Heuristics.Encrypted.PDF

ljety

Well-Known Member
Oct 25, 2018
Hi all,

We use Mail Gateway 7.1-7. Now we got an e-mail with "virus detected: Heuristics.Encrypted.PDF (clamav)" inside.
Log:

Code:
Sep 27 13:29:32 pmg postfix/smtpd[60467]: connect from mail-out.sender.com[141.xxx.xxx.xxx]
Sep 27 13:29:32 pmg postfix/smtpd[60467]: Anonymous TLS connection established from mail-out.sender.com[141.xxx.xxx.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 27 13:29:32 pmg postfix/smtpd[60467]: 2D6E0C098F: client=mail-out.sender.com[141.xxx.xxx.xxx]
Sep 27 13:29:32 pmg postfix/cleanup[60470]: 2D6E0C098F: message-id=<0e299c112e6043d0b5d254bbd20eab15@sender.com>
Sep 27 13:29:32 pmg postfix/qmgr[892]: 2D6E0C098F: from=<user@sender.com>, size=80602, nrcpt=1 (queue active)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: new mail message-id=<0e299c112e6043d0b5d254bbd20eab15@sender.com>#012
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: virus detected: Heuristics.Encrypted.PDF (clamav)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: block mail to <user@receiver.de> (rule: Block Spam (Level 5))
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: processing time: 0.116 seconds (0, 0.054, 0)
Sep 27 13:29:32 pmg postfix/lmtp[60471]: 2D6E0C098F: to=<user@receiver.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.31, delays=0.18/0/0/0.13, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (C0B786332DE9C5641F))
Sep 27 13:29:32 pmg postfix/qmgr[892]: 2D6E0C098F: removed
Sep 27 13:29:37 pmg postfix/smtpd[60467]: disconnect from mail-out.sender.com[141.xxx.xxx.xxx] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

This e-mail was removed and it's not in "attachment quarantine". Sender told us that the attached PDF is not password protected or encrypted. What can I do?
 
What does your 'Block Spam (Level 5)' rule look like?
I'd change it to not block the mail, but quarantine (e.g. attachment quarantine) + ask the sender to send it again

Without more info I'd simply say that either the PDF was encrypted/protected, or it's a false positive from ClamAV (which can happen ofc)
 
OK, that rule only contains a 'block' action which will block the mail (as the name suggests) and no copy will be kept
 
Yes, but the rule "block viruses" is above "block spam (level 5)". If a virus is detected, the mail should be moved to quarantine, shouldn't it?
 
"Heuristics" are not counted as a virus, but only add spam score (how much is configurable in Configuration->Spam detector->Options)
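The distinction made in that reply is visible in the log posted at the top of the thread: the "virus detected: Heuristics.Encrypted.PDF" line is followed by an SA score line whose only hit is ClamAVHeuristics(5), and the block then comes from the spam rule, not the virus rule. The following Python script is an added example (not code from the thread or from Proxmox) that parses pmg-smtp-filter log lines of exactly that shape, groups them by filter id, and reports whether a block was caused by a real signature match, by a heuristic that only contributed spam score, or by spam score alone. The first sample is the thread's own log (addresses redacted as in the original); the second sample, with id DEADBEEF00000001 and the EICAR test signature name, is constructed to exercise the signature branch. The line formats, the "Heuristics." name prefix and the threshold-comparison logic are assumptions based on the lines shown in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample 1: the pmg-smtp-filter lines from the thread (IPs/addresses already redacted there).
SAMPLE_LOG = """\
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: new mail message-id=<0e299c112e6043d0b5d254bbd20eab15@sender.com>#012
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: virus detected: Heuristics.Encrypted.PDF (clamav)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Sep 27 13:29:32 pmg pmg-smtp-filter[59726]: C0B786332DE9C5641F: block mail to <user@receiver.de> (rule: Block Spam (Level 5))
"""

# Sample 2: constructed lines (not from the thread) showing a signature match handled by the virus rule.
CONSTRUCTED_LOG = """\
Sep 27 14:00:00 pmg pmg-smtp-filter[59726]: DEADBEEF00000001: virus detected: Eicar-Test-Signature (clamav)
Sep 27 14:00:00 pmg pmg-smtp-filter[59726]: DEADBEEF00000001: block mail to <user@receiver.de> (rule: Block Viruses)
"""

FILTER_RE = re.compile(r'pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<msg>.*)$')
VIRUS_RE = re.compile(r'^virus detected: (?P<name>\S+) \((?P<engine>[^)]+)\)')
SA_RE = re.compile(r'^SA score=(?P<score>-?\d+)/(?P<limit>\d+) .*hits=(?P<hits>\S*)')
BLOCK_RE = re.compile(r'^block mail to <(?P<rcpt>[^>]+)> \(rule: (?P<rule>.+)\)$')
HIT_RE = re.compile(r'([A-Za-z0-9_]+)\(([-\d.]+)\)')   # one "RULE(score)" entry in the hits list


@dataclass
class FilterEvent:
    """Everything pmg-smtp-filter logged for one filter id."""
    filter_id: str
    detections: list = field(default_factory=list)    # (name, engine)
    sa_score: Optional[int] = None
    sa_limit: Optional[int] = None
    sa_hits: dict = field(default_factory=dict)       # SpamAssassin rule -> points
    blocks: list = field(default_factory=list)        # (recipient, PMG rule name)


def parse_pmg_log(text):
    """Group pmg-smtp-filter lines by filter id and pull out detections, score and block actions."""
    events = {}
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue                     # postfix lines and unrelated daemons are ignored
        ev = events.setdefault(m['id'], FilterEvent(m['id']))
        msg = m['msg']
        v = VIRUS_RE.match(msg)
        s = SA_RE.match(msg)
        b = BLOCK_RE.match(msg)
        if v:
            ev.detections.append((v['name'], v['engine']))
        elif s:
            ev.sa_score, ev.sa_limit = int(s['score']), int(s['limit'])
            ev.sa_hits = {name: float(pts) for name, pts in HIT_RE.findall(s['hits'])}
        elif b:
            ev.blocks.append((b['rcpt'], b['rule']))
    return events


def is_heuristic(name):
    """ClamAV reports heuristic findings under the 'Heuristics.' prefix (assumption from the thread's log)."""
    return name.startswith('Heuristics.')


def classify(ev):
    """'signature'  : a non-heuristic detection, i.e. a real virus verdict
       'heuristic'  : only Heuristics.* detections, which just add spam score
       'spam'       : blocked on score alone, nothing detected
       'delivered'  : no block action logged"""
    if not ev.blocks:
        return 'delivered'
    if any(not is_heuristic(name) for name, _ in ev.detections):
        return 'signature'
    if ev.detections:
        return 'heuristic'
    return 'spam'


def heuristic_points(ev):
    """Points the ClamAVHeuristics rule contributed to the SA score (0 if not hit)."""
    return ev.sa_hits.get('ClamAVHeuristics', 0.0)


def would_pass_without_heuristics(ev):
    """True if the message would have stayed under the spam limit without the heuristic points."""
    if ev.sa_score is None or ev.sa_limit is None:
        return False
    return ev.sa_score - heuristic_points(ev) < ev.sa_limit


def triage(text):
    """Return a one-line summary per filter id, e.g. for reviewing why a mail was blocked."""
    lines = []
    for fid, ev in parse_pmg_log(text).items():
        rules = ', '.join(rule for _, rule in ev.blocks) or '-'
        lines.append(f"{fid}: {classify(ev)} detections={[n for n, _ in ev.detections]} "
                     f"score={ev.sa_score}/{ev.sa_limit} heuristic_points={heuristic_points(ev)} "
                     f"rule={rules}")
    return lines


if __name__ == '__main__':
    for line in triage(SAMPLE_LOG + CONSTRUCTED_LOG):
        print(line)
```

Feed it the pmg-smtp-filter lines for the filter id in question; a result of `heuristic` together with `would_pass_without_heuristics` being true means the mail was blocked only because the ClamAVHeuristics points pushed the score to the spam limit, which is exactly the case where lowering that score in Configuration->Spam detector->Options or switching the rule action to quarantine would have kept a copy.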
 