4
ClamAV placing messages in Virus Quarantine
Question asked by kevind - 7/7/2023 at 12:48 PM
Answered
Every day I see new messages in the Virus Quarantine that look legit. Some recent ones have this message from Microsoft in the body:

<email address> has sent you a protected message.
[lock]
Read the message
Learn about messages protected by Microsoft Purview Message Encryption.
Message got sent there by ClamAV.  Looks like a false positive, but not 100% sure.  Anyone else seeing this?

8 Replies

1
Leon Baldwin Replied
was there anything in scan?
2
kevind Replied
Not sure. Where do I check?
3
kevind Replied
Also, seeing quite a few credit card emails getting quarantined, like ones from: American Express, Citi, CapitalOne, etc.

The messages look legit with valid From: & To: addresses plus a body that doesn't look like phishing. How do I tell why these were quarantined?

What is everyone else doing?  Turn off ClamAV?  Adjust settings? TIA.
3
echoDreamz Replied
Marked As Answer
ClamAV is garbage and really should just be retired... Also the "PhishingScanURLs" setting in the clamd.conf is what causes those FP flags on AMEX, Citi etc.

We had nothing but trouble with it, plus it uses an insane amount of resources for the very poor job it does. However, it does do a decent job finding PHP malware and other web-based backdoors and what not.
2
kevind Replied
@echo – good call, thanks for reply!

Found this KB article and will try disabling phishing scans:

If it doesn't catch anything else, we'll just disable it.
0
J. LaDow Replied
There is a scam going around using a compromised or vulnerable citi.com (info*.citi.com) server that ClamAV is picking up with bogus credit card emails.

There is also an exclusion setting that will stop it from catching the Microsoft "encrypted" messaging emails.

If you create (or edit) C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2 and add

Email.Phishing.RPMSG_Downloader-10004958-0
on its own line and restart the ClamAV process it will reload with the ignored entry and stop flagging those messages from Microsoft.

We also told ClamAV to stop scanning messages without attachments -- this stopped the "false positives" from the legit credit card emails while still blocking those compromised emails coming through an info*.citi.com server.

We also added an EHLO block to pick up that compromised server and block it at the connection level.

MailEnable survivor / convert --
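A small helper for the whitelist.ign2 step described in the post above, added here as an example for this thread rather than SmarterTools or ClamAV code. It assumes the clamscan/clamd result format "path: SignatureName FOUND" and the whitelist path quoted in the post; it adds an ignore entry only once, rejects names ClamAV could not parse, and the scan line it is exercised with is constructed.

```python
import re
import sys
from pathlib import Path
from typing import Optional

# Default location taken from the post above (SmarterMail's bundled ClamAV on Windows).
DEFAULT_IGN2 = Path(r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2")

# ClamAV signature names use only these characters; rejecting anything else keeps a
# typo from producing a line that ClamAV cannot parse when it loads the ignore list.
SIG_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# clamscan/clamd report a detection as "<path>: <signature name> FOUND".
SCAN_HIT = re.compile(r": (?P<sig>\S+) FOUND\s*$")


def signature_from_scan_line(line: str) -> Optional[str]:
    """Return the signature name from a clamd/clamscan result line, or None for a clean line."""
    m = SCAN_HIT.search(line)
    return m.group("sig") if m else None


def ignored_signatures(text: str) -> list:
    """Signature names already listed in an .ign2 file (one per line, blank lines skipped)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def add_ignored_signature(text: str, sig: str) -> tuple:
    """Return (new file contents, added?). Idempotent: an existing entry is not duplicated."""
    if not SIG_NAME.fullmatch(sig):
        raise ValueError(f"not a valid ClamAV signature name: {sig!r}")
    if sig in ignored_signatures(text):
        return text, False
    if text and not text.endswith("\n"):
        text += "\n"
    return text + sig + "\n", True


def whitelist_file(path: Path, sig: str) -> bool:
    """Apply add_ignored_signature to the file on disk, creating it if missing."""
    old = path.read_text(encoding="ascii") if path.exists() else ""
    new, added = add_ignored_signature(old, sig)
    if added:
        path.write_text(new, encoding="ascii", newline="\n")
    return added


if __name__ == "__main__":
    # Usage: python whitelist_sig.py "<scan result line or signature name>" [path-to-whitelist.ign2]
    sig = signature_from_scan_line(sys.argv[1]) or sys.argv[1]
    target = Path(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_IGN2
    print("added" if whitelist_file(target, sig) else "already listed", sig, "->", target)
    print("restart the ClamAV process so the ignore list is reloaded")
```

As the employee reply below notes, every name placed in this file is a signature ClamAV will no longer report, so the list is worth reviewing periodically.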
1
Christopher Hiatt Replied
Don't know how I missed this thread. This issue is still there in build 9091. Had been having this issue with Amex and Citi emails getting stuck in quarantine for a long while. Just tried this fix and will see how it goes.
0
Kyle Kerst Replied
Employee Post
Hi Christopher, this is unfortunately less a bug (in which case we could resolve it here) and more a default behavior of ClamAV which is an open source antivirus we package with SmarterMail. Whitelisting the offending signature should help, but you'll want to keep an eye out for false negatives to be on the safe side since ClamAV won't be seeing those anymore. Cyren Premium Antispam and Message Sniffer are excellent solutions for those types of spoofing emails so that might be something to consider if you do see an uptick in nefarious emails. 
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
