Re: Do not turn off email scanning
From: N. Miller (nsm_at_blackhole.aosake.net)
Date: 03/15/04
- Next message: Mangapathi: "E-mail Problem in Outlook Express"
- Previous message: Dr. Indera: "Message rule for inbox"
- In reply to: N. Miller: "Re: Do not turn off email scanning"
- Next in thread: SomewhatAnonymous: "Re: Do not turn off email scanning"
- Reply: SomewhatAnonymous: "Re: Do not turn off email scanning"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 15 Mar 2004 00:47:27 -0800
Assuming that, because MSOE 6 places the "Reply to Sender" and "Reply to
Group" buttons so close together that you hit the first by accident, instead
of the second, I am going to post your message. From the headers of your
email message:
References: <kv75c.10139$MV1.9301@newssvr27.news.prodigy.com>
<MPG.1abeacf469d37e26989dea@msnews.microsoft.com>
----- Original Message -----
In e-mail Message-ID: <009601c40a40$c8981010$2602a8c0@brutus>,
Please@NoSpamWanted.yuk says...
> In article <MPG.1abeacf469d37e26989dea@msnews.microsoft.com>,
> nsm@blackhole.aosake.net says...
> > And how, pray tell us, does one "accidentally" forward an infected
> > message?
> Receiving an infected message and reading it does not guarantee that an
> attachment will be detected by antivirus software, even though that
> antivirus software would normally detect the infection as soon as the
> attachment was opened.
No kidding. The virus scanner will alert when the attachment is manipulated,
not when the message is opened. With the exception of MSOE versions through
5.5 lacking a couple of critical patches, and an MSIE 6 upgrade which was
not patched in the correct manner, leaving the user with an unpatched
version of MSOE 5.x instead of MSOE 6, opening a message in MSOE should not
activate a virus in most cases. I think the Declude AV site has some
examples of vulnerabilities still haunting MSOE, though.
> The attachment is still encoded within the message,
> it is not yet a decoded and saved file. Typical encoding is done in base64.
> It is not decoded until the attachment is saved. So there is no decoded file
> for the antivirus software to automatically scan, it might as well be a
> password protected zip file for all the good file level antivirus scanning
> will do. Email scanning does the necessary decoding to detect an infection
> before it becomes an executable file saved on a HDD.
Except that NAV 2003 failed to do that on at least one of the Declude tests.
You can test your AVG against them here:
http://www.declude.com/tools/mailsend.html
I doubt if your AVG will fare better. I couldn't get results on five of the
first sixteen because my ISP has mail scanning in place, and cleaned them
up. NAV 2003 only cleaned four of the remaining eleven. I doubt if AVG will
be better.
And how does the NAV 2003, or even the AVG, for that matter, scanning engine
do what you claim without writing to disk? The retail (consumer) versions of
these AV programs use the same engine for mail scanning as they do for on
access and on demand scanning. I've had to wait for NAV 2003 to finish
scanning so I could regain the focus of another window I was working in
during a mail scan; watching the disk churn during the mail scan. That is
the reason that the AV mail scanning causes problems for mail clients.
Acting as a proxy, and taking enough time to cause a client, like MSOE, to
think that the server is unresponsive.
> Human frailty is how an attachment can be accidentally forwarded. Someone
> doesn't notice, or just forgets while reading something especially
> interesting in the infected message, and decides on impulse to forward the
> email to a friend. Oops.
I have never seen anything of interest that I would want to forward in a
viral email. Usually just a poorly written attempt at social engineering,
designed to lull some gullible user into running the attached file.
> > The steps necessary to forward a message are many, and must be
> > deliberately taken.
> That comment is non sequitur. The mechanics of how to forward an email has
> nothing to do about the decision to do so and any unintended human oversight
> the action may cause.
The decision to forward an e-mail is not either "accidental", or even
"unintentional". It requires deliberate forethought, and a conscious act of
will to take the steps necessary to forward an email. Anybody so willful as
to forward a message is not going to be protected against himself for
reasons I have already cited.
> > Turning off the virus scanner won't lower your protection in the
> > least.
> I'm tired of hearing that assertion because that comment is also non
> sequitur and out of context. I'm saying that turning off email scanning can
> be the cause of not knowing that an infected message is being forwarded to
> someone else. Absolutely no scanning was done and so no notice was possible
> before the email was sent.
It is not either a 'non sequitur', nor out of context. One should always
handle attachments with care. Anybody who blindly clicks on messages with
attachments without careful handling, relying on his AV scanner to bail him
out, is going to get infected. Sooner, or later. Just a week ago I received
an unsolicited email with an attachment. My scanner did not alert on a
threat when I saved the attachment to disk; even though the definitions were
less than 48 hours old. I went to the AV vendor site and found a newer
definition file; downloaded it and tried again. With a definition file less
than 12 hours old that file still scanned clean. So I should trust my AV and
go ahead and forward that file to somebody?
Not on your life. Even with the latest definitions, I thought something was
fishy, so I learned the procedures to submit suspicious files to my AV
vendor. I didn't need an AV scanner to be careful of the attachment; and my
AV vendor responded in under 10 minutes that the file I submitted was a
Trojan dropper. Relying on your scanner is false security, if you don't
think about what you are doing. If you do think about it, you won't be
forwarding dicey email messages.
> > OTOH, trusting your virus scanner because its definitions are only hours
> > old, and it failed to find a threat in that unsolicited attachment you
> > just received, is stupid.
> It's better than nothing. Intentionally not implementing all possible
> protection is very stupid.
Intentionally forwarding email without checking what it is isn't stupid?
> > I refuse to trust my virus scanner for negative results
> > on an attachment scan. It saved my bacon early last week; less than twelve
> > hours after Norton released the March 9, 2004 definitions, NAV failed to
> > find a threat in an attachment I received. I might as well not have had an
> > AV program at all, as one that wouldn't bark.
> Might as well not have an operating system if it hasn't been updated to
> protect against all existing (and let's not forget potential) compromisers
> then, by that argument.
You called a couple of my statements "non sequiturs", but that non sequitur
takes the cake. You might as well not have a computer if you don't have an
operating system! Without an operating system all you have is a very
expensive doorstop.
> It takes time, even if only hours, for defenses to
> be put into place for something unexpected. Then it has to be implemented
> instead of ignored.
I did the best I could do with what was available.
> Nothing is perfect or instantaneous.
Exactly! But people who come to rely on their AV will, sooner or later, be
infected.
> That's no reason to
> not use either an antivirus system, or an operating system. Mitigate
> potential damages the best that you can.
An on access virus scanner will work as well as a mail scanning system, if
the operator doesn't blindly try to manipulate attachments. Had I a mail
scanning AV when I got that Trojan dropper, I'd not have had any warning
that the file was infected.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
> > Lovely advertisement; should I trust it?
> No. Implement your own security and implement it as tightly as possible.
> It's a never ending job.
I must have forgotten the sarcasm tags. :p
> But at least thereby that advertisement know that
> I'm trying my best to be a responsible netcitizen by doing what I can to
> assure that my emails are not infected when they leave my computers. That's
> the intent, anyway.
It is an advertisement; it means nothing more because anybody can add such a
signature. Indeed, for "social engineering" purposes, such a signature would
have great value in convincing the gullible to do something rash.
Everybody with any sense just sees lack of imagination.
> > See my comments above, and keep the
> > old aviator's remarks in mind; "In God we trust, everything else we
> > check".
> That's exactly what I do. I say check your emails with email scanning unless
> some system malfunction prevents doing so. And require that malfunctions be
> fixed.
None of my email clients have scanning enabled. NAV 2003 has scanning turned
off. I don't like the interruption it causes when I am working. But I am not
one to blindly run attachments from strangers, either. And I don't use a
vulnerable client; for either e-mail (I prefer Pegasus), or news (mostly use
Gravity). I have never been infected with a virus. I will never be infected
with a virus.
> > Why waste the space on an advertisement you aren't paid to offer when you
> > could come up with a real, or cute signature?
> Are you trying to derail this topic with multiple non sequitur and somewhat
> personal comments? I'll answer regardless.
Hardly; I am only commenting on the signature. I don't normally do that for
AVG sigs, or I'd never get anything else written. ;)
I am only trying to emphasize that reliance on the AV may lead to lax
practices otherwise.
> I already explained that, above. It's just my social statement of
> responsibility being acknowledged. And it doesn't bother my OE at all. So if
> it started to bother it, and I had not just upgraded it, then it follows
> that the malfunction probably would not be its fault. No existing reason not
> to use it, but lots of reason to use it.
Funny thing. I used AVG for a while, until I hit a snag; some kind of
conflict with one of my older programs and AVG. I changed vendors.
> I could also have a sig, if I wanted one. For this forum, I usually do not.
> That's also my choice of a social statement. Isn't it self evident?
Hardly; I see a commercial plug of a product.
> > Norman
> > ~Win dain a lotica, En vai tu ri, Si lo ta
> > ~Fin dein a loluca, En dragu a sei lain
> > ~Vi fa-ru les shutai am, En riga-lint
> If you want me to understand that then please translate it to the language
> that this topic was started in. IMHO, it's the courteous thing to do.
The signature itself is just fluff. It isn't even a real language; being
made up for a show. Sometimes useful for a little levity.
"In the darkness the dragon wakes.
The dragon awakens
to a heart that is numbed with cold
the dragon takes..."
More, or less...
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
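
Added example, not part of the original post: the quoted point that an attachment stays base64-encoded inside the message until it is saved, shown with Python's standard email package. The message, addresses, file name and the MARKER pattern are constructed for illustration; MARKER is a harmless stand-in for a scanner signature, not a real one.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for an AV byte signature (assumption).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample() -> bytes:
    """Constructed message carrying one binary attachment (base64 on the wire)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    payload = b"\x00\x01 header " + MARKER + b" trailer\xff"
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


def raw_scan(raw: bytes) -> bool:
    """Pattern match over the undecoded message, as stored in a mail file."""
    return MARKER in raw


def decoded_scan(raw: bytes) -> list[str]:
    """Undo each attachment's transfer encoding, then match the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if MARKER in data:
            hits.append(part.get_filename() or "(unnamed)")
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("pattern visible in raw message:", raw_scan(sample))
    print("attachments matching after decode:", decoded_scan(sample))
```

The same decode step happens when the user saves the attachment, which is the point at which an on-access scanner first sees the decoded bytes.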