Virus Info: Heuristics.Encrypted.PDF

Philipp

Hello all,

we continuously have problems with mails being blocked by the (anti-) virus rule.

Matching Rule: Block Viruses
Rule: Block Viruses
Receiver: user@domain.de
Action: block message
Action: notify __ADMIN__
Virus Info: Heuristics.Encrypted.PDF

The senders of this kind of PDF swear they did not use any password or encrypting formats.
What is going on here? How can we "whitelist" the sender's domain, without overriding the virus rule?
This seems to be a kind of "false positive" from one of the two virus scanners (AVIRA addon used here).

Any hints highly appreciated,
Philipp
 
Check the message tracking to see which AV engine detected the email.

Then save it as an *.eml file and send it in a password-protected zip file to our support team via https://my.proxmox.com
 
I suggest you replace "block" with "quarantine" in your virus rule.
 
Hi,
I have the same problem and it's very annoying. Do you need more examples?
The "normal" clamav in version 0.97_2 and 0.97_3 didn't find any virus in these PDF files.

Best regards,
Christian
 
Please disable the following clamAV option: "Configuration/Virus Detector/Options: Block encrypted archives"
 
Hi Tom,
thanks for your answer. Sorry, but this is not a solution for us. Our customers want this option (Block encrypted archives)!
BTW: PDF is no archive and also not encrypted.

We currently use the virus quarantine, but this is only a workaround.
Is this problem not solvable, or are you just working on it?

Best regards,
Christian
 
This is no solution for us at all.
Not blocking encrypted archives is a very serious hole in the setup of an antivirus gateway.
We used to implement "exception" rules for special users, who are smart enough to handle a possibly infected attachment.
If we tear down the wall as suggested, this is unacceptable.

Regards, Philipp
 
Yes, it's not the solution; I posted just a quick workaround. An update/hotfix will follow as soon as possible.
 
Hi Tom,
thanks a lot, for this very fast update! I've just installed this patch.
I'll let you know if the "problem" occurs again.

Best regards,
Christian
 
I think that the problem is solved. We had no Heuristics.Encrypted.PDF notifications the last 7 days.
Thanks again for the quick help!

Regards,
Christian