Talk:Email scanning - pros and cons

From MozillaZine Knowledge Base

See Talk:Antivirus software for a lot of earlier discussion pertinent to this article.

What to exclude from scanning: the profile folder, or the Inbox file plus other mailbox files?

One quick comment about the 2nd [now the 3rd] of the "basics of e-mail security": excluding TB's profile folder from scanning is NOT "the exact equivalent" of excluding OE's .dbx files. One is a directory, and one is a file type that can be specified by its extension. The closest equivalent would be excluding TB's Inbox, Junk, Sent, Drafts, and all other mailbox files, individually by name (since they cannot all be excluded by file extension). The Symantec link advocates excluding the Inbox, not any whole directory containing the Inbox. The distinction is not insignificant, since malware could land in the profile folder if, say, a user were for some reason to save an attachment there. It's unlikely, but possible. For this reason, I can't see that excluding the whole profile folder is sound security advice. --wintogreen 08:16, 22 October 2005 (PDT)

As far as I understand AV programs, even in the *very* unlikely event of someone trying to save an infected file in a folder excluded from autoprotect, this is not dangerous. First of all, the AV will probably not even let the user handle an infected file, i.e. save or copy and paste malware. Secondly, even if a folder is excluded from autoprotect, the AV will not let the user execute any malware that might be in the excluded folder. Excluding the folder from autoprotect only prevents the AV from jumping into action if the user accesses a folder with malware in it (e.g. malware saved for testing purposes), but it does not prevent autoprotect from disabling any attempt to execute a file found in the excluded folder. --American Finn 14:09, 30 October 2005 (PST)
If my experiment with NAV just now is any indication, then you are wrong. I downloaded the eicar_com.zip file to a folder on my computer. With the folder not excluded from autoprotect, NAV won't even let me unzip the file. But when the folder is excluded from autoprotect, I can do anything with that zip file and its contents. I can unzip it, creating the eicar.com "virus" file; I can copy/paste the eicar.com file anywhere within the excluded folder or its subfolders; and yes, I can even double-click on the eicar.com file to execute the virus. With that folder excluded from NAV's autoprotect, I appear to have no protection from malware inside it. I don't think it's good security advice to tell people to exclude a whole folder from autoprotect if doing so creates a safe haven for malware. --wintogreen 19:08, 30 October 2005 (PST)
Sounds very bad. The only thing I can say in my defense is that this is not what Symantec seems to be saying on the page I referred to in my original contribution to the AV article and that I also added the following words of caution in the original article:
Excluding the profile folder from autoprotect should only prevent your AV program from taking action on the mail folder, but it should still enable your AV program to prevent any virus from being activated should you try to open an infected attachment -- check with your AV program's manufacturer or test it using this harmless antivirus test file.
On the basis of your experiment, we need to change or at least temporarily remove the following section because especially the "coming out" (explanation for normal users of being loaded into memory) is apparently incorrect:
Many if not most AV programs are configured to not let their autoprotect function monitor Outlook Express’s mail files (.dbx) and to ignore them during system scans. Symantec suggests excluding the Inbox file from being scanned in order to keep it from becoming quarantined [2]. Excluding the Inbox file from autoprotect should only prevent your AV program from taking action on the mailbox file, but it should still enable autoprotect to prevent any virus from being activated if you try to open an infected attachment. (The reason for this is that the attachment has to “come out” of the mailbox file to be activated.) In addition to excluding the Inbox file from being scanned, you can similarly exclude other mailbox files (such as Sent, Templates, and Junk). Check with your AV program’s manufacturer for instructions or test it using this harmless antivirus test file. --American Finn
Having a closer look at my NAV here... it turns out that the .dbx files are excluded by default only from autoprotect, not from "manual" scans (that's the term used on my Japanese version of NAV; presumably that setting applies to full system scans). So, that statement needs to be fixed. The parenthetical explanation about "coming out" is still basically correct, I think, the idea being that the attachment isn't going to be harmful if it's still embedded in the mailbox file. Can you think of better wording? For now, I'll just fix the latter part of the first sentence. --wintogreen
It would seem that you as a Symantec customer could easily ask for an explanation of what they mean by the following quote from the above link:
"Excluding the inbox file from being scanned prevents the inbox file from being quarantined while still allowing a virus to be detected. When a virus is found in an opened email message, rather than during a scan or when downloading, the opened message can be safely quarantined--or deleted--without causing problems with the Inbox itself... For information on how to exclude files in Symantec AntiVirus, see... "
Could there be an exception for the eicar file, as illogical as that would be? --American Finn 02:39, 31 October 2005 (PST)
Hmm, what does that quote mean?! If I have time, I'll play around with NAV some more to see if it actually works as they say. What do you mean, though, about an exception for eicar? --wintogreen 04:17, 31 October 2005 (PST)
...I did some experimenting with eicar as an attachment to a message, and what I found is that with the entire profile folder excluded from autoprotect, NAV did absolutely nothing when I opened the message with the eicar attachment. Then again, it also did nothing when I opened the same message with the profile folder not excluded. However, with the profile folder excluded, if I tried to open the attachment, NAV stopped me from doing so. Apparently this is because when you try to open the attachment, it first gets saved to a temp directory outside the profile folder (c:\docs & settings\username\local settings\temp), and NAV seems to interrupt that save operation to the non-excluded temp directory. --wintogreen 19:41, 31 October 2005 (PST)
Unless my eyes are playing tricks on me, it would seem that Symantec has revised the above quote (the linked article now has a "last modified" date of 11/09/2005). Now it simply says "When you exclude the Inbox file, Symantec AntiVirus can still detect infected files when you open email messages. For directions on how to exclude files in Symantec AntiVirus, read..." Judging from the results of my experiment above, I assume that "can" means "might" rather than "will". --wintogreen 02:03, 1 December 2005 (UTC)
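The discussion above turns on the difference between excluding a whole folder and excluding individual mailbox files, and on where an opened attachment actually lands. The following script is an added illustration, not code from the MozillaZine article or from Symantec: it models both exclusion styles over a constructed Thunderbird profile layout and reports which files an on-access scanner would still look at. The profile path, the temp path, the mailbox names and the eicar.com locations are all assumptions made for the example; no antivirus product is called.

```python
"""Compare 'exclude the profile folder' with 'exclude the mailbox files by name'.

Added example for the Talk page discussion; paths below are constructed and
illustrative only. Nothing here writes to disk or talks to an AV engine.
"""
from pathlib import PureWindowsPath

# Constructed Windows layout (assumption, not taken from the page).
PROFILE = PureWindowsPath(
    r"C:\Documents and Settings\user\Application Data\Thunderbird\Profiles\xxxxxxxx.default")
MAIL_ROOT = PROFILE / "Mail" / "Local Folders"
TEMP = PureWindowsPath(r"C:\Documents and Settings\user\Local Settings\Temp")

# Thunderbird mbox files have no extension, so they cannot be excluded by
# extension the way Outlook Express .dbx files can; each one is listed by name.
MAILBOXES = [
    MAIL_ROOT / "Inbox",
    MAIL_ROOT / "Junk",
    MAIL_ROOT / "Archives.sbd" / "2005",   # a mailbox inside a subfolder
]

# Everything that exists on disk in the constructed scenario.
SAMPLE_FILES = MAILBOXES + [
    MAIL_ROOT / "Inbox.msf",   # Thunderbird's index file for Inbox
    PROFILE / "eicar.com",     # test file a user saved into the profile folder
    TEMP / "eicar.com",        # copy written to %TEMP% when an attachment is opened
]


def folder_rule(folder):
    """Exclusion that skips every file under `folder` (the 'exclude the profile' advice)."""
    def excluded(path):
        try:
            path.relative_to(folder)
        except ValueError:
            return False
        return True
    return excluded


def file_list_rule(files):
    """Exclusion that skips only the listed files (the 'exclude the Inbox' advice)."""
    listed = {str(f).lower() for f in files}

    def excluded(path):
        return str(path).lower() in listed
    return excluded


def autoprotect_coverage(files, rule):
    """Map each path to True if on-access scanning still covers it under `rule`."""
    return {str(p): not rule(p) for p in files}


def unscanned_non_mailbox(files, rule):
    """Files the rule leaves unscanned that are not mailboxes: the 'safe haven'."""
    mailbox_names = {str(m).lower() for m in MAILBOXES}
    return sorted(str(p) for p in files
                  if rule(p) and str(p).lower() not in mailbox_names)


if __name__ == "__main__":
    for label, rule in (("profile folder excluded", folder_rule(PROFILE)),
                        ("mailbox files excluded by name", file_list_rule(MAILBOXES))):
        print(f"== {label} ==")
        for path, scanned in autoprotect_coverage(SAMPLE_FILES, rule).items():
            print(f"  {'scanned ' if scanned else 'SKIPPED '} {path}")
        print("  safe haven:", unscanned_non_mailbox(SAMPLE_FILES, rule) or "none")
```

Under the folder rule the saved eicar.com inside the profile is skipped, matching the experiment in which NAV ignored the excluded folder, while the copy Thunderbird writes to %TEMP% on open is still scanned, matching the later observation that opening the attachment was blocked. Under the per-file rule only the mailbox files themselves are skipped, so a file dropped into the profile folder stays covered.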

Revisions to the original article

OK, I've done some major editing on this article, including eliminating some entire sections. I hope you're not irked by my editing, American Finn, especially since I'm sure you put a lot of time into writing the whole article. I hacked off those sections because I agree with Guanxi's comment (in Talk:Antivirus software) that the article should not read like a treatise. It's much better, I think, if the article just contains the essential info that readers need in order to make a decision about email scanning, and not advocate a one-size-fits-all approach. The stuff about the AV industry is interesting, but it really doesn't add anything immediately useful to the article; it seems better suited to a blog or forum post rather than this knowledge base. As I noted in one of my edit summaries, if that info can be attributed to reliable outside sources, it would be better to just list those sources in an "External links" section at the end of the article. --wintogreen 23:03, 23 October 2005 (PDT)

Don't worry, I'm happy since the main point of the article is there, i.e. providing users with the rarely heard info about the danger and uselessness of email scanning both during and after downloading. I have no desire or need to have an article here that is as long as what I wrote -- it was only meant as a summary of the situation and was intended for severe editing and shortening. I had no time to edit and shorten it myself. However, I'm afraid many people will find the information as presented now quite strange and hard to follow/believe since there is none of the deleted background explaining why the AV industry has adopted this unnecessary and dangerous gimmick. There is also a need to explain why this info is almost never provided even in computer magazines. I will try to find links to reputable sites with the deleted info mentioned. --American Finn 14:09, 30 October 2005 (PST)
This is actually following up on the last bit of our discussion in the other article's Talk page, but anyway, please have a look at my user talk page for a rough idea of how to reorganize this article. We'd have to insert "See below" comments in the upper part of the article in a few spots, but overall I think it works better this way. What do you think? Feel free to play with it on my user talk page if you want. --wintogreen 06:40, 31 October 2005 (PST)

OK, an entire month passed without a peep from anyone, so I went ahead and changed the article according to what was in my Talk page. --wintogreen 02:26, 1 December 2005 (UTC)