We just got our Kaspersky licensing here, and we're in the process of deployment. SurfControl, which receives our email before it hits the Exchange box and filters it, needs some special setup for its virus scanning side. Basically, it makes a call to the AV engine, which scans the file/message it's receiving inbound, and if the file has a virus then SurfControl expects a certain Return Code from the AV engine which informs it of the presence of a virus - and if that's the case then it dumps that email message into a viral storage folder and keeps it from ever even hitting the Exchange box.
We've got it set so it calls `kavshell.exe SCAN %D`, where %D is the file it's wanting to get scanned. And then in the return code portion it's expecting to get a value >= 1 back, indicating that a virus has been found. This is where things have gotten interesting - it's knocking down all the viral email we've sent to ourselves from the outside, including the EICAR test virus and also some real ones. BUT, it's also returning a *lot* of false positives. There's still a lot of valid, outside mail that IS getting through just fine though without getting shot down. So far I haven't been able to find any pattern whatsoever as far as why it would be shot down or wouldn't be shot down, but it's consistently found every virus, test or not, that we've sent through out of about 40. However, out of another 200 emails that we didn't send ourselves that it's knocked into the 'viral' holding folder, only about 8 of those actually show a virus when we do a scan on the folder. No idea why the other 192 are showing up in there.
Could well be a SurfControl issue, however the Kaspersky issue is that I need to know if anyone knows what return code Kaspersky issues out that I can plug into SurfControl in order to not get false positives like we are, indicating that ">=1" is not the correct solution, although it is correctly identifying viral files/emails. In that it's for sure *not* a SurfControl issue, because it depends on the AV vendor. Any ideas?
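
The following is an added example, not part of the original post: it runs the scan command from the post over each file in a folder and groups the files by the raw exit code, so the codes returned for known-infected samples can be compared with the codes returned for messages that scan clean. It assumes the scanner takes the file path as its final argument, as in `kavshell.exe SCAN %D`; the function names are illustrative, and no exit code values are assumed.

```python
import subprocess
import sys
from collections import defaultdict
from pathlib import Path

# Command taken from the post; the file path is appended as the last argument.
SCAN_CMD = ["kavshell.exe", "SCAN"]


def scan_exit_code(path, scan_cmd=SCAN_CMD, timeout=120):
    """Run the scanner on one file and return its raw exit code.

    Returns None if the scanner could not be started or timed out, so a
    broken invocation is never mistaken for a scan verdict.
    """
    try:
        proc = subprocess.run(
            [*scan_cmd, str(path)],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.returncode


def tally_exit_codes(folder, scan_cmd=SCAN_CMD):
    """Scan every file in `folder` and group file names by exit code."""
    by_code = defaultdict(list)
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            by_code[scan_exit_code(path, scan_cmd)].append(path.name)
    return dict(by_code)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: python tally_codes.py <holding-folder>")
    else:
        tally = tally_exit_codes(sys.argv[1])
        for code, names in sorted(tally.items(), key=lambda kv: str(kv[0])):
            print(f"exit code {code}: {len(names)} file(s)")
            for name in names[:5]:  # a few samples per code are enough
                print(f"    {name}")
```

Running it once over a folder of known-infected samples and once over the holding folder shows which codes appear only for real detections.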