virus detected, but not blocked

[sangamc]

Hello everyone,

I am having a strange issue with 2 of my zimbra servers. An email comes in with a virus. It shows in the log virus detected in attachment, but the virus email is not always blocked. Sanesecurity detected attachments still get delivered to the inbox.

What is extra strange is the virus mailbox on the server also gets a copy of the email and the header is even modified to show a virus is detected, but my users are still getting them mails.

A big concern because we are in healthcare and get targeted by cryptolocker ransomware almost every week


Sat Mar 16 23:37:35 2019 -> /opt/zimbra/data/amavisd/tmp/amavis-20190316T233013-55170-60PcX0HL/parts/p003: Sanesecurity.Malware.27423.PdfHeur.UNOFFICIAL FOUND


Release 8.8.9_GA_2055.RHEL6_64_20180703080917 RHEL6_64 FOSS edition, Patch 8.8.9_P9
clamav 0.101.1 installed, but still reporting 0.99 ??? not sure why but something to do with zimbra 8.8.9?
unofficial sigs 5.6.2 installed

[sangamc]

Digging a little more. It looks like some of the unofficial definitions are working and the email is getting blocked with a notification going out to the admin and the user. Other definitions under sane security are detecting and showed in the logs, but not getting blocked.

Where do I need to look to make sure all detection's lead to the email getting blocked?

[diegojk]

Hello, I have the same problem, virus is detected and show in clamd.log but not blocked:
Wed Jan 22 18:57:39 2020 -> /opt/zimbra/data/amavisd/tmp/amavis-20200122T185617-11080-bjBOFuXA/parts/p006: Sanesecurity.Badmacro.Xls.formobhop.UNOFFICIAL FOUND


Do you find any solution?