A question about virus scanning of client email files

Posted by Al Dykes on August 1, 2006, 9:42 am
What happens in this scenario:

1. I have a good AV program that is at latest updates. It filters
email, message by message as they come in from a pop server.

2. I get an email message with an attachment that has a virus that is
not yet recognized by the AV program. It passes.

3. The message is appended to my TB Inbox, which is a huge file
with *ALL* my mail, including attachments.

4. My AV vendor discovers the virus and adds it to the next update.

5. My AV product does its daily or weekly full system scan,
discovers the virus in the file that is my Inbox file.

If I ask the AV product to delete or quarantine the bug, can the AV
product parse the Inbox and just delete the infected attachment or
does it delete the file, and all my mail?


--
a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore. A Proud signature since 2001

Posted by Art on August 1, 2006, 11:34 am
On 1 Aug 2006 09:42:10 -0400, adykes@panix.com (Al Dykes) wrote:

>What happens in this scenario:
>
>1. I have a good AV program that is at latest updates. It filters
> email, message by message as they come in from a pop server.
>
>2. I get an email message with an attachment that has a virus that is
> not yet recognized by the AV program. It passes.
>
>3. The message is appended to my TB Inbox, which is a huge file
> with *ALL* my mail, including attachments.
>
>4. My AV vendor discovers the virus and adds it to the next update.
>
>5. My AV product does its daily or weekly full system scan,
> discovers the virus in the file that is my Inbox file.
>
>If I ask the AV product to delete or quarantine the bug, can the AV
>product parse the Inbox and just delete the infected attachment or
>does it delete the file, and all my mail?

Not likely. The safe way to handle email attackments is to dispense
with them one way or another immediately. All unsolicited attackments
should be deleted right off the bat. Others should be Saved to a
test folder to be scanned later before deleting from within the email
app. That way no attackments are ever allowed to be stored in
your email archives and forgotten.

Give the Saved attackment file a few days before updating your
av and scanning it. That allows time for your av vendor to
hopefully add sigs for new and previously "unknown" malware.
There's no need for that silly nonsense about scanning email.
That's just a dumb marketing feature, and it's dangerous
because it lulls naive users into believing they are getting
some kind of added protection. Your only real protection is
to use your head and practice "safe hex".

Art
http://home.epix.net/~artnpeg

Posted by Al Dykes on August 2, 2006, 8:27 am
>On 1 Aug 2006 09:42:10 -0400, adykes@panix.com (Al Dykes) wrote:
>
>>What happens in this scenario:
>>
>>1. I have a good AV program that is at latest updates. It filters
>> email, message by message as they come in from a pop server.
>>
>>2. I get an email message with an attachment that has a virus that is
>> not yet recognized by the AV program. It passes.
>>
>>3. The message is appended to my TB Inbox, which is a huge file
>> with *ALL* my mail, including attachments.
>>
>>4. My AV vendor discovers the virus and adds it to the next update.
>>
>>5. My AV product does its daily or weekly full system scan,
>> discovers the virus in the file that is my Inbox file.
>>
>>If I ask the AV product to delete or quarantine the bug, can the AV
>>product parse the Inbox and just delete the infected attachment or
>>does it delete the file, and all my mail?
>
>Not likely. The safe way to handle email attackments is to dispense
>with them one way or another immediately. All unsolicited attackments
>should be deleted right off the bat. Others should be Saved to a

Thank you.

Now, can someone answer my question :-)

--
a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore. A Proud signature since 2001

Posted by Art on August 2, 2006, 9:52 am
On 2 Aug 2006 08:27:35 -0400, adykes@panix.com (Al Dykes) wrote:

>>On 1 Aug 2006 09:42:10 -0400, adykes@panix.com (Al Dykes) wrote:
>>
>>>What happens in this scenario:
>>>
>>>1. I have a good AV program that is at latest updates. It filters
>>> email, message by message as they come in from a pop server.
>>>
>>>2. I get an email message with an attachment that has a virus that is
>>> not yet recognized by the AV program. It passes.
>>>
>>>3. The message is appended to my TB Inbox, which is a huge file
>>> with *ALL* my mail, including attachments.
>>>
>>>4. My AV vendor discovers the virus and adds it to the next update.
>>>
>>>5. My AV product does its daily or weekly full system scan,
>>> discovers the virus in the file that is my Inbox file.
>>>
>>>If I ask the AV product to delete or quarantine the bug, can the AV
>>>product parse the Inbox and just delete the infected attachment or
>>>does it delete the file, and all my mail?
>>
>>Not likely. The safe way to handle email attackments is to dispense
>>with them one way or another immediately. All unsolicited attackments
>>should be deleted right off the bat. Others should be Saved to a
>
>Thank you.
>
>Now, can someone answer my question :-)

I did! I said "not likely". You want that in more certain terms?
OK. Your goddam av won't be able to do anything with attackments
in your goddam TB inbox. Is that better?

Art
http://home.epix.net/~artnpeg

Posted by Beauregard T. Shagnasty on August 2, 2006, 10:16 am
Art wrote:

> On 2 Aug 2006 08:27:35 -0400, adykes@panix.com (Al Dykes) wrote:
>
>>> Not likely. The safe way to handle email attackments is to dispense
>>> with them one way or another immediately. All unsolicited
>>> attackments should be deleted right off the bat. Others should be
>>> Saved to a
>>
>> Thank you.
>>
>> Now, can someone answer my question :-)
>
> I did! I said "not likely". You want that in more certain terms? OK.
> Your goddam av won't be able to do anything with attackments in your
> goddam TB inbox. Is that better?

Heh, beat me to it, Art. "Not likely" is a good answer. If the a-v is
not smart enough to detach an attachment in a long text file, well, thar
ya go...

In Thunderbird, (set to view all messages) click on the column heading
paperclip icon to sort by those with attachments, and delete the suspect
emails. Or, View > Sort by... > Size and pick them out that way.

--
-bts
-Warning: I brake for lawn deer
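
The thread's question turns on the Inbox being a single file that holds every message. As an added illustration (not from any poster or any AV product), this Python sketch uses the standard `mailbox` module to find the message whose decoded attachment matches a known SHA-256 and to remove only that message. It assumes the Inbox is in mbox format and that the hash of the flagged attachment is already known; the sample mailbox, addresses and `FLAGGED` bytes are constructed.

```python
import hashlib
import mailbox
import tempfile
from email.message import EmailMessage

FLAGGED = b"CONSTRUCTED-FLAGGED-BYTES"  # constructed stand-in for the detected file

def find_attachment(mbox_path, sha256_hex):
    """Return (key, subject, filename) for attachments whose decoded bytes match."""
    hits = []
    box = mailbox.mbox(mbox_path)
    for key, msg in box.iteritems():
        for part in msg.walk():
            name = part.get_filename()  # None for body text and multipart containers
            data = part.get_payload(decode=True) or b""  # undo base64 before hashing
            if name and hashlib.sha256(data).hexdigest() == sha256_hex:
                hits.append((key, msg["Subject"], name))
    box.close()
    return hits

def remove_messages(mbox_path, keys):
    """Delete only the given messages; return how many messages remain."""
    box = mailbox.mbox(mbox_path)
    box.lock()
    try:
        for key in set(keys):
            box.remove(key)
        box.flush()  # rewrites the file without the removed messages
        return len(box)
    finally:
        box.unlock()
        box.close()

def build_sample_mbox(path):
    """Constructed sample Inbox: three messages, the second carries FLAGGED."""
    box = mailbox.mbox(path)
    for i, blob in enumerate([None, FLAGGED, b"harmless notes"]):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", f"msg {i}"
        m.set_content("body text")
        if blob is not None:
            m.add_attachment(blob, "application", "octet-stream", filename=f"file{i}.bin")
        box.add(m)
    box.close()

if __name__ == "__main__":
    path = tempfile.mkdtemp() + "/Inbox"
    build_sample_mbox(path)
    hits = find_attachment(path, hashlib.sha256(FLAGGED).hexdigest())
    print(hits, "->", remove_messages(path, [h[0] for h in hits]), "kept")
```

Run it against a copy of the Inbox file with the mail client closed, since the file is rewritten in place.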
