Notification if mail was caught by Defender or other Antivirus software
Idea shared by Martin Schaible - 5/31/2023 at 3:21 AM
Completed
Hello

We had a bad situation recently: Windows Defender quarantined an email with virus type [unknown]. As a matter of fact, the mail and the attachment were clean.

The customer missed an important mail.

I didn't see a possibility to switch on a notification if an incoming mail was quarantined. A notification should be possible on a per-user basis.

Cheers!

8 Replies

I suggest you disable Windows Defender.

Unfortunately, sometimes there are false positives. I discussed this problem with SM via ticket and also here, and they confirmed it to me. Unfortunately, Windows Defender sometimes generates false positives. The proposed solution was to repeat the scan again in the event of a positive result from Windows Defender. But to date it doesn't seem to me that we have implemented it. So I would say that using Defender makes the system unreliable, and therefore until SM finds a solution it shouldn't be used.

I took the trouble to check all the messages that Windows Defender reports as viruses and to check them manually, and I assure you that false positives are not such a rare event, especially with attachments larger than 1 MB.


Use ClamAV, updating definitions from SecuriteInfo.


To date I have not had a false positive.

But I only update the following databases, and not all those proposed by SecuriteInfo. In fact, some databases also intercept spam, and then it all becomes a confusion:

securiteinfo.hdb
securiteinfo.ign2
securiteinfoascii.hdb
securiteinfopdf.hdb
securiteinfo0hour.hdb
securiteinfo.mdb
securiteinfo.pdb

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
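To make the "update definitions from SecuriteInfo" advice concrete, here is an added example (not from the post above, and not SmarterTools' or ClamAV's own code) that emits freshclam `DatabaseCustomURL` lines for exactly the seven databases listed, and appends them to a `freshclam.conf` idempotently. It assumes the SecuriteInfo download URL layout `https://www.securiteinfo.com/get/signatures/<key>/<file>`, where `<key>` is the personal access key SecuriteInfo issues; the key value and the `SECURITEINFO_KEY` variable are placeholders.

```shell
#!/bin/sh
# Added example: feed the SecuriteInfo databases the poster keeps into freshclam.
# Not code from the thread, SmarterTools or ClamAV. Assumptions: SecuriteInfo's
# per-key URL layout (below) and freshclam's DatabaseCustomURL directive.

# Only the seven databases the poster listed; spam-oriented SecuriteInfo
# databases are deliberately left out so the scanner stays a malware scanner.
SECURITEINFO_DBS="securiteinfo.hdb securiteinfo.ign2 securiteinfoascii.hdb securiteinfopdf.hdb securiteinfo0hour.hdb securiteinfo.mdb securiteinfo.pdb"

# Personal SecuriteInfo access key (placeholder; take it from the environment
# rather than hard-coding it in a file that might be checked in or shared).
SECURITEINFO_KEY="${SECURITEINFO_KEY:-REPLACE_WITH_YOUR_KEY}"

# Print one DatabaseCustomURL line per database.
securiteinfo_custom_urls() {
  for db in $SECURITEINFO_DBS; do
    printf 'DatabaseCustomURL https://www.securiteinfo.com/get/signatures/%s/%s\n' \
      "$SECURITEINFO_KEY" "$db"
  done
}

# Append the lines to the freshclam.conf given as $1, skipping any line that is
# already present, so the function can be re-run safely (e.g. from a deploy script).
add_securiteinfo_to_freshclam_conf() {
  conf="$1"
  securiteinfo_custom_urls | while IFS= read -r line; do
    grep -qxF -- "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
  done
}

# Count the SecuriteInfo DatabaseCustomURL lines in a conf file (0 if none).
count_securiteinfo_urls() {
  grep -c '^DatabaseCustomURL https://www.securiteinfo.com/' "$1" 2>/dev/null || true
}

# Usage: SECURITEINFO_KEY=... sh this.sh /path/to/freshclam.conf && freshclam
if [ -n "$1" ]; then
  add_securiteinfo_to_freshclam_conf "$1"
  echo "SecuriteInfo databases configured: $(count_securiteinfo_urls "$1")"
fi
```

After the lines are in place, run `freshclam` once by hand and confirm the seven files appear in ClamAV's database directory before relying on them in production; where SmarterMail keeps its bundled ClamAV configuration is deployment-specific and not stated in this thread.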
We also see a lot of messages in the Virus Quarantine that look legit. Specifically, messages from:
  • credit cards (Citi, AmericanExpress)
  • hotels (Hilton, Marriott).
Are others experiencing this? Why are they getting caught? Don't want to have to review this daily and resend messages. Thanks!
Don't use Windows Defender.

Here is an excerpt from my ticket

Hey Sabatino, I talked to the developers and they said that the way that Defender works is when it scans it can sometimes say "hey, this might be a virus" and marks it as a virus; then later on, once Microsoft does more scans on it and does its internal stuff, it goes "this isn't a virus". So this issue is with just the way that Defender works. I'm going to make this ticket into a feature request to add the ability for Defender to rescan emails; then if it comes back as not a virus it will send it through. Kind Regards

Until this feature is implemented there is no need to use Windows Defender.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino, OK thanks for the clarification!

Question for SmarterTools: if I select the messages and pick Resend, does it scan through Windows Defender again and allow it to pass? Or does it just send without scanning, possibly releasing a message with a virus?

Thanks.
Employee Post
Hello, 

I wanted to let you know that you can set up a system event to notify you when a virus has been found in the spool.
I am sorry. But even with the installation of 8664 and reactivating Windows Defender, false positives occur. I opened numerous tickets and numerous threads on the topic, and in the end the developers confirmed that there was a problem that caused Defender to generate false positives in some circumstances and that it would be appropriate to implement a double scan in the event of a positive result from Defender. At present Windows Defender cannot be used. Manual control of the quarantine is not practicable.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Hi Sabatino,
How do you do this?
"Use ClamAV, updating definitions from SecuriteInfo."
I already have ClamAV enabled in SmarterMail.

Thanks
Luis Martins
The best practice is to notify the recipient user or recipient domain admin and let them manage their own quarantined items.
But I think that only the system admin can manage the quarantine. This is not good!
If I'm wrong, please correct me.
Thanks
Luis Martins
