On 28.11.2017 at 01:24, Curtis Vaughan wrote:
Using clamav on an Ubuntu Server postfix system. We have an issue where so far just Excel (xlsx) files are getting false flagged as having the following virus:

  250 2.7.0 Ok, discarded, id=14037-01 - INFECTED: Emf.Exploit.CVE_2017_16395-6376329-0

Virus scanner output:
  p003: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
  p005: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND

Having searched up information I found it's probably easiest just to whitelist this signature. However, whatever I do doesn't seem to work.
I have added CVE_2017_16395-6376329-0 to a file at /var/lib/clamav/whitelist.ign2 as well as to whitelist-signatures.ign2 since there are references out on the internet to name the file one way or the other. Since it wasn't working, I changed user and group to clamav on these files. I also reloaded clamav-daemon. But still the files are quarantined as infected.
Any other clues?

CVE_2017_16395-6376329-0 != Emf.Exploit.CVE_2017_16395-6376329-0

It doesn't matter how the ign2 file is named, because that way you can have distributed ones, like those from Sanesecurity, and your own, the same way you have different sigfiles from different sources with the same extension.
clamav-users mailing list
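
The mismatch pointed out in the reply can be checked mechanically. The script below is an added example, not part of the thread or of ClamAV: it compares the names a scan reported with the entries of an .ign2 file and flags entries that are only a fragment of the reported name. The function names are hypothetical, and it assumes scanner lines shaped like the ones quoted above and an optional ":md5" suffix on .ign2 entries.

```shell
#!/bin/sh
# Added example (not from the thread): compare reported names with .ign2 entries.

# Signature names from scanner lines shaped like "<part>: <name> FOUND".
detected_names() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' | sort -u
}

# Entry names from an .ign2 file; drops CRs, blank lines and an optional
# ":md5" suffix (assumption: the optional suffix described in ClamAV's docs).
ign2_names() {
    tr -d '\r' | sed -e 's/:.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u
}

# check_ign2 SCAN_OUTPUT IGN2_FILE -> one verdict line per detected name;
# returns 1 if any detected name has no exact-match entry.
check_ign2() {
    scan=$1; ign=$2; rc=0
    for name in $(detected_names < "$scan"); do
        if ign2_names < "$ign" | grep -Fxq -- "$name"; then
            echo "ignored $name"
            continue
        fi
        rc=1
        # An entry that is only a fragment of the reported name never matches.
        frag=$(ign2_names < "$ign" | while IFS= read -r e; do
            case $name in *"$e"*) printf '%s\n' "$e"; break ;; esac
        done)
        if [ -n "$frag" ]; then
            echo "partial $name (entry '$frag' is not the full name)"
        else
            echo "missing $name"
        fi
    done
    return $rc
}

# Constructed sample: scanner lines from the thread, entry as first tried.
tmp=$(mktemp -d)
printf '%s\n' '  p003: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND' \
    '  p005: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND' > "$tmp/scan.txt"
printf '%s\n' 'CVE_2017_16395-6376329-0' > "$tmp/whitelist.ign2"
check_ign2 "$tmp/scan.txt" "$tmp/whitelist.ign2" || echo "-> use the full reported name"
rm -rf "$tmp"
```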
