Re: Do not turn off email scanning

From: SomewhatAnonymous (Please_at_NoSpamWanted.yuk)
Date: 03/15/04


Date: Mon, 15 Mar 2004 16:44:16 GMT


"N. Miller" <nsm@blackhole.aosake.net> wrote in message
news:MPG.1abf0d7da37498bc989df0@msnews.microsoft.com...
> Assuming that, because MSOE 6 places the "Reply to Sender" and "Reply to
> Group" buttons so close together that you hit the first by accident, instead
> of the second, I am going to post your message. From the headers of your
> email message:

<sigh> You are correct, and I've moved the button location. In the heat of
typing, didn't notice the address right in front of my eyes. Did that
several times, all but yours bounced back as undeliverable and I then
reposted.

> ----- Original Message -----
> In e-mail Message-ID: <009601c40a40$c8981010$2602a8c0@brutus>,
> Please@NoSpamWanted.yuk says...
>
> > In article <MPG.1abeacf469d37e26989dea@msnews.microsoft.com>,
> > nsm@blackhole.aosake.net says...
>
> > > And how, pray tell us, does one "accidentally" forward an infected
> > > message?
>
> > Receiving an infected message and reading it does not guarantee that an
> > attachment will be detected by antivirus software, even though that
> > antivirus software would normally detect the infection as soon as the
> > attachment was opened.
>
> No kidding. The virus scanner will alert when the attachment is manipulated,
> not when the message is opened. With the exception of MSOE versions through
> 5.5 lacking a couple of critical patches, and an MSIE 6 upgrade which was
> not patched in the correct manner, leaving the user with an unpatched
> version of MSOE 5.x instead of MSOE 6, opening a message in MSOE should not
> activate a virus in most cases. I think the Declude AV site has some
> examples of vulnerabilities still haunting MSOE, though.
>
> > The attachment is still encoded within the message,
> > it is not yet a decoded and saved file. Typical encoding is done in base64.
> > It is not decoded until the attachment is saved. So there is no decoded file
> > for the antivirus software to automatically scan, it might as well be a
> > password protected zip file for all the good file level antivirus scanning
> > will do. Email scanning does the necessary decoding to detect an infection
> > before it becomes an executable file saved on a HDD.
>
> Except that NAV 2003 failed to do that on at least one of the Declude tests.
> You can test your AVG against them here:
>
> http://www.declude.com/tools/mailsend.html
>
> I doubt if your AVG will fare better. I couldn't get results on five of the
> first sixteen because my ISP has mail scanning in place, and cleaned them
> up. NAV 2003 only cleaned four of the remaining eleven. I doubt if AVG will
> be better.

It might not, and then it might. Missed or not, letting me (or one of my
customers) know when it does catch something is better than not knowing. In
2 cases at this shop we've upgraded a Symantec antivirus right in front of
the customer and ran it, it found nothing. Then (because subscription was
almost due and customer wanted a free utility) uninstalled it (a royal pain)
and installed AVG, updated it, ran it - and it found virus. In another case,
it could have been the other way around. I suspect the virus was just rather
new and not then yet addressed by the utility that didn't detect the virus.
I'll never really know. But that's not the issue of this topic that I'm
harping on. My point is simple: email scanning does have a purpose and it
should be used. A defective product, defective OS, personal preferences, and
so on ... those are not the issue and they do not invalidate what I'm
claiming. Bringing those things up in argument is indeed non sequitur to my
central purpose of this topic.

> And how does the NAV 2003, or even the AVG, for that matter, scanning engine
> do what you claim without writing to disk? The retail (consumer) versions of
> these AV programs use the same engine for mail scanning as they do for on
> access and on demand scanning. I've had to wait for NAV 2003 to finish
> scanning so I could regain the focus of another window I was working in
> during a mail scan; watching the disk churn during the mail scan. That is
> the reason that the AV mail scanning causes problems for mail clients.
> Acting as a proxy, and taking enough time to cause a client, like MSOE, to
> think that the server is unresponsive.

The email scan process of course writes to disk. I've no idea of the
internal processes, and that's not germane to the topic. Neither is the time
required a germane response; my answer can only be that the software chosen
is making demands upon hardware that can not execute fast enough -- get a
faster computer, change antivirus vendor, whatever. Don't ask a bicycle to
perform like a car. The time problem is not central to my argument that
email scanning does have a purpose and should be used except when some
malfunction requires otherwise and then only until the malfunction is
corrected.

> > Human frailty is how an attachment can be accidentally forwarded. Someone
> > doesn't notice, or just forgets while reading something especially
> > interesting in the infected message, and decides on impulse to forward the
> > email to a friend. Oops.
>
> I have never seen anything of interest that I would want to forward in a
> viral email. Usually just a poorly written attempt at social engineering,
> designed to lull some gullible user into running the attached file.

Well, there you have it: you have a clue. Most people do not! That's why the
problems occur and keep re-occurring. They just blindly click away, and send
entire webpages as a forward to their friends (who usually don't appreciate
it but have given up asking for it not to be done). Again, this has nothing
to do with this topic.

> > > The steps necessary to forward a message are many, and must be
> > > deliberately taken.
>
> > That comment is non sequitur. The mechanics of how to forward an email has
> > nothing to do about the decision to do so and any unintended human oversight
> > the action may cause.
>
> The decision to forward an e-mail is not either "accidental", or even
> "unintentional". It requires deliberate forethought, and a conscious act of
> will to take the steps necessary to forward an email. Anybody so willful as
> to forward a message is not going to be protected against himself for
> reasons I have already cited.

Oh, quit misquoting me. I didn't say forwarding of email is an accident, I
said without using email scanning the sending of a virus by forwarding could
be an accident because they didn't notice or chose not to even look at an
attachment (people do things that are not logical) before performing the
forwarding steps. It happens.

> > > Turning off the virus scanner won't lower your protection in the
> > > least.
>
> > I'm tired of hearing that assertion because that comment is also non
> > sequitur and out of context. I'm saying that turning off email scanning can
> > be the cause of not knowing that an infected message is being forwarded to
> > someone else. Absolutely no scanning was done and so no notice was possible
> > before the email was sent.
>
> It is not either a 'non sequitur', nor out of context. One should always
> handle attachments with care.

Yes it is non sequitur. People DO NOT handle attachments with care (you do,
I do, many do, but the general public does not have that clue and requires
that things be done automatically for them). That's why antivirus products
exist, people can not help clicking on everything that is clickable. They
just can not help it. And they don't want to hear about why they should be
careful, either. Nonsensical, I know, but a truism anyway.

> Anybody who blindly clicks on messages with
> attachments without careful handling, relying on his AV scanner to bail him
> out, is going to get infected. Sooner, or later.

No counter argument, your statement is a truism. But add the rest of the
story: they can not help themselves, they're going to get infected and
that's that. The only hope is that the computer can protect itself to some
degree against that human frailty.

> Just a week ago I received
> an unsolicited email with an attachment. My scanner did not alert on a
> threat when I saved the attachment to disk; even though the definitions were
> less than 48 hours old. I went to the AV vendor site and found a newer
> definition file; downloaded it and tried again. With a definition file less
> than 12 hours old that file still scanned clean. So I should trust my AV and
> go ahead and forward that file to somebody?

No. Nothing is perfect. Kill the virus writer, do something to make you feel
better ... I've no answer because this is not a perfect universe. Probably
the same exact circumstances are now protected against by your antivirus
product. The only thing you can do is the best that can be done. Decreasing
security is a move in the wrong direction for all but the geeky. You see,
you are an informed geeky type, and that's to your advantage. Most people
don't even know what RAM stands for. You know how many of my customers think
that their web browser accessed email actually resides on their computer!?
You trust them to be as geeky as you?

> Not on your life. Even with the latest definitions, I thought something was
> fishy, so I learned the procedures to submit suspicious files to my AV
> vendor. I didn't need an AV scanner to be careful of the attachment; and my
> AV vendor responded in under 10 minutes that the file I submitted was a
> Trojan dropper. Relying on your scanner is false security, if you don't
> think about what you are doing. If you do think about it, you won't be
> forwarding dicey email messages.
>
> > > OTOH, trusting your virus scanner because its definitions are only hours
> > > old, and it failed to find a threat in that unsolicited attachment you
> > > just received, is stupid.
>
> > It's better than nothing. Intentionally not implementing all possible
> > protection is very stupid.
>
> Intentionally forwarding email without checking what it is isn't stupid?

Yes, it is stupid. But the general public doesn't have a clue unless the
computer pops something up for them to blindly do a gleeful click upon.
That's life, that's the reality of human and computer relationships at this
point in history. YOU are an exception, it's good that you are. But it does
little to talk down the general public, they don't even understand the point
of the issues involved. Just accept it, and try to keep the ignorance from
negatively affecting your income potential.

> > > I refuse to trust my virus scanner for negative results
> > > on an attachment scan. It saved my bacon early last week; less than twelve
> > > hours after Norton released the March 9, 2004 definitions, NAV failed to
> > > find a threat in an attachment I received. I might as well not have had an
> > > AV program at all, as one that wouldn't bark.
>
> > Might as well not have an operating system if it hasn't been updated to
> > protect against all existing (and let's not forget potential) compromisers
> > then, by that argument.
>
> You called a couple of my statements "non sequiturs", but that non sector
> takes the cake. You might as well not have a computer if you don't have an
> operating system! Without an operating system all you have is a very
> expensive doorstop.

Without as much automated security as possible the typical customer or
client only has an expensive doorstop, too. That's why there's $ in this
area of work.

> > It takes time, even if only hours, for defenses to
> > be put into place for something unexpected. Then it has to be implemented
> > instead of ignored.
>
> I did the best I could do with what was available.

Sure you did! I'm positive of that. That's all you can do. Beyond that, you
have to be geeky. Don't expect the typical customer to be geeky. Like
parents TRY to protect children, the geeky must TRY to protect their
customers and clients from the negative results of their own activities.

> > Nothing is perfect or instantaneous.
>
> Exactly! But people who come to rely on their AV will, sooner or later, be
> infected.

And the point is? Do not use antivirus? Face it, the general public can not
rely on themselves to ward off problems, so the only thing left is automated
security. They must depend on it. And the more there is, the better the
chance you don't lose time doing fixes that make you shake your head about
why you're doing them.

> > That's no reason to
> > not use either an antivirus system, or an operating system. Mitigate
> > potential damages the best that you can.
>
> An on access virus scanner will work as well as a mail scanning system, if
> the operator doesn't blindly try to manipulate attachments. Had I a mail
> scanning AV when I got that Trojan dropper, I'd not have had any warning

An isolated case due to an imperfect universe, your antivirus vendor didn't
come up with a protection in time. Probably that protection is now available
from that vendor, though, so next time the same situation occurs you
probably can not have the same complaint. The idea is to mitigate as best as
possible. That's all that can be done. It should be done. Live the best life
you can, accidents (or call it what you wish) still will happen.

> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
>
> > > Lovely advertisement; should I trust it?
>
> > No. Implement your own security and implement it as tightly as possible.
> > It's a never ending job.
>
> I must have forgotten the sarcasm tags. :p
>
> > But at least thereby that advertisement know that
> > I'm trying my best to be a responsible netcitizen by doing what I can to
> > assure that my emails are not infected when they leave my computers. That's
> > the intent, anyway.
>
> It is an advertisement; it means nothing more because anybody can add such a
> signature. Indeed, for "social engineering" purposes, such a signature would
> have great value in convincing the gullible to do something rash. The
> everybody with any sense just sees lack of imagination.

I don't have a defined tag, I don't tell the utility to put that tagline in
there. Because it's the free version, it ads. The ones I've purchased for
other machines do not insert that ad. FWIW, I don't mind the ad. I think
it's a darn good product, but that's besides the point and just a personal
preference.

> > > See my comments above, and keep the
> > > old aviator's remarks in mind; "In God we trust, everything else we
> > > check".
>
> > That's exactly what I do. I say check your emails with email scanning unless
> > some system malfunction prevents doing so. And require that malfunctions be
> > fixed.
>
> None of my email clients have scanning enabled. NAV 2003 has scanning turned
> off. I don't like the interruption it causes when I am working.

Sounds like a poorly written product, from what you say. Why do you allow it
instead of demanding that something less intrusive be used? You have no
choice because the clients are acting blindly like lemmings?

> But I am not
> one to blindly run attachments from strangers, either.

You are an exception, as I've pointed out above. In general, the public
simply can not help itself and will run attachments (if they notice that
they have one and know how to do something about it).

> And I don't use a
> vulnerable client; for either e-mail (I prefer Pegasus), or news (mostly use
> Gravity). I have never been infected with a virus. I will never be infected
> with a virus.

Not with Pegasus, I agree. But just think of your workload if all your
customers used Pegasus! Just about everyone who uses Pegasus is geeky. They
have to be.

> > > Why waste the space on an advertisement you aren't paid to offer when you
> > > could come up with a real, or cute signature?
>
> > Are you trying to derail this topic with multiple non sequitur and somewhat
> > personal comments? I'll answer regardless.
>
> Hardly; I am only commenting on the signature. I don't normally do that for
> AVG sigs, or I'd never get anything else written. ;)
>
> I am only trying to emphasize that reliance on the AV may lead to lax
> practices otherwise.

Yes, I agree but point out that when it comes to the general public they
MUST rely on something. Else you're going to be busy re-fixing a lot more
than you do now. Education doesn't help, most are simply not geeky enough to
really understand what to you is clear cut and evident.

> > I already explained that, above. It's just my social statement of
> > responsibility being acknowledged. And it doesn't bother my OE at all. So if
> > it started to bother it, and I had not just upgraded it, then it follows
> > that the malfunction probably would not be its fault. No existing reason not
> > to use it, but lots of reason to use it.
>
> Funny thing. I used AVG for a while, until I hit a snag; some kind of
> conflict with one of my older programs and AVG. I changed vendors.

An older one? I've yet to see such a thing happen with AVG, but anything is
possible. One bad apple spoils the entire barrel, eh. Will you dump XP
because it won't work with some older things (drivers not available)? Same
argument! Incompatibilities have always been an occasional nightmare. Stuff
happens.

> > I could also have a sig, if I wanted one. For this forum, I usually do not.
> > That's also my choice of a social statement. Isn't it self evident?
>
> Hardly; I see a commercial plug of a product.

Me too, but I can't help it unless I want to put up some $. I suppose I'll
do that for this computer, eventually. I do like the product.

> > > Norman
> > > ~Win dain a lotica, En vai tu ri, Si lo ta
> > > ~Fin dein a loluca, En dragu a sei lain
> > > ~Vi fa-ru les shutai am, En riga-lint
>
> > If you want me to understand that then please translate it to the language
> > that this topic was started in. IMHO, it's the courteous thing to do.
>
> The signature itself is just fluff. It isn't even a real language; being
> made up for a show. Sometimes useful for a little levity.

And you complain about my fluff, but just because it's an involuntary
ad! Hypocrite!!! :p

> "In the darkness the dragon wakes.
> The dragon awakens
> to a heart that is numbed with cold
> the dragon takes..."
>
> More, or less...
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint

Ok, there be dragons out there. Cute, now that you've educated me. <grin>
Have a nice day, Norman. (no sarcasm intended)

---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
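
The base64 point argued in the thread above, as an added example that is not part of the original post: a byte search over the stored message misses a pattern inside a base64-encoded attachment, while a scanner that walks the MIME parts and undoes the transfer encoding finds it, including after the message is forwarded as an attachment. The signature, addresses, file name and function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for a byte pattern a scanner would match.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample_message() -> bytes:
    """Constructed message with one binary attachment carrying SIGNATURE."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    payload = b"MZ" + b"\x00" * 32 + SIGNATURE + b"\x00" * 16
    # The email library stores binary attachments base64-encoded.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


def forward(raw: bytes) -> bytes:
    """Wrap a received message, unchanged, in a new one (forward as attachment)."""
    inner = message_from_bytes(raw, policy=policy.default)
    outer = EmailMessage()
    outer["From"] = "recipient@example.invalid"
    outer["To"] = "friend@example.invalid"
    outer["Subject"] = "Fwd: constructed sample"
    outer.set_content("Thought you would like this.")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return outer.as_bytes()


def raw_scan(raw: bytes) -> bool:
    """File-level view: search the message bytes exactly as stored."""
    return SIGNATURE in raw


def mail_scan(raw: bytes) -> list:
    """Mail-scanner view: walk every MIME part, decode it, then search."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():  # containers, including message/rfc822
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if data and SIGNATURE in data:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    for label, raw in (("received", build_sample_message()),
                       ("forwarded", forward(build_sample_message()))):
        print(label, "raw_scan:", raw_scan(raw), "mail_scan:", mail_scan(raw))
```
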