There is a scam going around using a compromised or vulnerable citi.com
(info*.citi.com) server that ClamAV is picking up with bogus credit card emails.
There is also an exclusion setting that will stop it from catching the Microsoft "encrypted" messaging emails.
If you create (or edit) C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2 and add
on it's own line and restart the ClamAV process it will reload with the ignored entry and stop flagging those messages from Microsoft.
We also told ClamAV to stop scanning messages without attachments -- this stopped the "false positivies" from the legit credit card emails while still blocking those compromised emails coming through an info*.citi.com server.
We also added an EHLO block to pick up that compromised server and block it at the connection level.
MailEnable survivor / convert --