Koozali.org: home of the SME Server

What does disable quarantine do for the weekly/nightly AV scan?

pizzaco
Last night's nightly scan quarantined 900+ messages on our server. Evidently, the Win.Exploit.CVE_2016_3316-1 signature is/was creating a lot of false-positives. I haven't seen any indication on the Internet that the signature has been changed today.

As such, I'm a little scared to let it scan again tonight, but I'd like to run the scan and have it just log any hits it finds.

Under Configuration -> Antivirus (ClamAV), there is an Enabled/Disable setting for "Quarantine infected files". Does "Disabled" mean that it will delete files, or does it mean it will just log?


janet
Re: What does disable quarantine do for the weekly/nightly AV scan?
« Reply #1 on: August 11, 2016, 01:47:26 AM »
pizzaco

Quote
Under Configuration -> Antivirus (ClamAV), there is an Enabled/Disable setting for "Quarantine infected files". Does "Disabled" mean that it will delete files, or does it mean it will just log?

Quarantine enabled will move the infected files, which can cause other issues with false positives, i.e. having to move files back one by one, etc.
Disabling the quarantine function will not move (or delete) the files, but will still report that (supposedly) infected files were found.
You can manually review, rescan, move or delete them.

My personal preference is to have quarantine disabled, as it is too much bother when false positives occur.
Always, of course, have secondary antivirus measures on workstations.
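One way to review a report-only scan, as an added example that is not part of the thread or the SME Server project: it groups the `FOUND` lines of a ClamAV scan log by signature so a flood of hits from a single signature stands out before anything is moved or deleted. The sample log, its paths, and the `share` and `min_hits` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the "<path>: <signature> FOUND" line format that
# clamscan writes to its log; paths and counts are invented for illustration.
SAMPLE_LOG = """\
/srv/mail/alice/Maildir/cur/1470871234.M1P2.host:2,S: Win.Exploit.CVE_2016_3316-1 FOUND
/srv/mail/alice/Maildir/cur/1470871300.M4P9.host:2,RS: Win.Exploit.CVE_2016_3316-1 FOUND
/srv/mail/bob/Maildir/new/1470872000.M7P3.host: OK
/srv/mail/bob/Maildir/cur/1470872111.M8P1.host:2,S: Win.Exploit.CVE_2016_3316-1 FOUND
/srv/files/shared/eicar.com: Eicar-Test-Signature FOUND
/srv/files/shared/locked.db: Access denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 4
"""

# Anchor on the trailing " FOUND" and split at the last ": " before the
# signature, so Maildir names containing ":2,S" stay part of the path.
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def hits_by_signature(log_text):
    """Return {signature: [paths]} for every FOUND line in a scan log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def suspect_signatures(hits, share=0.5, min_hits=3):
    """Signatures producing at least `share` of all hits (assumed thresholds):
    a sudden flood from one signature is worth checking as a false positive."""
    total = sum(len(paths) for paths in hits.values())
    return sorted(sig for sig, paths in hits.items()
                  if len(paths) >= min_hits and len(paths) / total >= share)


if __name__ == "__main__":
    found = hits_by_signature(SAMPLE_LOG)
    for sig, paths in sorted(found.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(paths):5d}  {sig}")
    print("review first:", suspect_signatures(found))
```
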

pizzaco
Re: What does disable quarantine do for the weekly/nightly AV scan?
« Reply #2 on: August 11, 2016, 11:07:48 PM »
Good idea. It was quite a hassle restoring everything yesterday.