Virus Info: Heuristics.Encrypted.PDF

Philipp

Nov 22, 2009
Hello all,

We continuously have problems with mails being blocked by the (anti-)virus rule.

Matching Rule: Block Viruses
Rule: Block Viruses
Receiver: user@domain.de
Action: block message
Action: notify __ADMIN__
Virus Info: Heuristics.Encrypted.PDF

The senders of this kind of PDF swear they did not use any password or encrypting formats.
What is going on here? How can we "whitelist" the senders' domain without overriding the virus rule?
This seems to be a kind of "false positive" from one of the two virus scanners (AVIRA add-on used here).

Any hints highly appreciated,
Philipp
 
Check the message tracking to see which AV engine detected the email.

And save it as an *.eml file and send it in a password-protected zip file to our support team via https://my.proxmox.com
 
ClamAV detected it, but we blocked it; I think there is no mail file left, then.
We left the "default" Virus Block rule untouched.

- Philipp
 
I suggest you replace "block" with "quarantine" in your virus rule.
 
A file has been sent to the support portal. This PDF triggered the same behaviour as described before.
 
Hi,
I have the same problem and it's very annoying. Do you need more examples?
The "normal" ClamAV in versions 0.97_2 and 0.97_3 didn't find any virus in these PDF files.

Best regards,
Christian
 
Please disable the following ClamAV option: "Configuration/Virus Detector/Options: Block encrypted archives"
 
Hi Tom,
thanks for your answer. Sorry, but this is not a solution for us. Our customers want this option (Block encrypted archives)!
BTW: A PDF is not an archive and is also not encrypted.

We currently use the virus quarantine, but this is only a workaround.
Is this problem not solvable, or are you just working on it?

Best regards,
Christian
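
An added example, not part of the original thread and not Proxmox or ClamAV code: one way to test the claim that a flagged PDF is "not encrypted" is to look for an /Encrypt entry, which the PDF format uses to mark an encrypted document; a file protected only by permission restrictions carries one and still opens without a password prompt. The sample byte strings are constructed, and the byte scan is a triage heuristic, not a full PDF parser.

```python
import re

# Constructed samples (not real attachments): a plain PDF skeleton and one whose
# trailer references an encryption dictionary with permission restrictions only.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Size 2 /Root 1 0 R >>\n%%EOF\n")
RESTRICTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                  b"12 0 obj\n<< /Type /Pages /Count 0 >>\nendobj\n"
                  b"2 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 >>\nendobj\n"
                  b"trailer\n<< /Size 13 /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")

ENCRYPT_REF = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R")
ENCRYPT_INLINE = re.compile(rb"/Encrypt\s*<<")
# Permission bits of /P as defined for the standard security handler.
PERMISSION_BITS = {"print": 4, "modify": 8, "copy": 16, "annotate": 32}


def _field(body: bytes, name: bytes):
    """Return the value following /name in a dictionary body, or None."""
    m = re.search(rb"/" + name + rb"(?=[\s/])\s*/?([-\w.]+)", body)
    return m.group(1).decode("ascii") if m else None


def encryption_info(data: bytes):
    """Return None when no /Encrypt entry exists, else handler details."""
    ref = ENCRYPT_REF.search(data)
    if ref:
        # Indirect reference: locate "<num> <gen> obj ... endobj" (not "12 0 obj" for "2 0").
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, data, re.S)
        body = obj.group(1) if obj else b""
    else:
        inline = ENCRYPT_INLINE.search(data)
        if not inline:
            return None
        body = data[inline.end():inline.end() + 512]
    info = {"filter": _field(body, b"Filter"), "V": _field(body, b"V"),
            "R": _field(body, b"R"), "allowed": None}
    p = _field(body, b"P")
    if p is not None and p.lstrip("-").isdigit():
        info["allowed"] = {k: bool(int(p) & bit) for k, bit in PERMISSION_BITS.items()}
    return info


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_PDF), ("restricted", RESTRICTED_PDF)):
        print(label, encryption_info(sample))
```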
 
This is no solution for us at all.
Not blocking encrypted archives is a very serious hole in the setup of an antivirus gateway.
We used to implement "exception" rules for special users, who are smart enough to handle a possibly infected attachment.
If we tear down the wall as suggested, this is unacceptable.

Regards, Philipp
 
Yes, it's not the solution; I just posted a quick workaround. An update/hotfix will follow as soon as possible.
 
Hello Tom,
that is ok for me - as a temporary solution this works for us.
Thank you for the workaround, we are waiting for the hotfix, then.

Regards,
Philipp
 
Hi Tom,
thanks a lot for this very fast update! I've just installed this patch.
I'll let you know if the "problem" occurs again.

Best regards,
Christian
 
I think that the problem is solved. We had no Heuristics.Encrypted.PDF notifications in the last 7 days.
Thanks again for the quick help!

Regards,
Christian
 
