Back to Community Threads
6
This message has been quarantined because a virus was found (Win.Exploit.CVE_2019_0903-6966169-0)
Problem reported by Alex Hee - 5/27/2019 at 12:34 AM
Resolved
Not sure what is wrong with the SmarterMail. Started since 26th May it detected above virus on some emails with PDF file even though the email is not affected by viruses.

The temporary solution is to disable ClamAV. Any idea what is happening?

22 Replies

Reply to Thread
0
Simone Schilirò Replied
5/27/2019 at 12:50 AM
Same problem here
0
Patrick Kraus Replied
5/27/2019 at 12:52 AM
We have had to disable Clam as well. It appears that this is a false positive and has been reported widely across multiple forums.

We are enabling clam every 2 hours and running the update to see if any updated have been released by them but have had no luck as of yet.

The other option would be to white-list the signature but I dont thing this is an option for this setup of Calm.
0
Manuel Martins Replied
5/27/2019 at 1:25 AM
Same problem here!
0
Ng Cher Choon Replied
5/27/2019 at 2:25 AM
Same problem here. Some domains can send out the attachment successfully but many domains have the above problem sending the same attachment. This affects mainly the PDF attachment.
0
Gonzalo Varela Rua Replied
5/27/2019 at 2:55 AM
Also here
0
CTL Replied
5/27/2019 at 4:48 AM
Support Team should review the issue, We have similar issue faced  some of our clients.

Any relation between Zero day vulnerability  from Microsoft patch ?


Thanks
1
William Fock Replied
5/27/2019 at 10:29 AM
Seems like someone has mentioned it's fixed 4hrs ago. (ard 1035pm SGT time) +0800
0
Kyle Kerst Replied
5/28/2019 at 10:39 AM
Employee Post
This issue does appear to be a false positive problem introduced by a ClamAV signature update as best we can tell. I have tested with the updated signatures (this morning) and I am no longer seeing the same failures, which is in line with William's comment above. To test this in your own environment, head over to Settings>Antivirus and use the menu to update the ClamAV Virus Definitions. At that point you should be good to enable the ClamAV scanning again. Please monitor for any further issues as well. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
Manuel Martins Replied
5/28/2019 at 11:33 AM
Yeasterday afternoon ClamAV updated it's database and after that the problem was solved.
0
LeapSwitch Networks Replied
5/28/2019 at 12:13 PM
How do we retry the quarantined emails ?
2
Manuel Martins Replied
5/28/2019 at 2:02 PM
On the "Virus Quarantine" option just select the emails and then go to the button with the three dots and choose "Resend"
0
LeapSwitch Networks Replied
5/28/2019 at 2:34 PM
I am aware of the resend option, but how do I find out which emails were quarantined for this issue ?
0
Alex Hee Replied
5/28/2019 at 5:35 PM
Confirmed the issue has been resolved with yesterday updated virus pattern. For those who want to restore the quarantine email just go to Spool - Virus Quarantine & filtered quarantine emails based on date (25-29 May) . Then select emails that you wanted & resend. Done.
0
Simone Schilirò Replied
5/29/2019 at 9:04 AM
Solved!
1
Nathan Replied
5/30/2019 at 11:44 AM
To resolve quickly in future create a .ign2 file, for example exceptions.ign2 in the clamdb folder and put 'Win.Exploit.CVE_2019_0903-6966169-0' or whichever definition is generating the false positive on a line. Reload clam and it should then ignore the definition.
0
Kyle Kerst Replied
5/30/2019 at 3:07 PM
Employee Post
Thanks Nathan! I'm going to make a note of this here in support as well, perhaps we can get that added as a KB article. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
CTL Replied
6/14/2019 at 5:48 PM
Again the false positive issue re appear on build 7093 ,  Support team  pleas have a look and let me know the solution.

Thanks
0
Martin Margheim Replied
6/7/2023 at 4:58 PM
Surprise, surprise! My server is a very low volume server with only a few email domains. Today, after reading this thread, I investigated and was surprised to find what I believe was the email my clients have been reporting not receiving and the answer to email with attachments identifying as viruses.

All quarantined email has been released. Glad someone had the answer.

Thanks
Martin
0
Martin Margheim Replied
6/7/2023 at 5:37 PM
If you read my previous, I received another surprise. Turning off Clam AV did not resolve my problem. Turning off Windows Defender solved the attachment send on my Smartermail server. 

Clam AV is turned on and attachments come through without quarantine whereas with Windows Defender on, email is quarantined.

Martin
0
Sabatino Replied
6/8/2023 at 3:17 AM
I suggest you disable windows defender

Unfortunately, sometimes there are false positives. I discussed this problem with SM via ticket and also here and they confirmed it to me. Unfortunately, windows defender sometimes generates false positives. The proposed solution was to repeat the scan again in the event of a positive result from Windows Defender. But to date it doesn't seem to me that we have implemented it. So I would say that using defender makes the system unreliable, and therefore until SM finds a solution it shouldn't be used.

I took the trouble to check all the messages that windows defender reports as viruses and to check them manually and I assure you that false positives are not such a rare event, especially with attachments larger than 1Mb


Here is an excerpt from my ticket

Hey Sabatino,I talked to the developers and they said that the way that defender works is when it scans it can sometimes say hey this might be a virus and marks it as a virus then later on once Microsoft does more scans on it and does its internal stuff then it goes this isn't a virus.  So this issue is with just the way that defender works. I'm going to make this ticket into a feature request to add the ability for defender to rescan emails then if it comes back as not a virus it will send it through. Kind Regards
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Martin Margheim Replied
6/8/2023 at 7:15 PM
I have no problem with Windows Defender being disabled. For my MSP clients, Bit Defender is used locally. I am reporting that 24 hours after discoveries, disabling Windows Defender in Smartermail and leaving Clam AV with June 7 definition updates, there have been no further virus reports for email with attachments. Clients are reporting email is now being received with attachments and the quarantine remains empty.

FYI

Martin
0
Manuel Martins Replied
6/9/2023 at 5:00 AM
This is very strange! We have 2 SM Servers, both servers using SM 8552. The Primary Server and an Inbound Gateway, the situation of Windows Defender identifiing attachments as Virus false positives only happens on the SM Primary Server, on the Inbound Gateway Server Windows Defender is also active and the situation is not happening, only detects some attachments but after a closer look they are really virus.
The Windows Defender version is the same on both servers also.

Manuel Martins
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
TLS 1.0/1.1 Deprecation InformationGeneral Topics
Microsoft Defender Antivirus and Virus Scanner ExceptionsSmarterMail > Troubleshooting
Messages from Trusted Senders are going to my Junk folderSmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management