ZCS 6.0.4: ClamAV detects virus in clean .exe, but only sometimes?

[Pascal]

Hi there,

I have a quite weird problem here.

Before I start: My boss _really_ wants to send and receive exe files, and I couldn't convince him otherwise, so, as much as I would like to just let my users host their files somewhere on the internet and only mail a link, that is not possible.

So, I made sure that amavis doesn't ban .exe extensions and mailed some of them around to make sure it works.

So today, I got an angry mail in my inbox, saying that he wasn't able to send around .exe files. He attached the error message:

Code:

VIRUS ALERT

Our content checker found
    virus: Encrypted.Zip

in an email to you from probably faked sender:
  ?@[79.224.xxx.xxx]
claiming to be: <xxx@xxxx.de>

Content type: Virus
Our internal reference code for your message is 14233-07/XxeEgH3XtiP3

First upstream SMTP client IP address: [79.224.xxx.xxx]
  pxxxxxxxx.xxx.t-dialin.net
According to a 'Received:' trace, the message apparently originated at:
  [79.224.xxx.xxx], [192.168.xxx.xxx] pxxxxxxx.xxx.t-dialin.net [79.224.xxx.xxx]

Return-Path: <xxx@xxxx.de>
From: "xxxxxxxxxxxxxx" <xxx@xxxx.de>
Message-ID: <4B560C94.8070101@xxxx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5)
  Gecko/20091204 Thunderbird/3.0
Subject: fsfsdfsd
The message has been quarantined as: virus-XxeEgH3XtiP3

Please contact your system administrator for details.

Weird... It wasn't a zip file.

And I am perfectly able to send around exe files using the Zimbra web client.

Does this make any sense to you? Maybe there is something wrong with his mail client?


thanks,
Pascal

[uxbod]

Would you find the entries in /var/log/zimbra.log for the SMTP transactions and post the details so we can see what Amavis was doing.