8
Smartermail Virus Scanning
Problem reported by J Lee - 6/9/2023 at 11:19 AM
Not A Problem
Hi All

I have noticed many false positives by Defender, CLAM, and Cyren. Is anyone else seeing this issue?

You might want to check your Virus Quarantine.


J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

17 Replies

1
Sabatino Replied
As I have said many times here on the community

I suggest you disable Windows Defender.

Unfortunately, sometimes there are false positives. I discussed this problem with SM via ticket and also here and they confirmed it to me. Unfortunately, Windows Defender sometimes generates false positives. The proposed solution was to repeat the scan again in the event of a positive result from Windows Defender. But to date it doesn't seem to me that we have implemented it. So I would say that using Defender makes the system unreliable, and therefore until SM finds a solution it shouldn't be used.

I took the trouble to check all the messages that Windows Defender reports as viruses and to check them manually, and I assure you that false positives are not such a rare event, especially with attachments larger than 1 MB.


Here is an excerpt from my ticket

Hey Sabatino, I talked to the developers and they said that the way that Defender works is when it scans it can sometimes say hey this might be a virus and marks it as a virus, then later on once Microsoft does more scans on it and does its internal stuff then it goes this isn't a virus. So this issue is with just the way that Defender works. I'm going to make this ticket into a feature request to add the ability for Defender to rescan emails, then if it comes back as not a virus it will send it through. Kind Regards

However, I have not found any problems with clamav and cyren. But I haven't had Cyren for 1 month now because the license has expired
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
1
J Lee Replied

Thanks for the reply; our virus scanning did appear to work with no issue for a long time. 

Just recently, I noticed these false positives and started looking closer. 

All the scanners have false positives. Most of the false positives I see are email notices, so not a huge problem, but some are from IRS, GOV, and Amex.

 
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
0
J Lee Replied
After looking a little deeper, a percentage of these false positives are 

Virus: (Heuristics.Phishing.Email.SpoofedDomain)

Example A record
welcome.xxxxxxxxxxx.com = 0.0.0.0

IP does not match MX or SPF, and the email goes to Quarantine. 

You could turn off Scan Messages Without Attachments, but it is unclear if this would allow Virus/Ransomware links through your scanners. 

Question for Smartermail Admin, can a whitelist be added to Defender, ClamAV, and/or Cyren?
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
2
Jay Dubb Replied
We're getting a LOT of false positives from ClamAV, nearly all of them false positives from the Sane Security phish protection.  Some of our customers use a 3rd party external spam filtering vendor who quarantines suspected spam and sends quarantine reports to the users.  The quarantine reports themselves are being caught and trapped by Clam/Sane on Smartermail, even though the reports themselves are 100% harmless.

We have the 3rd party filtering service's IP addresses fully whitelisted, yet even whitelisted senders cannot bypass the ClamAV scanning.  We opened a ticket about this a while back, but were told there's no way to bypass AV scanning on whitelisted IPs.

So at this point, we're in a jam.  We're having to constantly watch the Virus quarantine on SM and manually release the quarantine reports.  It's not pleasant.
 
0
Tim Uzzanti Replied
Employee Post
Jay,

I see a ticket you started with Zach and he was trying to give you some config info but you said he could close the ticket.  Not much info in your ticket at the time.  Maybe open a new ticket and our support team can give you some ideas on how to reduce false positives with ClamAV.  
Tim Uzzanti CEO SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
J Lee Replied
I have noticed that all the virus scanners have been producing false positives recently. 

90% of these false positives are because the sender is not creating the correct SPF, DKIM, or DMARC for sending from a subdomain address, like @welcome.americanexpress.com, @new.irs.gov, or @notice.citibank.com. 

I think what is happening is the virus scanner sees that the subdomain is not in alignment with SPF and DMARC, and it puts the email in Quarantine. This is usually a spam-checking process. Not sure why the virus scanners are doing this. 



J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
2
Michael Replied
We see same issue... when Clam AV is on we get a handful of Virus: (Heuristics.Phishing.Email.SpoofedDomain)

Seeing similar, the messages are from:


Those are big companies, I wonder what Smarter Mail can do to work around how they send messages?
1
J Lee Replied
Upvoting and thumbs up will get this issue placed on higher priority. :)
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
2
Tim Uzzanti Replied
Employee Post
We're going to give you guys some ideas to better work with ClamAV.  But realize, we are trying to integrate FREE solutions for Antivirus and there will be gotchas.  When you pay for solutions like Cyren Antivirus, you will get better results.  Anyway, I think you will appreciate what Zach will post here shortly.
Tim Uzzanti CEO SmarterTools Inc. (877) 357-6278 www.smartertools.com
5
Zach Sylvester Replied
Employee Post
Hello Everyone, 

ClamAV being a free and full-featured AV, it's hard for us to understand every aspect of it, since it's not our product. But I do have a solution for you here. 

Firstly let's start with turning off scanning for Phishing. This is helpful if you get lots of Heuristics.Phishing.Email.SpoofedDomain False positives. 

To do this you need to do the following. 

  1. Go to C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\etc and edit Clamd.conf.
  2. Append PhishingScanURLs no to the bottom of the file. 
  3. Once that is done, save and restart the SmarterMail service.
 
Next, if you're getting different false positives like Email.Phishing.RPMSG_Downloader-10004958-0 you can whitelist the signature via the following steps. 

  1. Stop the SmarterMail service.
  2. Go to C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav
  3. Create a file called whitelist.ign2
  4. Edit that file and enter the signature of the false positive:
     Email.Phishing.RPMSG_Downloader-10004958-0
  5. Start the service. 

You should be able to do one signature per line if you have other examples. 


If you're unsure what the signature of the false positive is you will be able to find this in the delivery logs. 

I hope this helps. If you have any questions or concerns feel free to let me know. We are going to have a KB on this in the future with this information as well. 

Thanks, 

Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Michael Replied
Zach, turning off scanning for Phishing was very helpful. We followed your instructions for Heuristics.Phishing.Email.SpoofedDomain False positives.

But... still...
Messages from FedEx getting caught by Clam.

We see:
MailFrom: no-reply-esign2@fedex.com, SenderIP: 205.220.167.9

Then... This message has been quarantined because a virus was found by ClamAV. Virus: (Email.Phishing.RPMSG_Downloader-10004958-0)

Seems we need to whitelist the signature.

I'm reading above:
"If you're unsure what the signature of the false positive is you will be able to find this in the delivery logs"

Where in the delivery log would we find the signature?
It's not clear.
1
Michael Replied
Or lol. Maybe the signature is actually "10004958-0"

So if that's the case...

create a file called
whitelist.ign2
After this edit that file and enter in the signature of the false positive.
Email.Phishing.RPMSG_Downloader-10004958-0

Just as you noted above?
3
Zach Sylvester Replied
Employee Post
Hey Michael, 

Thank you for the question! The signature in this case would be:
Email.Phishing.RPMSG_Downloader-10004958-0
Just paste the entire line into the whitelist.ign2 file and when clamav is restarted this file should be excluded. 

Thanks,  
Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
J Lee Replied
Hi Zack 

Thanks for this solution. 

I found these options, and none of them are listed in my clamd.conf file. 

Since they are not listed, can I assume the default of "Yes" is applied and the scan is operational?

Or do I need to add:

PhishingSignatures yes
PhishingScanURLs no
PhishingAlwaysBlockCloak yes
PhishingAlwaysBlockSSLMismatch yes


PhishingSignatures BOOL
With this option enabled ClamAV will try to detect phishing attempts by using signatures.
Default: yes
PhishingScanURLs BOOL
Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Default: yes
PhishingAlwaysBlockCloak BOOL
Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.
Default: no
PhishingAlwaysBlockSSLMismatch BOOL
Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.
Default: no

I also found these scan options that look to be very helpful but are not listed in clamd.conf, especially the pdf scan option. 


ScanPDF BOOL
This option enables scanning within PDF files.
If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes
ScanSWF BOOL
This option enables scanning within SWF files.
If you turn off this option, the original files will still be scanned, but without decoding and additional processing.
Default: yes
ScanXMLDOCS BOOL
This option enables scanning xml-based document files supported by libclamav.
If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes
ScanHWP3 BOOL
This option enables scanning HWP3 files.
If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes
ScanArchive BOOL
Scan within archives and compressed files.
If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
Default: yes
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
0
J Lee Replied
Never mind, I found my answer.

When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
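Added example (not SmarterTools' code): a small Python helper that ties Zach's whitelist.ign2 procedure and J Lee's question about unlisted clamd.conf options together. It resolves which Phishing* options clamd will actually use (explicit line wins, commented-out or absent options fall back to the defaults quoted above), pulls signature names out of quarantine notices in the format Michael pasted, and builds the one-signature-per-line .ign2 content, keeping Heuristics.* hits separate since the thread handles those via PhishingScanURLs rather than the whitelist. The sample config and log lines are constructed; the defaults are assumed to match the ClamAV build SmarterMail bundles.

```python
import re

# Defaults from the clamd.conf documentation quoted in the thread; assumption:
# the ClamAV build bundled with SmarterMail uses the same defaults.
PHISHING_DEFAULTS = {
    "PhishingSignatures": "yes",
    "PhishingScanURLs": "yes",
    "PhishingAlwaysBlockCloak": "no",
    "PhishingAlwaysBlockSSLMismatch": "no",
}

# Constructed sample clamd.conf: one option commented out, one set explicitly.
SAMPLE_CONF = "LogFile C:\\clamd.log\n# PhishingAlwaysBlockCloak yes\nPhishingScanURLs no\n"

# Constructed quarantine notices in the shape quoted by Michael above.
SAMPLE_LOG = """MailFrom: no-reply@example.com, SenderIP: 192.0.2.10
This message has been quarantined because a virus was found by ClamAV. Virus: (Email.Phishing.RPMSG_Downloader-10004958-0)
This message has been quarantined because a virus was found by ClamAV. Virus: (Heuristics.Phishing.Email.SpoofedDomain)
This message has been quarantined because a virus was found by ClamAV. Virus: (Email.Phishing.RPMSG_Downloader-10004958-0)
"""

def effective_options(conf_text, defaults=PHISHING_DEFAULTS):
    """An explicit option line wins; a commented-out or absent option
    falls back to its documented default, as clamd does."""
    result = dict(defaults)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in result:
            result[parts[0]] = parts[1].strip().lower()
    return result

SIG_RE = re.compile(r"Virus: \(([A-Za-z0-9._-]+)\)")
def signatures_from_log(log_text):
    """Unique signature names from 'Virus: (...)' quarantine lines."""
    return sorted(set(SIG_RE.findall(log_text)))

def build_ign2(signatures, existing=""):
    """Return (ign2_text, heuristic_hits): one database signature per line, no
    duplicates; Heuristics.* hits go back separately (thread: PhishingScanURLs)."""
    lines = [l.strip() for l in existing.splitlines() if l.strip()]
    heuristic = []
    for sig in signatures:
        if sig.startswith("Heuristics."):
            heuristic.append(sig)
        elif sig not in lines:
            lines.append(sig)
    return ("\n".join(lines) + "\n" if lines else ""), heuristic
```

Run effective_options on your real clamd.conf to confirm PhishingScanURLs is really off before relying on it, and feed the returned ign2 text into whitelist.ign2 with the service stopped, as in Zach's steps.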
0
Larry Townsend Replied
What should the default Clamd.config look like?

0
Sabatino Replied
I am sorry. But even with the installation of 8664 and reactivating Windows Defender, false positives occur. I opened numerous tickets and numerous threads on the topic, and in the end the developers had confirmed that there was a problem that caused Defender to generate false positives in some circumstances and that it would be appropriate to implement a double scan in the event of a positive result from Defender. At present Windows Defender cannot be used. Manual control of the quarantine is not practicable.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
