MailService.dll being flagged as a virus
Problem reported by David Feuer - 1/10/2026 at 5:49 AM
Resolved
Installed the latest version 9504 and MailService.dll is being flagged as a virus
Keep getting the "I can't post links" error when creating this post, so I had to put a bunch of spaces in the link

https : // www. virustotal. com/ gui/file /7400a391ce661617e6b7b7f6d3e76aac41d79776038490b52e07ad546ced1f05

Others are seeing the same. See the CVE posts towards the bottom of that discussion
David Feuer Replied
Anybody want to spend the $349 for an emergency ticket to see if we get any response? 
Opened a regular one and have not heard anything back, but I do not even know if they check anything on the weekend.
Richard Laliberte Replied
David Feuer Replied
Possibly. But the issue IMO is that they release things Thursday evening (Arizona time).  
Most people are going to do the installs Friday night into Saturday because of that. So when things like this do happen there is nobody at ST even looking at / responding to tickets or reading this community over the weekend. 

Considering the fact that there was the upload vulnerability that they had that this fixed it would be nice for someone at ST to be monitoring the tickets / community to at least pop in with either "yeah it's a false positive" or "oops wipe the servers and start again" since a lot of us are probably very twitchy because of the file upload issue.
AND
This one is actually a bit worse than the installer since when the .dll gets detected and removed it stops the mail from working.

I like ST products, I like their support. Heck, I even opened a support ticket Christmas eve to wish them all Happy Holidays. So it's not like I am a disgruntled screaming customer. 

But, not having people monitoring things when releases happen is kind of meh. 

I know it's a slippery slope since once you have people monitoring things around release weekends it's easy to see people wanting staff around all weekends. That just becomes a setting expectations issue. Up to and including if it's not about the release that just happened it waits till Monday. 


Jade B Replied
Hopefully ST (Derek) sees this and can put us at ease.

@David Feuer agree with everything you have said and given that this has happened in the past ST should be more proactive about these types of things given that they know about them.

All it takes is tasking a person within the team to set aside a day a month to run through various scans to check to see if any of the installers or files are being detected.

Considering the consequences of files being removed by a false positive and the disruption that it may cause an organization this should be a priority for ST.

In addition, it would provide them with an early alert to something more malicious like supply chain attack.

Security needs to become a priority at ST in 2026 given how this year has started.
Joe Payne Replied
Updated this morning due to the security bulletin and got a similar AV notification.  My AV called it an 'active threat' and claimed to quarantine it.  Yet my SM install still sends/receives email without issue.  Which now makes me question the effectiveness of my AV....
Derek Curtis Replied
Employee Post
Yeah, this is a false positive. AV systems can, in my experience, default to the "most secure" scanning and reporting options. In and of itself, it's both understandable and effective. But, in all cases, whenever our installers or DLLs have been flagged, it's due to something that's not really an issue. 

I'll make sure the devs are aware, and we'll dig into it a bit more, and contact whoever we need to contact to get this cleared up. Going to mark this as "Not a problem" as it's not a problem, per se, but an annoyance we'll need to get resolved. 
Derek Curtis CCO SmarterTools Inc. www.smartertools.com
Derek Curtis Replied
Employee Post
As an aside, we DO know that SentinelOne flags things, which is definitely a false positive, and we're working with them on it. But what on-server AV are you guys using that's flagging the DLL?
Derek Curtis CCO SmarterTools Inc. www.smartertools.com
Jade B Replied
Hi Derek

Not at a pc now so can’t check but you can upload that DLL to virus total
David Feuer Replied
@Derek Curtis
Both Microsoft and Bitdefender on one server

Emsisoft on another and Vipre on another

Since I am doing mail server management for a lot of people I get to deal with whatever their MSP / IT people want to run on their servers (lucky me)

But as was said in the above post you can upload it to VirusTotal and it still shows ~ 10 different products including the ones I listed saying it's a virus.

Edit to add: I would *not* label it not a problem, since it kind of is. If the file gets quarantined the mail server stops working. 
Neil Harvey Replied
Hi Derek,

Bitdefender endpoint is the AV engine.

Richard Laliberte Replied
I have to agree with David, even if it's a false positive, it should not be labeled as "not a problem". If some of the largest AV providers in the world flag an SM DLL as a virus, then that DLL is doing something or is configured in a way that is causing all these AVs to flag it. 

If SM is working with some AV providers to determine the cause, then those providers should be able to say right away "this is why it's being flagged as false positive" and either SM should be able to modify the file / process slightly to avoid that false positive (preferred option I'm guessing from the community) or at least post a breakdown from the AV provider which explains why it's being flagged and why it's false positive. 

Just saying "o it's a false positive, move along" isn't an ideal answer, and some AVs will delete / quarantine the file and kill the service, which is a big problem. And just saying exempt the folder / file isn't a viable option for higher security clients, as it opens a potential exposure point (even if extremely unlikely)


SmP Replied
Microsoft Defender is marking the exe as a virus and seems to be doing so since December.
Jade B Replied
The list of antivirus vendors marking mailservice.dll as a threat is increasing, as per the CVE thread in which this was originally posted this dll was flagged by 8 vendors and is now up to 10.

Original virustotal report vs now

Jade B Replied
I've just had a hit on the following folder within C:\Program Files (x86)\SmarterTools\SmarterMail\Service\SNF

What is the purpose of having this on a smartermail installation?




Reto Replied
The SNF is for the Message Sniffer Antispam. I have the cmd batch file, but the two exe files I don't have on my install. 
Derek Curtis Replied
Employee Post Marked As Resolution
Regarding the DLL getting flagged, we figured it out, and the reason is kind of crazy: it was a code comment!

First off, the DLL itself getting flagged is a new one for us. We've had our installer get flagged, and the reason is always due to some change in how our installations are built using our Build tool. Nothing nefarious, just a change that various antivirus vendors don’t understand.

For this instance, we started digging through the code because nothing had really changed between builds that we could figure would raise any concern. Then, we checked the modifications we made to the documentation of our APIs, and go figure, it was a comment in text that was causing it to be flagged.

So, one code comment flagged the DLL. Kind of amazing. Just one more example of the difficulties we, and other software companies, face when delivering products. Virus scanners intermittently think there's a Trojan or virus in the product, but when it comes down to it, it's just a line of text.

We have modified the text to be slightly different, but we get the same message across to those using our APIs and documentation. We'll have a new Build this week with that change, and maybe a few other minor fixes.

Hope this helps alleviate any concerns and further supports our comments from time to time when our installers and/or builds get flagged. It’s becoming more and more common for us to need to work with various antivirus vendors and help them adjust their signatures and/or modify something on our end to work around it, like we did in this case.

EDIT: here's what VirusTotal now shows on a scan of the DLL

Derek Curtis CCO SmarterTools Inc. www.smartertools.com
Jade B Replied
Thanks for the feedback Derek, do appreciate it along with the transparency.

I'm sure you can appreciate that we all were feeling a little sensitive given the circumstances and your response is welcomed.

I understand that developing software in today's day and age is challenging given all the hoops that you have to jump through but it's part and parcel of running a business that operates online or sells to customers that operate online.

Will keep a look out for the next update.
Joe Payne Replied
Appreciate the detailed response Derek.

I am curious how that is possible since code comments are removed by the compiler when the source code is compiled.  And obfuscation would strip out even xml commenting (unless explicitly told not to do so).   Class attributes with hard-coded strings (known as metadata) might still be an issue though, the compiler must keep those.

At least that's how it works in my Visual Studio world.  Perhaps SM devs use something different.
Tim Uzzanti Replied
Employee Post
His reference to “comments” is slightly inaccurate. The text in question actually defines the API calls. When you visit our API page, you can see the available methods and how to use them. It was this text—specifically the documentation for a particular API call and its usage—that triggered the report.
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
Joe Payne Replied
Hi Tim, thanks for the quick response.  That does make more sense.  Sorry for the technicality - being a developer tends to make me notice little details.  Sometimes to a fault ;)
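
The point made in the last few posts, that descriptive text attached to API methods is kept in the compiled DLL even though source comments are not, can be checked when triaging a detection by diffing the embedded strings of the previous build against the flagged one. This is an added example, not SmarterTools code; `fake_assembly`, the byte blobs and every sample string are constructed for illustration.

```python
import re

MIN_LEN = 6  # shorter runs are mostly noise

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> set:
    """Collect printable strings that survive compilation inside a binary."""
    found = set()
    # Single-byte runs: .NET attribute arguments are stored as UTF-8 text.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.add(m.group().decode("ascii"))
    # UTF-16LE runs: C# string literals are stored this way.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.add(m.group().decode("utf-16-le"))
    return found

def new_strings(previous_build: bytes, flagged_build: bytes) -> list:
    """Strings present in the flagged build but not in the previous one."""
    return sorted(extract_strings(flagged_build) - extract_strings(previous_build))

def fake_assembly(attribute_texts, literals) -> bytes:
    """Constructed stand-in for a DLL: filler bytes around embedded text."""
    out = b"MZ\x90\x00\x03\x04"
    for text in attribute_texts:
        out += text.encode("utf-8") + b"\x01\x02"
    for text in literals:
        out += text.encode("utf-16-le") + b"\x01\x02"
    return out

# Constructed sample data, not taken from any real build.
BUILD_A = fake_assembly(["Returns the list of domains."], ["Service started"])
BUILD_B = fake_assembly(
    ["Returns the list of domains.", "Usage: constructed API description text"],
    ["Service started", "constructed literal added in build B"],
)

if __name__ == "__main__":
    # Print only the text that is new in the flagged build.
    for s in new_strings(BUILD_A, BUILD_B):
        print(s)
```

On real files, read both DLLs with `open(path, "rb").read()` and pass the bytes to `new_strings`; the short list of new text is what to review and include in a false-positive report to the AV vendor.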
