PUA.OLE.EmbeddedPDF FOUND

Solution

The solution provided by the website virustotal.com is to tell ClamAV to skip a PUA filter, in this case by adding the following lines to the ClamAV configuration file:

./clamd.conf

DetectPUA yes
ExcludePUA OLE.EmbeddedPDF
ArchiveBlockEncrypted no

Don't forget to restart the ClamAV service / daemon to load the new configuration.
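Before restarting, it is worth checking which detections already in clamd.log the three lines will silence and which will still be reported. The script below is an added example, not part of the original post or of ClamAV. Its function names, the two log entries marked as constructed, and the matching rules in is_silenced are assumptions: ExcludePUA is treated as a dotted prefix after "PUA.", and Heuristics.Encrypted.* is treated as reported only when ArchiveBlockEncrypted is yes.

```python
import re
from collections import Counter

# Matches "<source>: <signature> FOUND", with or without a leading timestamp.
FOUND_RE = re.compile(r"\S+: (?P<sig>\S+) FOUND\s*$")
CONF = """DetectPUA yes
ExcludePUA OLE.EmbeddedPDF
ArchiveBlockEncrypted no
"""  # the three lines from the page

LOG = """stream(127.0.0.1@1681): Heuristics.Encrypted.PDF FOUND
stream(127.0.0.1@2020): Heuristics.Encrypted.PDF FOUND
stream(127.0.0.1@1492): PUA.OLE.EmbeddedPDF FOUND
stream(127.0.0.1@1777): Eicar-Test-Signature FOUND
stream(127.0.0.1@1801): PUA.Constructed.Sample FOUND
"""  # the last two entries are constructed for this example

def parse_conf(text):
    """Collect clamd.conf directives; repeated keys (ExcludePUA) keep every value."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip())
    return conf

def is_silenced(sig, conf):
    """Assumed matching rules (see lead-in), not ClamAV's own logic."""
    if sig.startswith("Heuristics.Encrypted."):
        return conf.get("ArchiveBlockEncrypted", ["no"])[-1].lower() != "yes"
    if sig.startswith("PUA."):
        if conf.get("DetectPUA", ["no"])[-1].lower() != "yes":
            return True  # PUA detection switched off entirely
        name = sig[4:]
        return any(name == c or name.startswith(c + ".") for c in conf.get("ExcludePUA", []))
    return False  # ordinary malware signatures are untouched by these options

def triage(log_text, conf_text):
    conf = parse_conf(conf_text)
    kept, silenced = Counter(), Counter()
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            (silenced if is_silenced(m["sig"], conf) else kept)[m["sig"]] += 1
    return kept, silenced  # (still reported, silenced) counts per signature

if __name__ == "__main__":
    print(triage(LOG, CONF))
```

Anything unexpected in the silenced set means the exclusion is broader than the PDF false positives it was meant to fix.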

Useful Links

Virustotal link: https://www.virustotal.com/

Last modified on Saturday, 05 November 2016 19:40
João Vieira
