[clamav-users] Whitelisting issue

Reindl Harald h.reindl at thelounge.net
Tue Nov 28 00:41:29 UTC 2017



On 28.11.2017 at 01:24, Curtis Vaughan wrote:
> Using clamav on an Ubuntu Server postfix system. We have an issue where 
> so far just Excel (xlsx) files are getting false flagged as having the 
> following virus:
> 
>    250 2.7.0 Ok, discarded, id=14037-01 - INFECTED: 
> Emf.Exploit.CVE_2017_16395-6376329-0
> 
> Virus scanner output:
>   p003: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
>   p005: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
> 
> Having searched up information I found it's probably easiest just to 
> whitelist this signature. However, whatever I do doesn't seem to work.
> I have added CVE_2017_16395-6376329-0
> to a file at /var/lib/clamav/whitelist.ign2 as well as to 
> whitelist-signatures.ign2 since there are references out on the internet 
> to name the file one way or the other. Since it wasn't working, I 
> changed user and group to clamav on these files. I also reloaded 
> clamav-daemon. But still the files are quarantined as infected.
> Any other clues?
CVE_2017_16395-6376329-0 != Emf.Exploit.CVE_2017_16395-6376329-0

it doesn't matter how the ign2 file is named because that way you can have 
distributed ones like from sanesecurity and your own as you have the 
same way different sigfiles from different sources with the same extension
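
As an added example (not part of the original post and not ClamAV's own code): a small POSIX shell check that compares candidate .ign2 entries with the signature names the scanner actually reported, flagging the partial-name mismatch pointed out above. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare .ign2 candidates with the names the scanner reported.

# Constructed sample input: the scanner output lines quoted in the thread.
SCAN_OUTPUT='p003: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
p005: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND'

# Print each distinct signature name from "<item>: <name> FOUND" lines.
detected_names() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | sort -u
}

# classify_entry ENTRY SCAN_TEXT
# Prints "exact", "partial:<full name>" or "nomatch".
classify_entry() {
    entry=$1
    names=$(detected_names "$2")
    if [ -z "$entry" ] || [ -z "$names" ]; then
        echo "nomatch"; return 0
    fi
    # -F: literal string (dots are not wildcards), -x: whole line must match.
    if printf '%s\n' "$names" | grep -Fxq -- "$entry"; then
        echo "exact"; return 0
    fi
    # The entry is only a fragment of a reported name: the thread's mistake.
    partial=$(printf '%s\n' "$names" | grep -F -- "$entry" | head -n 1) || true
    if [ -n "$partial" ]; then
        echo "partial:$partial"; return 0
    fi
    echo "nomatch"
}

# check_ign2 SCAN_TEXT  (reads candidate .ign2 lines on stdin)
check_ign2() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        printf '%s -> %s\n' "$line" "$(classify_entry "$line" "$1")"
    done
}

# Hypothetical candidates: the entry from the question, then the full name.
printf '%s\n' 'CVE_2017_16395-6376329-0' \
    'Emf.Exploit.CVE_2017_16395-6376329-0' | check_ign2 "$SCAN_OUTPUT"
```

A "partial" result means the entry would need to be replaced by the full name printed after the colon.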


