Thread: AV Catching Only a Few Attachments

  1. #1
    Join Date
    Jul 2011

    AV Catching Only a Few Attachments

    Spent hours today looking for a solution and I'm pretty confused, so I hope this makes sense.

    I am running ZCS 7.x
    AV is set to not block encrypted attachments, PDFs generally come through fine.

    Problem: A few non-encrypted PDFs, maybe 2 per week, get marked as having a virus, always from known and trusted individuals. Is there a way to whitelist just these known individuals and get these through?
    — OR —
    I would even be happy to be able to "release" these manually to the recipients, but the various methods described in these forums don't work for me. The quarantined files do not show up in the /opt/zimbra/data/amavisd/quarantine folder. I can't find where Zimbra is putting these quarantined files that it notifies me of. The quarantine folder does have files, all starting with "badh" or "banned", but none that start with "virus", which is what the notification email tells me the filename will be.

    Are locations different in ZCS 7? I've done full file searches for the virus filename and can't locate it. Are they stored in MySQL now?

    Any way to "release" these or whitelist known users so their attachments always come through?



  2. #2
    Join Date
    Sep 2012


    Sorry that this message isn't going to provide any help. I have the same/similar issue.

    Release methods might work, but the problem is finding the message.

    All messages in the /opt/zimbra/data/amavisd/quarantine folder start with badh- and then 12 alphanumeric characters. But nothing in the message received is the same as any file in the quarantine. The message is in the inbox of the virus-quarantine user in Zimbra, but forwarding it fails (it still gets virus scanned), and nothing in the header (even the X-Quarantine-ID) matches anything in the names of the files in the quarantine folder.

    The virus message says something like:


    Our content checker found
    virus: Heuristics.Encrypted.PDF

    in an email to you from probably faked sender:
    ?@[IP Address]
    claiming to be: <user@domain.tld>

    Content type: Virus
    Our internal reference code for your message is 5digits-2digits/12AlphaNumeric

    First upstream SMTP client IP address: [IPAddress] server.domain.tld
    According to a 'Received:' trace, the message apparently originated at:
    [IPAddress], server.domain.tld server.domain.tld [IPAddress]

    Return-Path: <user@domain.tld>
    From: user@domain.tld
    Message-ID: blah.blah.blah
    X-Mailer: Zimbra 7.2.0_GA_2681 (ZimbraWebClient - FF3.0 (Win)/7.2.0_GA_2681)
    Subject: stuff
    The message has been quarantined as: user@domain.tld

  3. #3
    Join Date
    Mar 2012


    I'm in the same boat... it's really frustrating that there's nothing in the catch message to give you a hint as to which message it is... lame.

  4. #4
    Join Date
    Jun 2011
    Caracas Venezuela


    Hello, check $final_virus_destiny; by default it has the value DISCARD.

    The message is actually in the account.

    Last edited by ccelis5215; 11-13-2012 at 07:02 PM. Reason: quarantine account
