Windows defender problem
Problem reported by Sabatino - 8/4/2021 at 7:05 AM
Resolved
Hello everybody.
Unfortunately a very nasty thing is happening to me when activating the check with Windows Defender.

By pure chance, when Windows Defender was introduced in SM, I discovered a false positive.
This led me to investigate. I reactivated it with the latest version and found, by checking the .eml files in quarantine one by one, that:

1) Windows Defender identifies far more viruses than Cyren and ClamAV. Many .emls checked through www.virustotal.com have this result.

https://www.virustotal.com/gui/file/2888003d91b22ad1fe6c13637027c1a5022167f8480884ce19778ae950ee1150/detection

As you can see, it is not identified by Cyren or ClamAV.

So it's absolutely worth using Windows Defender.

2) Unfortunately, sometimes SM identifies a message as a virus through Windows Defender, but on subsequently checking the .eml, both with the Windows Defender of the same server and using www.virustotal.com, it does not contain viruses.

I opened various tickets, trying to reactivate Windows Defender in the various versions of SM, but they have not found solutions, thinking that the problem is related only to my installation.

I, on the other hand, believe that I am the only one who is doing a second check.

I reactivated Windows Defender 3 days ago with the latest version of SM, and of 52 viruses identified, 1 was a false positive.
It is, however, too much. If it were a false positive of Windows Defender I would come to terms with it, but it is the combination of SM and Windows Defender that creates the false positive, so it must be understood why.

I invite you to do some random checks.

I repeat, at least 50% of the .eml files manually checked through www.virustotal.com have confirmed to me that Windows Defender identifies real viruses that would otherwise not be identified by ClamAV and Cyren.
Sabatino Traini
Chief Information Officer
Genial s.r.l.
Martinsicuro - Italy

4 Replies

Sabatino Replied
For the sake of completeness, here is the log of a message identified as a virus but which, following a subsequent check, was found to be clean:

[2021.08.04] 11:55:39.490 [47975452] Delivery started for xxxx@xxxxxxxxx.it at 11:55:39
[2021.08.04] 11:55:42.553 [47975452] Added to SpamCheckQueue (1 queued; 3/30 processing)
[2021.08.04] 11:55:42.553 [47975452] [SpamCheckQueue] Begin Processing.
[2021.08.04] 11:55:42.553 [47975452] Blocked Sender Checks started.
[2021.08.04] 11:55:42.553 [47975452] Blocked Sender Checks completed.
[2021.08.04] 11:55:43.084 [47975452] This message has been quarantined because a virus was found by Windows Defender. Virus: (Unknown).
[2021.08.04] 11:55:43.084 [47975452] Removed from SpamCheckQueue (4 queued or processing)
[2021.08.04] 11:55:45.600 [47975452] .eml file not found. Removing .hdr file.
[2021.08.04] 11:55:45.600 [47975452] Delivery finished for xxxx@xxxxxxxxx.it at 11:55:45 [id: 447975452]
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Gabriele Maoret - SERSIS Replied
We have no issues with false positives on Windows Defender (our server processes about 30,000 mails per day).
We are using the latest SM release on Windows Server 2016.

I will monitor it from now on to check it better.
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Matt Petty Replied
Employee Post
We're currently debugging this issue/ticket atm; we are having trouble finding correlations and are not able to reproduce it on either our live or test environments. I'm trying to figure out how to debug this further, as Defender is like a black box and I get very little info back from it. We'll post more as it develops.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
Sabatino Replied
Thanks for your attention.

I got the .eml from quarantine and tried resending it:

1) from 2 external SMTP servers to an email address on my server

2) from an account inside my server to another account inside my server

In none of the cases was the message identified as a virus. It seems to be a rather random thing.

The fact is that I have committed to checking all the quarantined files individually to verify the operation; otherwise I would never have noticed.

I am left with the doubt whether it is a random error on all installations and/or the problem is only on my Windows Server 2019 with SmarterMail Enterprise 100.0.7879.30160

Italian localization

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
