[SOLVED] Every new message is flagged with Exploit.PDF-9669 - Nothing getting through

[Cheakamus]

As of 3:30 this afternoon all messages started getting tagged with Exploit.PDF-9669 and quarantined. The server is 5.0.2_GA_1975.UBUNTU6. I ran some google searches for that message, but no luck.

Help.

[omniplex]

I'm actually having the same issue, but have not found a solution yet.

[mfuentes]

I'm having the same issue help!!!

[emoss]

We started at 3:30 pst as well - thought it was a server problem at first. After some digging, I found something that said that it had to do with HTML emails. After sever attemts at emailing myself and getting the message :

Attention! The message was sent with
VIRUS: Exploit.PDF-9669

I changed the email format from HTML to plain text and it went through.

So, is it a local virus on the users pc's? NOD32 doesn't seem to find it???

[omniplex]

Ok, I found the issue.
Looks like it is related to clamav and I am guessing it's because of an update.
I edited /opt/zimbra/data/clamav/db/daily.inc/daily.hdb and removed the third from the last line that reads d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669

This so far has resolved my problem until the next freshclam update.
Older versions of zimbra might have the file in /opt/zimbra/clamav/data/db/daily.inc/daily.hdb

[omniplex]

Just a note that removing this will cause it not to match if there is a virus. In my case the false positive is worse then someone getting the virus.
Just a warning, but this appears to be broken anyway so.....

[anuff]

We have the same issue. When sending mail from Zimbra out to an external mail account neither our SPI firewall nor the AV filters at the receiving end are picking up anything. We've disabled the AV filter service in Zimbra and mail is now flowing as you'd expect.

[omniplex]

I posted 2 other posts, but they are not appearing.
If they do, sorry for the duplicates.

I found the issue to be with clamav, most likely due to an update.
I edited /opt/zimbra/data/clamav/db/daily.inc/daily.hdb
and removed the line d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669 which was third from the bottom.

In older Zimbra installations it might be in /opt/zimbra/clamav/db/daily.inc/daily.hdb. You will need to restart zimbra or just the AV portion.

[omniplex]

Ok, well, that posted.
Sorry for that if someone could just merge them into one that would be great. I tried several times to do a single response but they just disappeared.
Hope that helps.

[anuff]

Quote:

Originally Posted by omniplex

I will put it in parts.
Edit the file "/opt/zimbra/data/clamav/db/daily.inc/daily.hdb". Was the third from the last line for me. Restart Zimbra.

Quote:

Originally Posted by omniplex

The line you want to remove should read "d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PD F-9669"..

Thanks Omniplex... I think I'm going to wait and see if the next update of CLAM is better. Somehow I've got a sinking feeling that if I fix this now, I'll just fix it again after the next update.