Hi,
Today I saw this in logs:
Nov 19 09:29:38 mailfilter-in MailScanner[4288]: Clamd::ERROR:: yy1.pdf/Access denied. ERROR :: ./0E75E100907.A0A5E/tnefGK2zbT
Nov 19 09:29:38 mailfilter-in MailScanner[4288]: Clamd::ERROR:: xx2.pdf/Access denied. ERROR :: ./0E75E100907.A0A5E/tnefGK2zbT
Nov 19 09:29:38 mailfilter-in MailScanner[4288]: Clamd::ERROR:: xx1.pdf/Access denied. ERROR :: ./0E75E100907.A0A5E/tnefGK2zbT
Is there something to be done?
Errors when checking PDF content
-
shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Errors when checking PDF content
Are these encrypted and/or password protected?
-
sfsolutions
- Posts: 15
- Joined: 16 Sep 2014 15:58
Re: Errors when checking PDF content
Hi,
we have the problem that password protected PDF files git banned. How can i change this behaviour ?
Best wishes
Niels
we have the problem that password protected PDF files git banned. How can i change this behaviour ?
Best wishes
Niels
-
sfsolutions
- Posts: 15
- Joined: 16 Sep 2014 15:58
Re: Errors when checking PDF content
this is the message:
Our content checker found
virus: Heuristics.Encrypted.PDF
Our content checker found
virus: Heuristics.Encrypted.PDF
-
shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Errors when checking PDF content
That's coming from ClamAV.
Is this set to no in /etc/MailScanner/MailScanner.conf?
Is this set to no in /etc/MailScanner/MailScanner.conf?
Code: Select all
Block Encrypted Messages = no
-
sfsolutions
- Posts: 15
- Joined: 16 Sep 2014 15:58
Re: Errors when checking PDF content
Hi,
yes. it is set to no.
Block Encrypted Messages = no
yes. it is set to no.
Block Encrypted Messages = no
-
shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Errors when checking PDF content
In /etc/clamd.conf:
Code: Select all
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no-
sfsolutions
- Posts: 15
- Joined: 16 Sep 2014 15:58
Re: Errors when checking PDF content
it is set like you posted
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no
-
shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Errors when checking PDF content
Seems to be an issue with the clamav 0.99.2
Might try this...
Might try this...
Code: Select all
sudo echo "Heuristics.Encrypted.PDF" >> /var/lib/clamav/local.ign2
sudo service clamd restart
-
sfsolutions
- Posts: 15
- Joined: 16 Sep 2014 15:58
Re: Errors when checking PDF content
hi,
i did. I see this:
[root@defender defendersf]# echo "Heuristics.Encrypted.PDF" >> /var/lib/clamav/local.ign2
[root@defender defendersf]# sudo service clamd restart
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon:
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[ OK ]
Best wishes
Niels
i did. I see this:
[root@defender defendersf]# echo "Heuristics.Encrypted.PDF" >> /var/lib/clamav/local.ign2
[root@defender defendersf]# sudo service clamd restart
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon:
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[ OK ]
Best wishes
Niels
-
shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Errors when checking PDF content
You can ignore those errors. They are yara rules that are only applicable on windows.
-
sfsolutions
- Posts: 15
- Joined: 16 Sep 2014 15:58
Re: Errors when checking PDF content
Hi, encrypted files get still blocked.
How can i remove this encrypted block completely ?
THX and best wishes
Niels
How can i remove this encrypted block completely ?
THX and best wishes
Niels