'Virus Found' Event Email...being classed as a virus?!
Problem reported by CCWH - August 13, 2015 at 5:40 AM
Hello all,
 
We seem to be getting a very weird issue.  We have an event set up (SM 14 Ent - Settings > Events > Events) which notifies the inbound recipient an email has been quarantined due to a Virus attachment.  This sends only to our clients and does not notify the sender...for obvious reasons.
 
So, a 'Virus Found' event triggers.  It quarantines the virus (or deletes) and then sends the email to the recipient.  The issue is that sometimes, not all of the time, that very System Email is quarantined!  So, it shows within Manage > Spool > Virus Quarantine.
 
If we try to force send, it just reappears.
 
All I can find in the logs is:
 
[2015.08.12] 03:36:54 [68627] Delivery started for Email_Security@OurDomain.com at 03:36:54
[2015.08.12] 03:37:00 [68627] This message has been quarantined because a virus was found.
 
The following shows one of the event emails going through without an issue:
 
[2015.08.12] 10:24:56 [68756] Delivery started for Email_Security@OurDomain.com at 10:24:56
[2015.08.12] 10:25:02 [68756] Skipping spam checks: User authenticated
[2015.08.12] 10:25:05 [68756] Starting local delivery to username@ClientDomain.com
[2015.08.12] 10:25:05 [68756] Delivery for Email_Security@OurDomain.com to username@ClientDomain.com has completed (Delivered) Filter: None
[2015.08.12] 10:25:05 [68756] End delivery to username@ClientDomain.com
[2015.08.12] 10:25:05 [68756] Delivery finished for Email_Security@OurDomain.com at 10:25:05    [id:67768756]
 
The only thing I can think of is that for some reason the system (CLAMAV) doesn't like the event email containing the virus name.  However, most of these event emails get through and it's just a minority that end up in the quarantine.
 
We have seen this on multiple SM 14.1 Enterprise servers.
 
Anyone seen this before?
 
 
**EDIT**
 
This is a copy of the Event Email:
 
Please be advised:
 
The email message from #fromaddress# to #toaddress#, titled '#subject#', contained the #virusname# virus. For your safety the email and attachment has been deleted.
 
If you believe this to be a legitimate email please contact the sender.
 
Regards
 
Our Company Details
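
A way to measure how often this happens before raising it with support, as an added example that is not part of the original post: the script groups delivery-log lines by the bracketed session number and reports which messages from the event sender were quarantined and how many were delivered. It assumes the line layout quoted above and that a session number is not reused within the log being scanned; session 68800 and its sender are constructed for contrast.

```python
import re

# Constructed sample: the first two sessions are the log lines quoted in the post;
# session 68800 and its sender are invented here for contrast.
SAMPLE_LOG = """\
[2015.08.12] 03:36:54 [68627] Delivery started for Email_Security@OurDomain.com at 03:36:54
[2015.08.12] 03:37:00 [68627] This message has been quarantined because a virus was found.
[2015.08.12] 10:24:56 [68756] Delivery started for Email_Security@OurDomain.com at 10:24:56
[2015.08.12] 10:25:02 [68756] Skipping spam checks: User authenticated
[2015.08.12] 10:25:05 [68756] Delivery for Email_Security@OurDomain.com to username@ClientDomain.com has completed (Delivered) Filter: None
[2015.08.12] 10:25:05 [68756] Delivery finished for Email_Security@OurDomain.com at 10:25:05    [id:67768756]
[2015.08.12] 11:02:10 [68800] Delivery started for someone@example.com at 11:02:10
[2015.08.12] 11:02:14 [68800] This message has been quarantined because a virus was found.
"""

LINE_RE = re.compile(r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
START_RE = re.compile(r"^Delivery started for (\S+) at ")

def summarize_sessions(log_text):
    """Group lines by the bracketed session number and record each session's outcome."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or wrapped lines
        date, time, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"session": sid, "sender": None,
                                      "started": None, "outcome": "incomplete"})
        start = START_RE.match(msg)
        if start:
            s["sender"], s["started"] = start.group(1), f"{date} {time}"
        elif "quarantined because a virus was found" in msg:
            s["outcome"] = "quarantined"
        elif "(Delivered)" in msg and s["outcome"] != "quarantined":
            s["outcome"] = "delivered"
    return list(sessions.values())

def event_mail_report(log_text, event_sender):
    """Return (quarantined sessions, delivered count) for mail from the event sender."""
    mine = [s for s in summarize_sessions(log_text)
            if (s["sender"] or "").lower() == event_sender.lower()]
    quarantined = [s for s in mine if s["outcome"] == "quarantined"]
    delivered = sum(1 for s in mine if s["outcome"] == "delivered")
    return quarantined, delivered

if __name__ == "__main__":
    hits, ok = event_mail_report(SAMPLE_LOG, "Email_Security@OurDomain.com")
    for s in hits:
        print(f"{s['started']} session {s['session']} quarantined ({ok} delivered normally)")
```

The timestamps it prints can be matched against the original 'Virus Found' events to see which virus names were substituted into the notifications that ended up quarantined.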

2 Replies

0
We're still getting this issue. Anyone got any thoughts on this one? Just don't understand how a local Event email can go through virus checks and be placed in quarantine with no attachments!
1
This looks like a bug.  I'd suggest you submit a support ticket.
 
-Joe
