Virus Blocker Lite blocking new Microsoft Office installs

[Frick]

When you try to install Office you get an error message that the install fails and signature verification can not be completed.

When looking in untangle you see that virus blocker lite has new hits:

virus_blocker_lite_name
Win.Adware.Browsefox-12535(0122bab0a42f8dcb58553c1844478dd0:18299931)


Disabling virus blocker lite allows for the install to complete.

[Sahne]

Disabling Virus Blocker is not the recommended solution.
Keep in mind Virus Blocker also blocks any updates for Office 2016 which means you would have to disable your Virus Blocker on a regular basis this will put your environment in risk for actual threats. Just simply add this URL *officecdn.microsoft.com in Pass Sites under Virus Blocker Lite and no more problems installing or updating Office 2016 in your environment.

[KTurner]

Getting thousands of Alert messages for what we believe is a legitimate Microsoft Office update. Hesitant to add to the passlist since it could be infected. Any ideas?

An following event occurred on the Untangle Server @ 2016-02-12 04:29:17.606

HTTP virus blocked:
Virus Blocker Lite found virus [Win.Trojan.Bancos-2115(4e91082206f322625de0c78af83317b2:649531)] http://officecdn.microsoft.com/pr/49...68/i321033.cab

[jcoffin]

It's a known issue with Clam (Virus Blocker Lite). Until Clam revises their ruleset to handle this false positive, I would add the Microsoft sites to the pass list.

[KTurner]

thanks

[ferb]

Same here, I received over 5000 email notifications today because it says that Microsoft Office update is a virus.

[jcoffin]

Obviously everyone will get the same false positive.

[CLStech]

So, we added the exception as soon as we started getting the alerts. That was on 2-15-16. I'm still getting alerts with a time stamp for that date (below). We got 1000 this weekend from two specific boxes. The alerts are only from that morning we started getting alerts. Is there a way to clear this out? We've rebooted them, disabled and re-enabled virus blocker, but no change.

An following event occurred on the Untangle Server @ 2016-02-15 07:36:20.211
HTTP virus blocked:
Virus Blocker Lite found virus [Win.Trojan.Bancos-2115(4e91082206f322625de0c78af83317b2:649531)] http://officecdn.microsoft.com/pr/49...e/Data/v32.cab

{"timeStamp":"2016-02-15 07:36:20.211","clean":false,"requestId":95202791221737,"tag":"uvm[0]: ","nodeName":"virus_blocker_lite","class":"class com.untangle.node.virus.VirusHttpEvent","virusName":"Win.Trojan.Bancos-2115(4e91082206f322625de0c78af83317b2:649531)","partitionTablePostfix":"_2016_02_15"}

This is an automated message sent because the event matched the configured Alert Rules.

[CLStech]

We went in and changed the reporting retention time to one day to try to stop it and it seemed to fix the problem on one, but we still have one sending a couple hundred alerts a day from 2-15-16. Any ideas how to get rid of the old messages?

[YeOldeStonecat]

I ended up pulling VB Lite from all our Untangle installs (about 40 of 'em). I know Clam isn't the best of antivirus programs...quite on the opposite end of the spectrum. But it's simply blocking way too much with these false positives. It's not just a handful that we can go add into the pass list...we'd have to go hire additional full time staff to go around and add all of the addresses to the white list, and maintain it each day with new entries. Those that support businesses (which Untangle aims for as their target client)....have to support Office 365, which is on the rise to dominate e-mail for businesses. ClamAV is blocking the authentication for O365 too. We're getting slammed with calls lately for O365 issues...and I see the block alerts in AV-Lite...so I just pull it now from the rack. Problems go away.