Errors when checking PDF content
Posted: 19 Nov 2016 07:31
by tentaclefi
Hi,
Today I saw this in logs:
Nov 19 09:29:38 mailfilter-in MailScanner[4288]: Clamd::ERROR:: yy1.pdf/Access denied. ERROR :: ./0E75E100907.A0A5E/tnefGK2zbT
Nov 19 09:29:38 mailfilter-in MailScanner[4288]: Clamd::ERROR:: xx2.pdf/Access denied. ERROR :: ./0E75E100907.A0A5E/tnefGK2zbT
Nov 19 09:29:38 mailfilter-in MailScanner[4288]: Clamd::ERROR:: xx1.pdf/Access denied. ERROR :: ./0E75E100907.A0A5E/tnefGK2zbT
Is there something to be done?
Re: Errors when checking PDF content
Posted: 23 Nov 2016 23:57
by shawniverson
Are these encrypted and/or password protected?
Re: Errors when checking PDF content
Posted: 06 Jan 2017 16:36
by sfsolutions
Hi,
We have the problem that password-protected PDF files get banned. How can I change this behaviour?
Best wishes
Niels
Re: Errors when checking PDF content
Posted: 06 Jan 2017 16:40
by sfsolutions
This is the message:
Our content checker found
virus: Heuristics.Encrypted.PDF
Re: Errors when checking PDF content
Posted: 07 Jan 2017 01:12
by shawniverson
That's coming from ClamAV.
Is this set to no in /etc/MailScanner/MailScanner.conf?
Re: Errors when checking PDF content
Posted: 11 Jan 2017 09:37
by sfsolutions
Hi,
Yes, it is set to no.
Block Encrypted Messages = no
Re: Errors when checking PDF content
Posted: 12 Jan 2017 00:44
by shawniverson
In /etc/clamd.conf:
Code:
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no
Re: Errors when checking PDF content
Posted: 12 Jan 2017 10:19
by sfsolutions
It is set like you posted:
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no
Re: Errors when checking PDF content
Posted: 13 Jan 2017 12:04
by shawniverson
Seems to be an issue with ClamAV 0.99.2.
Might try this...
Code:
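# tee performs the append as root; with "sudo echo ... >>" the redirect runs in the calling shell
echo "Heuristics.Encrypted.PDF" | sudo tee -a /var/lib/clamav/local.ign2 > /dev/null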
sudo service clamd restart
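An idempotent version of the append suggested above, as an added example that is not part of the original posts: it adds a signature name to an ignore list (one name per line) only when that exact line is not already present, so repeated runs do not pile up duplicates. The function name `ign2_add`, its return codes and the accepted character set are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV/MailScanner.
# ign2_add FILE SIGNATURE
#   Append SIGNATURE to the ignore list FILE unless it is already listed.
#   Returns 0 if added, 1 if already present, 2 if the name is malformed.
# Intended use (run as root):
#   ign2_add /var/lib/clamav/local.ign2 Heuristics.Encrypted.PDF \
#       && service clamd restart
ign2_add() {
    file=$1
    sig=$2
    # Assumption: names consist of letters, digits, '.', '_' and '-'.
    # Rejecting everything else keeps whitespace, newlines and empty
    # strings out of the database directory.
    case $sig in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    # -x matches the whole line and -F disables regex, so the dots are
    # literal and a longer or shorter name is not mistaken for this one.
    if [ -f "$file" ] && grep -qxF -- "$sig" "$file"; then
        return 1
    fi
    # If the last existing entry lacks a trailing newline, add one first
    # so the new name does not get glued onto it.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$sig" >> "$file"
}
```

A return code of 1 skips the restart in the usage line, since nothing changed on disk.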
Re: Errors when checking PDF content
Posted: 13 Jan 2017 15:58
by sfsolutions
Hi,
I did. I see this:
[root@defender defendersf]# echo "Heuristics.Encrypted.PDF" >> /var/lib/clamav/local.ign2
[root@defender defendersf]# sudo service clamd restart
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon:
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[ OK ]
Best wishes
Niels
Re: Errors when checking PDF content
Posted: 13 Jan 2017 17:59
by shawniverson
You can ignore those errors. They are yara rules that are only applicable on Windows.
Re: Errors when checking PDF content
Posted: 25 Jan 2017 13:08
by sfsolutions
Hi, encrypted files still get blocked.
How can I remove this encrypted block completely?
THX and best wishes
Niels