Mailing List Archive: ClamAV: users

How to disable / ignore Heuristics.Encrypted.PDF ?



mkathuria at tuxtechnologies

Jul 10, 2011, 11:08 PM

Post #1 of 6 (6841 views)
How to disable / ignore Heuristics.Encrypted.PDF ?

We are using clamd along with amavisd-new for scanning emails and the
messages having PDF attachments with password protection are being
blocked with the alert :

INFECTED, message contains virus: Heuristics.Encrypted.PDF

Since most of these password protected PDFs are important documents
like bank statements, I want to skip this particular check. I have
tried various permutations but could not figure out the exact
parameter which can be used in clamd.conf file to exclude this
specific category. I also created a local.ign2 file in the virus
database directory with a single line containing the term
Heuristics.Encrypted.PDF in it but it had no effect.

Any suggestions ?

Thanks,
--
Manish Kathuria
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


asa at isac

Jul 10, 2011, 11:14 PM

Post #2 of 6 (6791 views)
Re: How to disable / ignore Heuristics.Encrypted.PDF ? [In reply to]

Dear Manish,

I also encountered the same problem and had reported this problem in
the mailing list. Following is the comment which I received (from
developer).

-----
On Mon Jun 20 2011 13:40:06 GMT+0200 (CET)
ANANT S ATHAVALE <asa [at] isac> wrote:
Dear Tomasz Kojm,

But by setting ArchiveBlockEncrypted = off, I will not be able to detect
even encrypted zip, am I right?
Yes, you're right. However please keep in mind we create sigs for
encrypted malware, so you should still be able to catch real threats.
Maybe I should disable ScanPDF?
This will disable the PDF parser, which is required for most sigs for
PDF malware. Disabling ArchiveBlockEncrypted will be safer.
-----------

Based on this feedback, I have disabled ArchiveBlockEncrypted.

For details, read the thread with the following subject in the mailing list.

"How to disable blocking Encrypted.pdf alone"

Regards,
ANANT.

--
----- Message from mkathuria [at] tuxtechnologies ---------
Date: Mon, 11 Jul 2011 11:38:03 +0530
From: Manish Kathuria <mkathuria [at] tuxtechnologies>
Reply-To: ClamAV users ML <clamav-users [at] lists>
Subject: [clamav-users] How to disable / ignore Heuristics.Encrypted.PDF ?
To: clamav-users [at] lists


> We are using clamd along with amavisd-new for scanning emails and the
> messages having PDF attachments with password protection are being
> blocked with the alert :
>
> INFECTED, message contains virus: Heuristics.Encrypted.PDF
>
> Since most of these password protected PDFs are important documents
> like bank statements, I want to skip this particular check. I have
> tried various permutations but could not figure out the exact
> parameter which can be used in clamd.conf file to exclude this
> specific category. I also created a local.ign2 file in the virus
> database directory with a single line containing the term
> Heuristics.Encrypted.PDF in it but it had no effect.
>
> Any suggestions ?
>
> Thanks,
> --
> Manish Kathuria
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>


----- End message from mkathuria [at] tuxtechnologies -----



Regards,

Anant Athavale.




edwin at clamav

Jul 10, 2011, 11:15 PM

Post #3 of 6 (6783 views)
Re: How to disable / ignore Heuristics.Encrypted.PDF ? [In reply to]

On 2011-07-11 09:08, Manish Kathuria wrote:
> We are using clamd along with amavisd-new for scanning emails and the
> messages having PDF attachments with password protection are being
> blocked with the alert :
>
> INFECTED, message contains virus: Heuristics.Encrypted.PDF
>
> Since most of these password protected PDFs are important documents
> like bank statements, I want to skip this particular check. I have
> tried various permutations but could not figure out the exact
> parameter which can be used in clamd.conf file to exclude this
> specific category. I also created a local.ign2 file in the virus
> database directory with a single line containing the term
> Heuristics.Encrypted.PDF in it but it had no effect.
>
> Any suggestions ?

In clamd.conf:
ArchiveBlockEncrypted no.

Or you can try this patch (which will be in 0.97.2):
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2988#c1

Best regards,
--Edwin
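The two knobs in this thread (ArchiveBlockEncrypted, and ScanPDF which Tomasz advised against touching) decide whether a password-protected PDF is blocked at all, and a flagged PDF may not even be encrypted (see the 0.97.2 report later in the thread). The following is an added example, not code from the thread or from the ClamAV project: it reads those options from clamd.conf text and checks a PDF for the /Encrypt entry that marks a password-protected document. The defaults assumed when an option is absent (ScanPDF yes, ArchiveBlockEncrypted no) follow clamd.conf.sample; the sample config and PDF skeletons are constructed.

```python
import re

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}

def clamd_option(conf_text, name, default=None):
    """Boolean value of a yes/no option in clamd.conf text.
    Lines starting with '#' are comments; the last assignment wins;
    `default` is returned when the option is not set."""
    value = default
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != name:
            continue
        v = parts[1].strip().lower()
        if v in _TRUE:
            value = True
        elif v in _FALSE:
            value = False
        else:
            raise ValueError(f"{name}: unrecognised value {parts[1]!r}")
    return value

# Match /Encrypt only as a whole PDF name, so a name such as
# /EncryptMetadata (same prefix) is not mistaken for it.
_ENCRYPT_KEY = re.compile(rb"/Encrypt(?![A-Za-z0-9])")

def pdf_declares_encryption(data):
    """True if the PDF bytes carry an /Encrypt entry (password-protected)."""
    return data.startswith(b"%PDF") and _ENCRYPT_KEY.search(data) is not None

def expected_outcome(conf_text, pdf_bytes):
    """What clamd's encrypted-PDF handling should do with this file.
    Assumed defaults: ScanPDF yes, ArchiveBlockEncrypted no."""
    if not clamd_option(conf_text, "ScanPDF", default=True):
        return "ScanPDF off: PDF parser disabled, PDF signatures lost too"
    if not clamd_option(conf_text, "ArchiveBlockEncrypted", default=False):
        return "passes: ArchiveBlockEncrypted off (encrypted zips pass as well)"
    if pdf_declares_encryption(pdf_bytes):
        return "blocked: /Encrypt present, Heuristics.Encrypted.PDF is expected"
    return "not encrypted: a Heuristics.Encrypted.PDF hit would be a false positive"

# Constructed samples (not real mail traffic): a clamd.conf fragment in the
# blocking and relaxed states, one encrypted PDF skeleton and one plain one.
CONF_BLOCKING = "# clamd.conf\nScanPDF yes\nArchiveBlockEncrypted yes\n"
CONF_RELAXED = CONF_BLOCKING.replace("ArchiveBlockEncrypted yes", "ArchiveBlockEncrypted no")
PDF_ENCRYPTED = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
PDF_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /EncryptMetadata false >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Run `expected_outcome(CONF_BLOCKING, PDF_PLAIN)` on a flagged attachment to decide whether to relax the option or to file the sample as a false positive.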


mkathuria at tuxtechnologies

Jul 10, 2011, 11:26 PM

Post #4 of 6 (6790 views)
Re: How to disable / ignore Heuristics.Encrypted.PDF ? [In reply to]

2011/7/11 Török Edwin <edwin [at] clamav>:
> On 2011-07-11 09:08, Manish Kathuria wrote:
>> We are using clamd along with amavisd-new for scanning emails and the
>> messages having PDF attachments with password protection are being
>> blocked with the alert :
>>
>> INFECTED, message contains virus: Heuristics.Encrypted.PDF
>>
>> Since most of these password protected PDFs are important documents
>> like bank statements, I want to skip this particular check. I have
>> tried various permutations but could not figure out the exact
>> parameter which can be used in clamd.conf file to exclude this
>> specific category. I also created a local.ign2 file in the virus
>> database directory with a single line containing the term
>> Heuristics.Encrypted.PDF in it but it had no effect.
>>
>> Any suggestions ?
>
> In clamd.conf:
> ArchiveBlockEncrypted no.
>
> Or you can try this patch (which will be in 0.97.2):
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2988#c1
>
> Best regards,
> --Edwin
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>


Thanks Edwin and Anant. Since I searched for the keyword
Heuristics.Encrypted.PDF, I missed the earlier message related to PDFs.

--
Manish


paul at netpresto

Aug 19, 2011, 10:33 AM

Post #5 of 6 (6409 views)
Re: How to disable / ignore Heuristics.Encrypted.PDF ? [In reply to]

Hi

Still having problems with some PDFs being flagged as Heuristics.Encrypted.PDF
even with version 0.97.2. Version 0.97 does not have this problem.

Example PDF which is not encrypted available if required.

Regards.
P Enlund
At 09:15 11/07/2011 +0300, you wrote:
>On 2011-07-11 09:08, Manish Kathuria wrote:
> > We are using clamd along with amavisd-new for scanning emails and the
> > messages having PDF attachments with password protection are being
> > blocked with the alert :
> >
> > INFECTED, message contains virus: Heuristics.Encrypted.PDF
> >
> > Since most of these password protected PDFs are important documents
> > like bank statements, I want to skip this particular check. I have
> > tried various permutations but could not figure out the exact
> > parameter which can be used in clamd.conf file to exclude this
> > specific category. I also created a local.ign2 file in the virus
> > database directory with a single line containing the term
> > Heuristics.Encrypted.PDF in it but it had no effect.
> >
> > Any suggestions ?
>
>In clamd.conf:
>ArchiveBlockEncrypted no.
>
>Or you can try this patch (which will be in 0.97.2):
>https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2988#c1
>
>Best regards,
>--Edwin
>_______________________________________________
>Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>http://www.clamav.net/support/ml



edwin at clamav

Aug 19, 2011, 11:17 AM

Post #6 of 6 (6409 views)
Re: How to disable / ignore Heuristics.Encrypted.PDF ? [In reply to]

On 2011-08-19 20:33, Paul Enlund wrote:
> Hi
>
> Still having problems with some PDFs being flagged as Heuristics.Encrypted.PDF
> even with version 0.97.2. Version 0.97 does not have this problem.
>
> Example PDF which is not encrypted available if required.

Please open a bug and attach it (attachments are private by default).

Best regards,
--Edwin
