Hi all,
We use Mail Gateway 7.1-7. Now we got an e-mail with "virus detected: Heuristics.Encrypted.PDF (clamav)" inside.
Log:
Code:
Sep 27 13:29:32 pmg postfix/smtpd[60467]: connect from mail-out.sender.com[141.xxx.xxx.xxx]
Sep 27 13:29:32 pmg postfix/smtpd[60467]: Anonymous TLS connection established from mail-out.sender.com[141.xxx.xxx.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 27 13:29:32 pmg postfix/smtpd[60467]: 2D6E0C098F: client=mail-out.sender.com[141.xxx.xxx.xxx]
Sep 27 13:29:32 pmg postfix/cleanup[60470]: 2D6E0C098F: message-id=<0e299c112e6043d0b5d254bbd20eab15@sender.com>
Sep 27 13:29:32 pmg postfix/qmgr[892]: 2D6E0C098F: from=<user@sender.com>, size=80602, nrcpt=1 (queue active)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: new mail message-id=<0e299c112e6043d0b5d254bbd20eab15@sender.com>#012
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: virus detected: Heuristics.Encrypted.PDF (clamav)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: block mail to <user@receiver.de> (rule: Block Spam (Level 5))
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: processing time: 0.116 seconds (0, 0.054, 0)
Sep 27 13:29:32 pmg postfix/lmtp[60471]: 2D6E0C098F: to=<user@receiver.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.31, delays=0.18/0/0/0.13, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (C0B786332DE9C5641F))
Sep 27 13:29:32 pmg postfix/qmgr[892]: 2D6E0C098F: removed
Sep 27 13:29:37 pmg postfix/smtpd[60467]: disconnect from mail-out.sender.com[141.xxx.xxx.xxx] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
This e-mail was removed and it's not in "attachment quarantine". The sender told us that the attached PDF is not password protected or encrypted. What can I do?
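
Added example, not part of the original post: a Python script that groups the pmg-smtp-filter lines from the log above by filter ID and extracts the detection name, the SA score and hits, and the rule that took the action. The function and pattern names are hypothetical, and the regexes assume the line layout shown in this log.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (filter entries plus one postfix line).
SAMPLE_LOG = """\
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: new mail message-id=<0e299c112e6043d0b5d254bbd20eab15@sender.com>#012
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: virus detected: Heuristics.Encrypted.PDF (clamav)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: block mail to <user@receiver.de> (rule: Block Spam (Level 5))
Sep 27 13:29:32 pmg postfix/qmgr[892]: 2D6E0C098F: removed
"""

# Assumed layout: "... pmg-smtp-filter[pid]: <FILTER-ID>: <message>"
FILTER_LINE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<msg>.*)$")
PATTERNS = {
    "message_id": re.compile(r"^new mail message-id=(<[^>]+>)"),
    "detection": re.compile(r"^virus detected: (\S+) \((\w+)\)"),
    "sa": re.compile(r"^SA score=(\d+)/(\d+) .*hits=(\S*)"),
    "action": re.compile(r"^(\w+) mail to <([^>]+)> \(rule: (.*)\)$"),
}


def summarize(log_text):
    """Group pmg-smtp-filter lines by filter ID and extract the verdict fields."""
    mails = defaultdict(dict)
    for line in log_text.splitlines():
        m = FILTER_LINE.search(line)
        if not m:
            continue  # postfix lines and anything else are ignored
        rec = mails[m["id"]]
        for key, pat in PATTERNS.items():
            hit = pat.match(m["msg"])
            if hit:
                # Single-group patterns store a string, the others a tuple.
                rec[key] = hit.group(1) if pat.groups == 1 else hit.groups()
    return dict(mails)


if __name__ == "__main__":
    for filter_id, rec in summarize(SAMPLE_LOG).items():
        print(filter_id)
        for key, value in rec.items():
            print(f"  {key}: {value}")
```

For the log in this post, the summary shows the acting rule as "Block Spam (Level 5)" with the only SA hit being ClamAVHeuristics(5).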