Unfortunately, some ClamAV signatures generate a lot of false positives, such as the YARA docx_macro signature, which only checks whether an office document contains macros, regardless of whether the macro is intentional or a virus.
To disable signatures, create a file in the ClamAV signature database directory (on Debian, at /var/lib/clamav/local.ign2) containing the signature names, one per line. For instance, to stop YARA from flagging office documents with macros as viruses, add the line:
docx_macro
to the newly created file.
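
The step above as a small shell helper that adds a name to the ignore file only if it is not already listed. This is an added example, not part of the original page or of ClamAV; the function names and the IGN_FILE variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotently add a signature name to a ClamAV ignore list.
# IGN_FILE defaults to the Debian path given above; override it for testing.
IGN_FILE="${IGN_FILE:-/var/lib/clamav/local.ign2}"

# clam_ignore_sig NAME [FILE]
# Returns 0 if the name was added or was already present, 2 on an invalid name.
clam_ignore_sig() {
    name=$1
    file=${2:-$IGN_FILE}
    # One signature name per line: reject empty names and embedded whitespace.
    case $name in
        ''|*[[:space:]]*)
            echo "invalid signature name: '$name'" >&2
            return 2 ;;
    esac
    # Create the file if it does not exist yet.
    [ -e "$file" ] || : > "$file" || return 1
    # -x matches whole lines, -F treats the name as a fixed string, so an
    # existing "docx_macro" entry does not hide a shorter or longer name.
    if grep -qxF -- "$name" "$file"; then
        return 0
    fi
    # If the file does not end in a newline, add one before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$name" >> "$file"
}

# clam_ignored_count [FILE]: number of non-empty entries, for a quick audit
# of how many signatures are currently disabled.
clam_ignored_count() {
    grep -c . "${1:-$IGN_FILE}" || :
}

# Usage (needs write access to the database directory):
#   clam_ignore_sig docx_macro
```

clamd applies the ignore list the next time it reloads its signature database.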