Outlook Express Irritating Cleanup Dialog

On Wed, 8 Jul 2009 09:30:40 -0500, Pete B wrote:

I know that's why it is called a zero-day virus, you're the one that emphasized
the term. Guess what? Day zero is past, and it is doubtful that any AV software
worth its salt has not been updated of that particular danger at this point.
Let me guess, though: you think that once the virus is in the AV databases,
it goes away never to be seen again; yeah, right, like that'll happen....

Silly boy. Virus writers are constantly writing new code in attempts to get
around the current AV definitions. It is like an arms race. Sooner, or
later, you are going to lose.

And here's an astounding, absolutely mind-blowing fact that you seem totally
oblivious of: NO virus or malware, of any kind or form, that has never been
seen before will be detected by ANY security system in the universe, NO MATTER
what the source of the attack.

Silly boy. That is exactly what I have been saying. What you seem to be
willfully ignoring is that virus writers are always working on the next
"zero day exploit".

Scanning emails detects such viruses, but most viruses come through web-based
attacks that do not involve email.

Silly boy. AV email scanning requires a Rube Goldberg kludge with MSOE, in
particular, tends to choke on. And is a redundant measure, to boot,
considering that the on-access, memory resident scanner will still alert on
the potential infection.

In any case, detecting the **source** of the attack is what matters, and
Kaspersky's and other AV software programs already do that, by detecting web
sources that are not certified safe to begin with, whether they are likely to
be infectious or not.

And they do so quite effectively without have to scan the email.

There are thousands of varieties of malware that are attacking PCs every hour ...

Cite, please. I don't see even tens of attacks per day against my PC.

But you go ahead and ignore the second largest source of viral attacks on the net
last year. Not me, I like to catch things BEFORE they do damage, not after the
damage is done.

Silly boy. E-mail borne viruses can't do any damage without active
participation of the user.

I will say it again: NOTHING you or anyone else said in this thread justifies
refraining from scanning incoming email traffic to my PC.

Silly boy. You can do any damned thing that pleases you. You can even call a
dog's tail a leg, if it pleases you: But that won't make a dog a five legged
creature.

For the rest of us, reality is all that matters.

But you go ahead and sit there in your little security blanket bubble doing nothing,
waiting until doomsday strikes.

It is you who is living inside a bubble. It may even burst on you some day.
One way, or the other.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

"N. Miller" wrote in message

On Wed, 8 Jul 2009 09:30:40 -0500, Pete B wrote:

....

I will say it again: NOTHING you or anyone else said in this thread
justifies refraining from scanning incoming email traffic to my PC.

Silly boy. You can do any damned thing that pleases you. You can even
call a dog's tail a leg, if it pleases you: But that won't make a dog
a five legged creature.

Silly is right. Aside from a few obvious but mostly irrelevant statement
you made and which I'm not commenting on, there certainly can be
considerable value to scanning incoming e-mails for viruses. It's
possible to catch them that way while they're still in buffers and
before they've even touched the hard drive which is infinitely more
efficient than waiting for them to trigger after they've landed on the
disk surface.

In fact, you've touched on sort of a pet peeve of mine: Scanning of
outgoing e-mails is something that can, not does, create situations
where e-mails can appear to have been sent but were in reality dropped
into the ether. It's an understood mechanism that's been described and
defined many times over by many people and easy to understand without a
lot of technical knowledge.
But ... the damage allegedly done by scanning incoming e-mails is not
well understood, is not a known mechanism, and nowhere does any web site
or paper I've ever found describe how and why an incoming e-mail can be
damaged or cause any damage to anything because an AV is scanning
incoming mails. There are some who claim anecdotal evidence of it
happening but not with any sureness or credibility that I can
understand. I've asked several times on various groups for someone to
explain the mechanism of the damage done to me, but no one to date can
do it.
I don't deny that it's possible, but I can't find anything that
proves the point, making me think that it is no more likely to occur
than any other file corruption anywhere else in a computer system.
I scan all of my incoming e-mails and always have since I gained the
ability to do so, and have never experienced a problem or I might have a
different opiniong. I monitor and receive e-mails from 12 different
accounts on a daily basis and depending on what's going on at any
specific time, that has been as high as 22 different accounts. That's
quite a few e-mails, so apparently at least in my case, it's not going
to be a problem, ever. As with scanning outgoing mails though, it's
possible for some people to also never experience the timing situation
that results in losing mails to the ether. In that direction it's all
timing dependent. Thus, I understand it could be "my case" that's never
going to have a problem, but ... I'd really love to know whether it's
just "my case" or all cases.
If anyone can provide any citation of the mechanism of scanning
incoming e-mails causing damage to anything, I would certainly
appreciate seeing it. Please, NOT the instructions to just turn off
e-mail scanning or "all" email scanning; I'm looking for verifiable,
credible information about how it happens, why it happens, and
basically, whether it really happens with incoming e-mails.

