I'm hoping some of you can shed some insight on these questions related to the workings of ClamAV and Cyren AV.
1a. Under Security > Antivirus Administration > Options there is a setting for Virus Quarantine with options of None, 15 days, and 30 days. For the 15/30-day settings, I'm assuming that offending messages are sent to the Virus Quarantine for that number of days, after which they are simply deleted. Is that correct?
1b. What happens to the messages if the Virus Quarantine setting is set to None? Are the messages deleted? Sent to the recipient's mailbox? Tagged in some way?
1c. To which mechanisms does the Virus Quarantine setting apply? ClamAV? Cyren? Both? It appears to be generically listed under Options in the Antivirus section; however, Cyren has its own set of options for Virus, High, and Medium results, while ClamAV, on the other hand, has no options for how to handle offending messages. How does the Virus Quarantine fit into the picture?
2. Are messages that are sent to the Virus Quarantine automatically rescanned periodically and potentially sent on to the recipient (e.g., a bad signature update results in false-positives; new signature update corrects the issue; are the messages that reside in the Virus Quarantine automatically rescanned using the updated signatures in order to potentially release previously detected false-positives)?
3. Are senders and/or recipients notified in any way when a message is detected by ClamAV, detected by Cyren, and/or sent to the Virus Quarantine?
4a. Is there some way for recipients to review/release messages that have been sent to the Virus Quarantine, or is review of the Virus Quarantine exclusive to the System Administrator?
4b. If review of the Virus Quarantine is exclusive to the System Administrator, how are you handling this? With SM v12, I was seeing enough false positives in the Virus Quarantine that I needed to review it on a daily basis. Thus far with SM v15 (upgraded early this morning), I'm seeing significantly more activity in the Virus Quarantine than with SM v12. I'm assuming this is related to the implementation of ClamSup. Much of it appears to be legitimate blockage, but not necessarily virus-related even though that's what it's being flagged as in the Delivery log. This is problematic in the sense that spam detected via the AntiSpam mechanisms lands in Junk Email for users to deal with. Spam detected by ClamAV appears to land in the Virus Quarantine where it seems that I have to deal with it. There remain enough false-positives that I will need to review the Virus Quarantine on a daily basis, if not multiple times per day due to the increase in messages quarantined, but now I have more messages to wade through than before. How do you manage this?
5. How does the ClamAV / Cyren setup work? Which scan occurs first? Do all messages go through both mechanisms, or if the first mechanism detects a virus, does it skip the second mechanism?
6. Is there an easy way for me to see statistics about how many messages are detected by each of ClamAV and Cyren Zero-hour Antivirus? I found...
Reports > Dashboards > System Statistics > Security shows how many viruses have been deleted, but doesn't give any indication of which mechanism detected them.
Reports > System Summary Reports > Spam and Virus Reports > Viruses shows me virus counts detected by domain, further broken down by user, but again doesn't give any indication of which mechanism detected them.
Reports > System Trend Reports > Traffic Reports > ClamAV shows me ClamAV connections, but there isn't any info about number of viruses detected.
Reports > System Trend Reports > Spam and Virus Reports > Viruses shows me virus counts by day, but there is no indication of which mechanism detected them.
Reports > System Trend Reports > Spam and Virus Reports > Cyren Zero-hour Antivirus shows me a breakdown of Virus, High, Medium results for Cyren, which is potentially useful, but questions: are these the messages that passed through ClamAV undetected and were then detected by Cyren, or do all messages pass through Cyren regardless of ClamAV, and this is what Cyren detected regardless of whether ClamAV detected them as well?
Interestingly, in running this report from 7/14/15 through 7/13/16 (1 year), Cyren has detected a total of TWELVE Virus/High/Medium results. This doesn't seem reasonable to me at all. We've been running SM v12 with Commtouch AV until today (now SM v15 with Cyren AV), but still...12 detections in an entire year? It seems unlikely to me that we would be that immune to seeing viruses. Are viruses being blocked before Commtouch/Cyren scans them, and thus not detected by Commtouch/Cyren? Are viruses coming in and passing through both ClamAV and Commtouch/Cyren undetected?
We haven't received complaints from users about viruses getting through, but twelve virus detections in an entire year simply isn't worth $450/year (cost of Cyren AV). If I disable ClamAV, should I see an increase in Cyren detections?
I feel like I need to see more detail about what's actually happening, but I'm not sure where to look for it. I can see ClamAV detections in the delivery log. Are the Cyren detections/blocks logged somewhere as well?
Any/All thoughts and suggestions are welcome.