AntiVirus Quarantine No Longer Working
Problem reported by Scarab - 11/19/2018 at 10:58 AM
Submitted
We've always gotten a number of "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host." errors in our POP & IMAP logs before. It can always be attributed to a user's AntiVirus software (Norton, Sonic Firewall, Windows Defender, etc.) not liking a particular email message and terminating the session. Sometimes a message with a virus gets past ClamAV and delivered to a user's Inbox by SM, and sometimes it is just a false-positive.

However, as of SM v16.3.6885 we've been getting an unusually high number of these:

[2018.10.30] 15:03:26 [208.74.109.150][49043159] Exception: (PooledTcpItem.cs) Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
[2018.10.30] 15:03:26 [208.74.109.150][49043159] StackTrace:    at System.Net.Sockets.NetworkStream.BeginRead(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback callback, Object state)
[2018.10.30]    at System.Net.FixedSizeReader.StartReading()   at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)   at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)   at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)   at System.Net.Security._SslStream.BeginRead(Byte[] buffer, Int32 offset, Int32 count, AsyncCallback asyncCallback, Object asyncState)   at MailService.TcpServerLib.Common.PooledTcpItem.BeginReceive()
15:03:27 [208.74.109.150][884751] disconnected at 10/30/2018 3:03:27 PM

Looking at MANAGE > SPOOL > QUARANTINE, there have been no messages quarantined for the past 11 days, which happens to be when we upgraded to v16.3.6885, although REPORTS > VIRUSES CAUGHT shows normal stats and indicates that 1500 messages should have been quarantined during this time period. Our SETTINGS > ANTIVIRUS > VIRUS QUARANTINE is still set to "15 Days".

Of course we can instruct our users to disable the active scanning of their Mail in their AV software or firewall, but this should be a rare exception to the rule rather than the rule itself. They shouldn't be getting all the messages that have been successfully flagged by ClamAV as containing a virus in the first place.

1 Reply

Scarab Replied
Also, is there a log that can be grepped to pull a list of the 1500 emails that were scanned positive by ClamAV that weren't quarantined so that they can be removed manually from customer Inboxes?

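The exception lines quoted in the report follow a fixed shape (date, time, client IP, session id, message), so the spike can be measured per client and per day instead of eyeballed. The following is an added example, not code from the thread or from SmarterMail; the log format is taken from the lines quoted above, and every sample line except the first is constructed (192.0.2.x is a documentation address).

```python
import re
from collections import Counter

# Log line shape as quoted in the thread:
#   [2018.10.30] 15:03:26 [208.74.109.150][49043159] Exception: (PooledTcpItem.cs) Unable to read ...
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$"
)
FORCED_CLOSE = "An existing connection was forcibly closed by the remote host"

# Constructed sample log (only the first line is taken from the thread).
SAMPLE_LOG = """\
[2018.10.30] 15:03:26 [208.74.109.150][49043159] Exception: (PooledTcpItem.cs) Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
[2018.10.30] 15:03:26 [208.74.109.150][49043159] StackTrace:    at System.Net.Sockets.NetworkStream.BeginRead(...)
[2018.10.30] 15:04:01 [208.74.109.150][49043201] Exception: (PooledTcpItem.cs) Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
[2018.10.30] 15:05:12 [192.0.2.10][49043222] disconnected at 10/30/2018 3:05:12 PM
[2018.10.31] 09:10:00 [192.0.2.10][49050001] Exception: (PooledTcpItem.cs) Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
"""


def parse_line(line):
    """Return the fields of one log line, or None for continuation or unparseable lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def forced_closes_by_client(log_text):
    """Count 'forcibly closed' exceptions per (date, client IP); stack-trace lines are skipped."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and FORCED_CLOSE in rec["msg"]:
            counts[(rec["date"], rec["ip"])] += 1
    return counts


def noisy_clients(counts, threshold):
    """Clients whose per-day forced-close count reaches the threshold, worst first."""
    hits = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda kv: -kv[1])


if __name__ == "__main__":
    totals = forced_closes_by_client(SAMPLE_LOG)
    for (day, ip), n in noisy_clients(totals, threshold=2):
        print(f"{day} {ip}: {n} forced closes")
```

Run it against the real POP/IMAP log for the days before and after the upgrade; a jump in per-client counts that is not tied to a handful of IPs points at the server-side change rather than at individual users' AV software.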