[SOLVED] ClamAV false positive

[ryandball]

Hi all, looking for an answer (not found yet via Google).

We run 5.0.8_GA_2462 FOSS on Ubuntu 6.06 LTS (most likely going to get the commercial version of Zimbra, not sure yet). This morning our HR Manager tried to upload her encrypted 401(k) file to the 401(k) provider and ClamAV sent me a message stating that the file had a virus in it, then deleted her email. I had her try this twice to be sure. I scanned the same file myself with our corporate virus scanner (InoculanIT) and also submitted the file to Virustotal who scanned it with 36 virus scanners, and all came up clean so I think it's a false positive. What should I do, short of disabling AV altogether? Our firewall does provide AV scanning as well for the policy that handles email, so if I disabled ClamAV it would still be protected but I'd rather not of I can help it.

Thanks in advance!

Ryan

[Nox]

I am experiencing this same problem. I think I have tracked it down to this option in clamav:

"Block encrypted archives"

As detailed here:

stopping clamav detecting encrypted zip files

ClamAV Antivirus


However, I am not sure how to modify this option in the Zimbra packaged version of clamav. Any help is greatly appreciated as we send password protected zip files regularly.

[jrefl5]

Try checking in the Administration console. under Global Settings, AS/AV tab.

There is a check box for this.

[ryandball]

Yes I found that option and it fixed it, thanks!

[Nox]

That was so simple I feel silly. Thank you!