There is a scam going around using a compromised or vulnerable
citi.com (info*.citi.com) server that ClamAV is picking up with bogus credit card emails.
There is also an exclusion setting that will stop it from catching the Microsoft "encrypted" messaging emails.
If you create (or edit) C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2 and add
Email.Phishing.RPMSG_Downloader-10004958-0
on its own line and restart the ClamAV process, it will reload with the ignored entry and stop flagging those messages from Microsoft.
We also told ClamAV to stop scanning messages without attachments -- this stopped the "false positives" from the legit credit card emails while still blocking those compromised emails coming through an info*.citi.com server.
We also added an EHLO block to pick up that compromised server and block it at the connection level.
MailEnable survivor / convert --
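
The ignore-list edit described in the post above, as an added PowerShell example that is not part of the original post or of SmarterMail's own tooling. It uses the path and signature name given in the post, adds the entry only if it is missing, and writes the file as plain ASCII so that Windows PowerShell redirection does not leave it in UTF-16. The `.bak` backup name is an assumption.

```powershell
# Added example: idempotently add one signature name to the ClamAV ignore file.
# Path and signature name are taken from the post; run from an elevated prompt.
$ignFile = 'C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2'
$sigName = 'Email.Phishing.RPMSG_Downloader-10004958-0'

# Load existing entries (if the file exists), trimmed, without blank lines.
$entries = @()
$exists  = Test-Path -LiteralPath $ignFile
if ($exists) {
    $entries = @(Get-Content -LiteralPath $ignFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' })
}

if ($entries -ccontains $sigName) {
    # Exact, case-sensitive match: nothing to change.
    Write-Output "Already ignored: $sigName"
} else {
    if ($exists) {
        # Keep a copy so the exclusion can be reverted (backup name is an assumption).
        Copy-Item -LiteralPath $ignFile -Destination "$ignFile.bak" -Force
    }
    $entries += $sigName
    # One signature name per line, ASCII, no byte-order mark.
    [System.IO.File]::WriteAllLines($ignFile, [string[]]$entries,
        [System.Text.Encoding]::ASCII)
    Write-Output "Added: $sigName"
}

# Print the resulting list so every ignored signature is reviewed, not just the new one.
Get-Content -LiteralPath $ignFile

# The ClamAV process still has to be restarted, as the post says, before the
# ignore list takes effect; no restart command is shown because the post does
# not name the service or process.
```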