ClamAV on PMG not detecting malicious PDF (VirusTotal flags it as infected)

vusald

Member
Apr 16, 2023
Hi,
we're running Proxmox Mail Gateway 9.x with the built-in ClamAV daemon enabled (clamav-daemon, freshclam working fine, latest signatures).
The antivirus engine seems to scan messages (EICAR test works), but real malicious PDFs are passing through without detection.

Today we received an email from mokhov@mail.ioffe.ru via our PMG. It contained a PDF attachment that is flagged as malicious by VirusTotal (multiple engines), yet ClamAV did not detect anything. The PMG logs show:

Code:
pmg-smtp-filter[...] AC12EE69009937B9A0F: SA score=0/5 ...
pmg-smtp-filter[...] AC12EE69009937B9A0F: accept mail to <s.tariyel@domain.tld> (rule: default-accept)

No ClamAV: Found virus line, no quarantine, message was delivered to Exchange. And this is not the first time. We had a similar incident about 3–4 months ago — another PDF with a confirmed malware payload passed through PMG completely undetected by ClamAV. So EICAR is caught, but real-world malicious PDFs (confirmed by VirusTotal) are not.

And actually I’m curious — how did they get so many addresses… and all of them correct… And the outgoing mail — it’s probably an automatic delivery notification. Anyway, I deleted all mails from this guy from our Exchange server.
 

a PDF attachment that is flagged as malicious by VirusTotal (multiple engines), yet ClamAV did not detect anything.
Hi. Does ClamAV at VirusTotal detect it as malware? [1]

If not, then it's expected that your ClamAV doesn't flag it, either.

If yes, then you can investigate, why yours doesn't.

[1] I'm asking because at the moment I can't download the attachment and check it myself.
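The check this reply suggests, as an added illustration that is not code from the thread or from Proxmox: compare the local clamd result with what the ClamAV engine reports on VirusTotal. It assumes the layout of a VirusTotal API v3 file report (`data.attributes.last_analysis_stats` and `last_analysis_results`), and the sample report and vendor names are constructed.

```python
import copy
import json

# Constructed sample shaped like a VirusTotal API v3 file report
# (GET /api/v3/files/<sha256>), trimmed to the fields this check reads.
# Vendor names other than ClamAV are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "data": {"attributes": {
    "last_analysis_stats": {"malicious": 8, "suspicious": 0,
                            "undetected": 56, "harmless": 0},
    "last_analysis_results": {
      "ClamAV":  {"category": "undetected", "result": null},
      "VendorA": {"category": "malicious",  "result": "Trojan.PDF.Generic"},
      "VendorB": {"category": "undetected", "result": null}
    }
  }}
}
""")


def vt_summary(report, engine="ClamAV"):
    """Return (engine_flagged, engine_signature, malicious_count, total_engines)."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.values())          # e.g. the "64" in "8/64"
    entry = attrs["last_analysis_results"].get(engine)
    flagged = entry is not None and entry["category"] in ("malicious", "suspicious")
    return flagged, (entry or {}).get("result"), stats.get("malicious", 0), total


def local_miss_verdict(report, local_found, engine="ClamAV"):
    """Classify a local clamd verdict (True = FOUND) against the same engine on VT."""
    flagged, sig, malicious, total = vt_summary(report, engine)
    if local_found:
        return "detected"
    if not flagged:
        # The engine has no signature for this sample anywhere; a local miss is expected.
        return f"expected-miss: {engine} on VirusTotal is also undetected ({malicious}/{total} vendors flag it)"
    # Same engine detects it elsewhere: look at local signature freshness, config, or scan path.
    return f"investigate: {engine} on VirusTotal flags it as {sig}; check local signatures and PMG scan config"


def with_engine_result(report, engine, category, result):
    """Return a copy of the report with one engine's verdict replaced (for what-if checks)."""
    new = copy.deepcopy(report)
    new["data"]["attributes"]["last_analysis_results"][engine] = {"category": category, "result": result}
    return new
```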
 
I've checked. "8/64 security vendors flagged this file as malicious". So it may or may not be malicious.

Anyway, ClamAV at virustotal isn't detecting it (yet?). So it's no surprise that yours isn't.