In the last couple of days, Zimbra Support is getting reports that certain *.xls attachments are causing false positives.
In the /var/log/zimbra.log, sites are seeing the following:
Blocked INFECTED (BC.Exploit.CVE_2011_3412)
Zimbra has submitted headers from a couple of false positives.
If you are seeing the 'Blocked INFECTED (BC.Exploit.CVE_2011_3412)' line in zimbra.log, please send the headers of the message to ClamAV.
ClamAV is a separate company from VMWare/Zimbra, and we will not know when ClamAV will resolve the issue.