I have been getting virus notices too from email received on weekly scans also.
This has been happening for a while now. As far as I can remember, before SME 8 on my systems.
We have a low volume of emails by most people and this has not been a problem but on 1 system.
I have now turned on the virus scans to do it once a day to monitor the activity and learn.
We do not have viruses quarantined or deleted on the normal full scan you can set in the server manager panel.
I have seen files that do not contain viruses flagged as viruses (false positives) on the SME server.
Some programs that I even wrote showed up as viruses, because of the way they were accessing the hard drive.
Most were MSDOS 16-bit programs that I wrote and had some low level assembly for fast execution.
But I am now seeing more and more received emails flagged as being viruses with the dedicated virus scans and getting through the email server software.
So, in an effort to do something, I am now watching the emails closely.
I have the server set up to store (save) all email coming and going to the server into the maillog account.
In the server manager panel, I have all received email that has been tagged as spam to have the word "[SPAM]" placed in the subject line with the default settings inside the server manager panel.
Most viruses, but not all, I have seen have the [SPAM] in the subject line.
I do have a program written in Windows that will attach to the server using POP3 and delete all email in an account with the word [SPAM] in the subject line.
Deleted emails are logged into files for viewing. Because all emails are also sent to the maillog email account, that is my backup in the case I delete an email message that was not actually spam.
But that does not remove the fact that there are emails that seem to get through and could possibly be read on a system that can get infected.
We do things differently here, we have computers just for reading email and browsing the internet and those are not on our local LAN with workstations.
But we use other software, that is close to virus proof, to view the text and headers of received emails on the workstations. Any email can be safely deleted there and then, without any harm from some other email reader software that can be dangerous with an infected email.
Here is the header of an email that was NOT marked as a virus when it was received but a dedicated scan detected it.
Email addresses and server names have been edited for security measures.
The email was received to the email account servicedesk@myserver.com
We have all emails received to servicedesk@myserver.com forwarded to johndoe@myserver.com (sorry for this extra confusion but I wanted to give an actual email header)
Return-Path: <silk2013@rfast.com>
Delivered-To: johndoe@server2.myserver.com
Received: (qmail 4603 invoked by alias); 20 Feb 2013 14:36:00 -0000
Delivered-To: alias-localdelivery-johndoe@myserver.com
Received: (qmail 4600 invoked by uid 5014); 20 Feb 2013 14:36:00 -0000
Delivered-To: servicedesk@server2.myserver.com
Received: (qmail 4594 invoked by alias); 20 Feb 2013 14:36:00 -0000
Delivered-To: alias-localdelivery-servicedesk@myserver.com
Received: (qmail 4589 invoked by uid 453); 20 Feb 2013 14:35:59 -0000
X-Spam-Level: *
X-Spam-Status: No, hits=0.0 required=5.0
    tests=FSL_HELO_NON_FQDN_1,HTML_MESSAGE
X-Spam-Check-By: myserver.com
Received: from Unknown (HELO [125.143.21.236]) (125.143.21.236)
    by myserver.com (qpsmtpd/0.84) with ESMTP; Wed, 20 Feb 2013 08:35:53 -0600
Received: from (192.168.1.186) by rfast.com (125.143.21.236) with Microsoft SMTP Server id 8.0.685.24; Wed, 20 Feb 2013 23:35:50 +0900
Message-ID: <5124DAA4.408090@rfast.com>
Date: Wed, 20 Feb 2013 23:35:50 +0900
From: "cashproonline_notification@gcibemail.bankofamerica.com" <cashproonline_notification@gcibemail.bankofamerica.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20100921 Thunderbird/3.1.4
MIME-Version: 1.0
To: <servicedesk@myserver.com>
Subject: Your CashPro Online Digital Certificate
Content-Type: multipart/alternative;
    boundary="------------07020700104050901050607"
X-Virus-Checked: Checked by ClamAV on myserver.com
I have no idea whether this particular received email had an actual virus or not. I do not plan on testing it to completeness.
But it does show up with the daily or weekly clam scan.
Also, with the below
clamscan --infected -r /home/e-smith/files/users/
results from above command:
/home/e-smith/files/users/johndoe/Maildir/cur/1361370960.4605.server2:2,: Win.Trojan.Agent-200678 FOUND
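A triage helper for the situation described in the post above, added here as an example and not part of the original post or of SME Server: it parses `clamscan --infected` output, reads the delivery time from the Maildir filename, and notes header traits visible in the quoted message. The function names and the trimmed sample input are constructed for illustration.

```python
import os
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed sample input: the clamscan line and a trimmed copy of the headers from the post.
SCAN_OUTPUT = "/home/e-smith/files/users/johndoe/Maildir/cur/1361370960.4605.server2:2,: Win.Trojan.Agent-200678 FOUND\n"
HEADERS = '''Return-Path: <silk2013@rfast.com>
Received: from Unknown (HELO [125.143.21.236]) (125.143.21.236)
\tby myserver.com (qpsmtpd/0.84) with ESMTP; Wed, 20 Feb 2013 08:35:53 -0600
From: "cashproonline_notification@gcibemail.bankofamerica.com" <cashproonline_notification@gcibemail.bankofamerica.com>
Subject: Your CashPro Online Digital Certificate
X-Virus-Checked: Checked by ClamAV on myserver.com

'''
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
HELO_IP_RE = re.compile(r"\(HELO \[?\d{1,3}(?:\.\d{1,3}){3}\]?\)")

def parse_clamscan(output):
    """Return (path, signature) pairs; Maildir names contain ':' so match greedily."""
    matches = (FOUND_RE.match(line.strip()) for line in output.splitlines())
    return [(m["path"], m["sig"]) for m in matches if m]

def delivered_at(path):
    """Maildir filenames begin with the delivery time in Unix epoch seconds."""
    epoch = int(os.path.basename(path).split(".", 1)[0])
    return datetime.fromtimestamp(epoch, tz=timezone.utc)

def domain(value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """List header traits worth a second look; hints only, not a verdict."""
    msg = message_from_string(raw_message)
    env, frm = domain(msg["Return-Path"]), domain(msg["From"])
    notes = []
    if env and frm and frm != env and not frm.endswith("." + env):
        notes.append("From domain differs from envelope sender domain")
    if HELO_IP_RE.search(" ".join(msg.get_all("Received", []))):
        notes.append("HELO was a bare IP literal")
    if msg["X-Virus-Checked"]:
        notes.append("message carries X-Virus-Checked from the delivery-time scan")
    return notes

if __name__ == "__main__":
    for path, sig in parse_clamscan(SCAN_OUTPUT):  # in real use, read the file at `path`
        print(sig, delivered_at(path).isoformat(), triage(HEADERS))
```

A mismatch between the envelope sender and the From domain also occurs with legitimate mailing lists and forwarders, so treat these notes as reasons to inspect a message, not as a detection on their own.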