ALL PDF files are blocked due to antivirus false positive

Bugs in eFa 4
BOOZy
Posts: 39
Joined: 04 Oct 2017 13:17

ALL PDF files are blocked due to antivirus false positive

Post by BOOZy »

Virus (YARA.invalid_trailer_structure.UNOFFICIAL)

and Virus (YARA.possible_includes_base64_packed_functions.UNOFFICIAL)

Is there a workaround or update yet?
BOOZy
Posts: 39
Joined: 04 Oct 2017 13:17

Re: ALL PDF files are blocked due to antivirus false positive

Post by BOOZy »

Fixed, I have disabled YARA rules in master.conf.
kicou
Posts: 1
Joined: 11 Jan 2021 19:41

Re: ALL PDF files are blocked due to antivirus false positive

Post by kicou »

Encountered the exact same issue today.

Instead of disabling YARA rules altogether (I use them), in /etc/clamav-unofficial-sigs/user.conf I commented out the line

#yararulesproject_dbs_rating="HIGH"
and restarted clamscan

systemctl restart clamd@scan
gewonecolalight
Posts: 5
Joined: 01 Apr 2017 16:11

Re: ALL PDF files are blocked due to antivirus false positive

Post by gewonecolalight »

I have the same issue and commented out the line that kicou said.

Now I have a bunch of emails that are marked as virus, but I have no option to release those emails. Some are important.
Is there a way to release them?

I searched in /var/spool/Mailscanner/quarantine/<date>/message, but I can't find them there.
jon doe
Posts: 19
Joined: 07 Feb 2017 16:26
Location: Canada

Re: ALL PDF files are blocked due to antivirus false positive

Post by jon doe »

I think I mentioned this in another thread but unless you are quarantining silent viruses in Mailscanner.conf, you cannot release them. I recommend that you turn that option on if you want to have the ability to do this.
gewonecolalight
Posts: 5
Joined: 01 Apr 2017 16:11

Re: ALL PDF files are blocked due to antivirus false positive

Post by gewonecolalight »

OK, thank you.
Just enabled that option.