Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: pizzaco on August 10, 2016, 10:37:57 PM

Title: What does disable quarantine do for the weekly/nightly AV scan?
Post by: pizzaco on August 10, 2016, 10:37:57 PM
Last night's nightly scan quarantined 900+ messages on our server. Evidently, the Win.Exploit.CVE_2016_3316-1 signature is/was creating a lot of false positives. I haven't seen any indication on the Internet that the signature has been changed today.

As such, I'm a little scared to let it scan again tonight, but I'd like to run the scan and have it just log any hits it finds.

Under Configuration -> Antivirus (ClamAV), there is an Enabled/Disabled setting for "Quarantine infected files". Does "Disabled" mean that it will delete files, or does it mean it will just log?

Title: Re: What does disable quarantine do for the weekly/nightly AV scan?
Post by: janet on August 11, 2016, 01:47:26 AM
pizzaco

Quote
Under Configuration -> Antivirus (ClamAV), there is an Enabled/Disabled setting for "Quarantine infected files". Does "Disabled" mean that it will delete files, or does it mean it will just log?

Quarantine enabled will move the infected files, which can cause other issues with false positives, i.e. having to move files back one by one, etc.
Disabling the quarantine function will not move (or delete) the files, but will still report that (supposedly) infected files were found.
You can manually review, rescan, move or delete them.

My personal preference is to have quarantine disabled, as it is too much bother when false positives occur.
Always, of course, have secondary antivirus measures on workstations.

Title: Re: What does disable quarantine do for the weekly/nightly AV scan?
Post by: pizzaco on August 11, 2016, 11:07:48 PM
Good idea. It was quite a hassle restoring everything yesterday.
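
Added example, not part of the thread and not SME Server's own code: with quarantine disabled the scan only reports hits, so the report can be grouped by signature to see whether one signature, such as the Win.Exploit.CVE_2016_3316-1 hits described above, accounts for most of them before anything is moved or deleted. It assumes clamscan's standard `<path>: <signature> FOUND` report lines; the function names, sample paths and log contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a report-only scan log; paths are made up.
sample_log() {
cat <<'EOF'
/home/e-smith/files/users/alice/Maildir/cur/1470800001.msg: Win.Exploit.CVE_2016_3316-1 FOUND
/home/e-smith/files/users/alice/Maildir/cur/1470800002.msg: OK
/home/e-smith/files/users/bob/Maildir/cur/1470800003.msg: Win.Exploit.CVE_2016_3316-1 FOUND
/home/e-smith/files/ibays/shared/files/Re: invoice.eml: Win.Exploit.CVE_2016_3316-1 FOUND
/home/e-smith/files/users/carol/Maildir/new/1470800005.msg: Win.Exploit.CVE_2016_3316-1 FOUND
/home/e-smith/files/ibays/shared/files/eicar.com: Eicar-Test-Signature FOUND
Infected files: 5
EOF
}

# Print "<count> <signature>" for each signature, most frequent first.
# The signature is the last ": <name> FOUND" on the line, so a ": " inside
# a file name does not confuse the split. "OK" and summary lines are ignored.
hits_by_signature() {
    awk 'match($0, /: [^ ]+ FOUND$/) {
             n[substr($0, RSTART + 2, RLENGTH - 8)]++
         }
         END { for (s in n) print n[s], s }' "$@" | sort -k1,1nr -k2,2
}

# Print the paths flagged by one signature, for manual review or rescan.
paths_for_signature() {
    sig=$1; shift
    awk -v sig="$sig" 'match($0, /: [^ ]+ FOUND$/) &&
         substr($0, RSTART + 2, RLENGTH - 8) == sig {
             print substr($0, 1, RSTART - 1)
         }' "$@"
}

sample_log | hits_by_signature
sample_log | paths_for_signature Eicar-Test-Signature
```

Both functions read a log file given as an argument, or standard input when none is given.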