CLAM is blocking pdf attachments

Active8

Active8

Verified User
Joined
Jul 13, 2013
Messages
1,828
Hi since 2 day our server are blocking pdf attachments

In the first place we thought dat was because of the user has virus on his pc but we made self checks and our attachments where recognized as virus
I have checked the pdf im sending with virustotal and didn't find any virus except clam av:

ClamAV : Win.Exploit.CVE_2019_0903-6966169-0
using latest versionsclam definitions : dbg: channel: current version is 1859919, new version is 1859919, skipping channel

We are considering now to disable clam because of this , have other people problem like this ?
 
Last edited:
Solution for you...

This issue is not only related to *.pdf but also filetypes as .zip, wolff, etc. If you run a scan in /home directory (clamscan -r --bell -i /home), you will see.
ClamAV must push out some new signature/db files.

Meanwhile you can disable ClamAV or whitelist/ignore the signature it. I have a one-command for you guys (for directadmin)

Login as root and execute this:

Code: 
echo "Win.Exploit.CVE_2019_0903-6966169-0" >> /usr/local/share/clamav/whitelist-local.ign2

This would whitelist the signature meanwhile ClamAV pushout a fix! Try to run another scan
Code: 
clamscan -r --bell -i /home
- and voila! no false positive alerts!

:rolleyes:
 
Tonight we also received hundreds of false/positive during our nightly maldet run (wich also uses clamav), we got false positive on mostly WordPress sites wich uses FontAwesome and also some other fonts. They would turn up in the scan report like this:

Code: 
{CAV}Win.Exploit.CVE_2019_0903-6966169-0 : /home/USER/domains/DOMAIN.COM/public_html/wp-content/themes/dt-the7/fonts/FontAwesome/webfonts/fa-regular-400.eot

{CAV}Win.Exploit.CVE_2019_0903-6966169-0 : /home/USER/domains/DOMAIN.COM/public_html/wp-content/themes/dt-the7/fonts/FontAwesome/webfonts/fa-regular-400.ttf
 
lowprofile said:
This issue is not only related to *.pdf but also filetypes as .zip, wolff, etc. If you run a scan in /home directory (clamscan -r --bell -i /home), you will see.
ClamAV must push out some new signature/db files.

Meanwhile you can disable ClamAV or whitelist/ignore the signature it. I have a one-command for you guys (for directadmin)

Login as root and execute this:

Code: 
echo "Win.Exploit.CVE_2019_0903-6966169-0" >> /usr/local/share/clamav/whitelist-local.ign2

This would whitelist the signature meanwhile ClamAV pushout a fix! Try to run another scan
Code: 
clamscan -r --bell -i /home
- and voila! no false positive alerts!

:rolleyes:
Click to expand...

Your code did not work for me, maldet/clamav still returned hits. So I looked it up and found this: https://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature - at that page it says to create a file with this file name: whitelist.ign2

So I changed the command so that instead of creating whitelist-local.ign2 it would create whitelist.ign2, and then run maldet again, and then it worked with no hits/infections.

I don't understand why the file whitelist-local.ign2 works for you?

Edit: Maybe the reason was that I did not restart clamav and exim after creating the file? Looking closer at it, it seems that is needed. Anyway it works correct for me using whitelist.ign2 so I will continue using that file name.
 
Last edited:
lowprofile said:
This issue is not only related to *.pdf but also filetypes as .zip, wolff, etc. If you run a scan in /home directory (clamscan -r --bell -i /home), you will see.
ClamAV must push out some new signature/db files.

Meanwhile you can disable ClamAV or whitelist/ignore the signature it. I have a one-command for you guys (for directadmin)

Login as root and execute this:

Code: 
echo "Win.Exploit.CVE_2019_0903-6966169-0" >> /usr/local/share/clamav/whitelist-local.ign2

This would whitelist the signature meanwhile ClamAV pushout a fix! Try to run another scan
Code: 
clamscan -r --bell -i /home
- and voila! no false positive alerts!

:rolleyes:
Click to expand...

Thanks for your solution! I just add "Win.Exploit.CVE_2019_0903-6966169-0" to the CLAM whitelist and temporarily "SOLVED" the problem. Hope CLAM will push the new signature file very soon to solve this false positive. Many complain from our customer. Sigh! :(
 
Thank you for the information! :) we also have this problem. So I did:

echo "Win.Exploit.CVE_2019_0903-6966169-0" >> /usr/local/share/clamav/whitelist-local.ign2

and the problem is 'gone' for now. I hope ClamAV comes very soon with a fix.
 
You must log in or register to reply here.
Back
Top