4
ClamAV placing messages in Virus Quarantine
Question asked by kevind - 7/7/2023 at 12:48 PM
Answered
Every day I see new messages in the Virus Quarantine that look legit. Some recent ones have this message from Microsoft in the body:

<email address> has sent you a protected message.
[lock]
Read the message
Learn about messages protected by Microsoft Purview Message Encryption.
Message got sent there by ClamAV.  Looks like a false positive, but not 100% sure.  Anyone else seeing this?

6 Replies

1
Leon Baldwin Replied
was there anything in scan?
2
kevind Replied
Not sure. Where do I check?
3
kevind Replied
Also, seeing quite a few credit card emails getting quarantined, like ones from: American Express, Citi, CapitalOne, etc.

The messages look legit with valid From: & To: addresses plus a body that doesn't look like phishing. How do I tell why these were quarantined?

What is everyone else doing?  Turn off ClamAV?  Adjust settings? TIA.
3
echoDreamz Replied
Marked As Answer
ClamAV is garbage and really should just be retired... Also the "PhishingScanURLs" setting in the clamd.conf is what causes those FP flags on AMEX, Citi etc.

We had nothing but trouble with it, plus it uses an insane amount of resources for the very poor job it does. However, it does do a decent job finding PHP malware and other web-based backdoors and what not.
2
kevind Replied
@echo – good call, thanks for the reply!

Found this KB article and will try disabling phishing scans:

If it doesn't catch anything else, we'll just disable it.
0
J. LaDow Replied
There is a scam going around using a compromised or vulnerable citi.com (info*.citi.com) server that ClamAV is picking up with bogus credit card emails.

There is also an exclusion setting that will stop it from catching the Microsoft "encrypted" messaging emails.

If you create (or edit) C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2 and add

Email.Phishing.RPMSG_Downloader-10004958-0
on its own line and restart the ClamAV process it will reload with the ignored entry and stop flagging those messages from Microsoft.

We also told ClamAV to stop scanning messages without attachments -- this stopped the "false positives" from the legit credit card emails while still blocking those compromised emails coming through an info*.citi.com server.

We also added an EHLO block to pick up that compromised server and block it at the connection level.

MailEnable survivor / convert --
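The two configuration changes discussed in this thread (echoDreamz's `PhishingScanURLs` setting in clamd.conf, and J. LaDow's `whitelist.ign2` ignore entry) are both one-line file edits that are easy to get subtly wrong: a duplicated entry, a still-commented-out option, or a stale `PhishingScanURLs yes` left further down the file. The script below is an added example, not code from the thread, SmarterTools or the ClamAV project. It applies both edits idempotently and returns the new file contents from plain functions so you can review the diff before writing. The `whitelist.ign2` path and the signature name are the ones quoted above; the location of clamd.conf under the SmarterMail install is an assumption to verify on your own server. `.ign2` files take one signature name per line, and clamd must be restarted to reload them.

```python
"""Apply the two ClamAV false-positive mitigations from the thread as
idempotent file edits. Added example, not SmarterTools' or ClamAV's code."""
from pathlib import Path

# Ignore-file path quoted in the thread (ClamAV's signature database directory).
IGN2_PATH = Path(r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam"
                 r"\share\clamav\whitelist.ign2")
# ASSUMPTION: clamd.conf location under the same install; check your server.
CLAMD_CONF = Path(r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam"
                  r"\clamd.conf")
# Signature name from the thread. Only ignore a signature after confirming the
# quarantined items really are false positives.
RPMSG_SIG = "Email.Phishing.RPMSG_Downloader-10004958-0"


def ensure_ignore_entry(ign2_text: str, signature: str) -> str:
    """Return .ign2 content with `signature` present exactly once.

    The format is one signature name per line; blank lines and surrounding
    whitespace are normalised away so a duplicate cannot slip in.
    """
    lines = [ln.strip() for ln in ign2_text.splitlines() if ln.strip()]
    if signature not in lines:
        lines.append(signature)
    return "\n".join(lines) + "\n"


def _configures(line: str, key: str) -> bool:
    """True if `line` is `Key value` or a commented-out `#Key value`."""
    tokens = line.strip().lstrip("#").strip().split()
    return len(tokens) == 2 and tokens[0] == key


def set_clamd_option(conf_text: str, key: str, value: str) -> str:
    """Return clamd.conf content with `key value` set exactly once.

    The first active or commented-out definition of `key` is replaced in
    place, later duplicates are dropped, and the option is appended if the
    file never mentioned it.
    """
    out, done = [], False
    for line in conf_text.splitlines():
        if _configures(line, key):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue  # drop stale or duplicate definitions of the same key
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def plan_edits(ign2_text: str, conf_text: str) -> tuple[str, str]:
    """Compute both edited files without touching disk (review before writing)."""
    new_ign2 = ensure_ignore_entry(ign2_text, RPMSG_SIG)
    new_conf = set_clamd_option(conf_text, "PhishingScanURLs", "no")
    return new_ign2, new_conf


if __name__ == "__main__":
    ign2_text = IGN2_PATH.read_text() if IGN2_PATH.exists() else ""
    conf_text = CLAMD_CONF.read_text() if CLAMD_CONF.exists() else ""
    new_ign2, new_conf = plan_edits(ign2_text, conf_text)
    if new_ign2 != ign2_text:
        IGN2_PATH.write_text(new_ign2)
        print(f"updated {IGN2_PATH}")
    if new_conf != conf_text:
        CLAMD_CONF.write_text(new_conf)
        print(f"updated {CLAMD_CONF}")
    # Neither change takes effect until the ClamAV process is restarted,
    # as the thread notes; do that through your normal service controls.
    print("restart the ClamAV process to reload the ignore list and config")
```

Run it once with administrative rights on the mail server; a second run is a no-op because both edits check for an existing entry before changing anything. Keep the ignore list short and dated: an `.ign2` entry silently suppresses that signature for every message, so revisit it when the underlying false positive is corrected upstream.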
