19 January

ClamAV False positives on PDF files

Written by 

Problem

ClamAv is classifying emails with PDF attachments as SPAM for no reason, as logs report:

./clamd.log

stream(127.0.0.1@1681): Heuristics.Encrypted.PDF FOUND
stream(127.0.0.1@2020): Heuristics.Encrypted.PDF FOUND
stream(127.0.0.1@1492): PUA.OLE.EmbeddedPDF FOUND

Solution

The solution provided by the website virustotal.com is to tell ClamAV to skip the a PUA filter, in this case adding to the clam configuration file the following lines:

./clamd.conf

DetectPUA yes
ExcludePUA OLE.EmbeddedPDF
ArchiveBlockEncrypted no

Dont forget to restart the ClamAV service / daemon to load the new configuration.

Usefull Links

Virustotal link: https://www.virustotal.com/

 

 

Read 9143 times Last modified on Saturday, 05 November 2016 19:40
Rate this item
(0 votes)

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Latest Posts

Contacts

João Vieira

Skype: jcv.pt

Email: info@joao-vieira.pt

About

This is my personal page, here you will find IT related, projects, discussions and reviews. Feel free to coment and leave your input.