Woof! Sorry for the long tangent. To synopsize: Outgoing e-mails, yes,
scanning can definitely cause problems and it's well defined. But what
about with incoming? I suspect it creates no problem and all the
original hoopla was because many programs didn't separate in/out so you
use/kill both or nothing at all. Then the "myth" didn't keep up with
technology.

Regards,

Twayne



For the rest of us, reality is all that matters.

But you go ahead and sit there in your little security blanket
bubble doing nothing, waiting until doomsday strikes.

It is you who is living inside a bubble. It may even burst on you
some day. One way, or the other.

On Wed, 8 Jul 2009 18:31:43 -0400, Twayne wrote:

"N. Miller" wrote in message


On Wed, 8 Jul 2009 09:30:40 -0500, Pete B wrote:

...

I will say it again: NOTHING you or anyone else said in this thread
justifies refraining from scanning incoming email traffic to my PC.

Silly boy. You can do any damned thing that pleases you. You can even
call a dog's tail a leg, if it pleases you: But that won't make a dog
a five legged creature.

Silly is right. Aside from a few obvious but mostly irrelevant statement
you made and which I'm not commenting on, there certainly can be
considerable value to scanning incoming e-mails for viruses. It's
possible to catch them that way while they're still in buffers and
before they've even touched the hard drive which is infinitely more
efficient than waiting for them to trigger after they've landed on the
disk surface.

Do you realize that by the time your AV is scanning that attachment, it is
already on your hard drive? That is an unavoidable fact of life. Your AV
can't touch that attachment until after it is downloaded from the server.

But ... the damage allegedly done by scanning incoming e-mails is not
well understood, is not a known mechanism, and nowhere does any web site
or paper I've ever found describe how and why an incoming e-mail can be
damaged or cause any damage to anything because an AV is scanning
incoming mails. There are some who claim anecdotal evidence of it
happening but not with any sureness or credibility that I can
understand. I've asked several times on various groups for someone to
explain the mechanism of the damage done to me, but no one to date can
do it.

I've not scanned incoming email in years, so I don't have a way to examine
the mechanism. But I will begin with one common symptom: The email client
POP3 server name is changed from 'pop.server.com' to '127.0.0.1'. I've never
had the opportunity to examine the Advanced properties, to check the port
number, but I'll wager it is also changed: From '110' to 1110', or similar.

The mechanism is actually simple to guess at from that symptom. AV email
scanner interposes as a proxy, becoming a POP3 server in its own right,
listening on port 1110 for incoming connections, while interacting with the
actual mail server through port 110.

So MS Outlook Express connects with '127.0.0.1:1110' and waits for the POP3
transaction to proceed. AV scanner puts MSOE "on hold" while it connects
with 'pop.server.com:110', and downloads the email to a local temp folder on
the local HDD. Normal POP3 commands, so the server clears the mailbox, and
all the email is now in temp folder somewhere on the local HDD. AV now
starts scanning the contents of that temp folder. More time elapses than
MSOE expects, so MSOE throws up a "server not responding" error, and closes
the connection.

Now, if this had been the connection to the actual mail server, that server
would not delete any email from the mailbox, because the PO3 session did not
advance that far. But who knows what the AV "mail server" will do with the
temp files when the client closes the connection?

I scan all of my incoming e-mails and always have since I gained the
ability to do so, and have never experienced a problem or I might have a
different opiniong.

I can't say I have experienced corruption, but I have experienced oddness
that stopped when I stopped scanning the incoming email. Since the AV is
still running, whether it is scanning email, or not, it will alert on any
attempt to manipulate a malicious attachment. I've discovered that it is
damned hard to manipulate the EICAR file locally, for email tests, without
the AV barking. Not that EICAR is malicious: It is not, it is a text file,
which is included as a signature in AV scanners. The AV scanner is supposed
to recognize the signature of the EICAR file, and alert as if it was
malicious. So you can know the AV is actually doing its job. So, because
just moving the EICAR file around brings up alerts, I know the AV scanner
will alert when trying to manipulate an infected file.

Woof! Sorry for the long tangent. To synopsize: Outgoing e-mails, yes,
scanning can definitely cause problems and it's well defined. But what
about with incoming? I suspect it creates no problem and all the
original hoopla was because many programs didn't separate in/out so you
use/kill both or nothing at all. Then the "myth" didn't keep up with
technology.

OTOH, since, in my experience, the AV scanner barks whenever it encounters
an infected file, whether it is scanning email, or not, I have decided that
email scanning is, essentially, wasteful redundancy. I follow the "KISS"
principle: "Keep It Simple, Stupid". Email scanning violates "KISS", without
demonstrably enhancing protection. So I'll not be scanning incoming email.
At least until somebody can demonstrate how a virus can get past the local,
memory resident, on access scanner, if the email scanner doesn't catch it
first.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum