Topic: clamav false positives with zip files, someone else is noticing the same?

[albatroz]

I have noticed that the clamav installation inside SME server is giving me
some false positives. For instance when someone sends me several files inside
a zip file it is detected as a virus infected file.

Is someone else suffering the same issue?

Thanks in advance

[albatroz]

Just adding more info about this issue:

the sender received when the email bounced
190.41.24.200 failed after I sent the message.
Remote host said: 552 Virus Found: Oversized.Zip

We are using SME 7.2

[Stefano]

from a quick googling I've found:

Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.zip . Try increasing your ArchiveMaxCompressionRatio setting.

look for ArchiveMaxCompressionRatio, ArchiveMaxFileSize, ArchiveMaxFiles, ArchiveMaxRecursion in /etc/clamd.conf

and, of course, man clamd.conf

HTH

Ciao

Stefano

[albatroz]

Are those files templated?

[Stefano]

Are those files templated?

it's only one file: /etc/clamd.conf

yes, it's templated..

Ciao

Stefano

[Normando]

Are those files templated?

Please, see
http://wiki.contribs.org/DB_Variables_Configuration#Clam_AntiVirus_.28clamav.29

Also check if you have select some files under Ativirus - server-manager. Please, not check the last two zip files.