pro's/con's email

FromTheRafters

gufus said:
Hello, All!

What are the pros/cons to scanning email?

Pro = there is a very slight outside chance that a malware exploit that
attacks through the e-mail client itself will be stopped prior to
reaching any vulnerable code.

Con = it adds unnecessary overhead with too little to gain.

It can cause delays that affect services (such as server time-outs
and possibly other race conditions) when it takes too long to scan an
item. The very slight chance above would also apply to the scanner
software: now that *it* is the software directly exposed to the incoming
data, *it* also has the slight outside chance that malware could be
written to exploit *it*.
 
FromTheRafters

gufus said:
Hi FromTheRafters,

15 Aug 10, FromTheRafters writes to gufus:


I thought about the scanner being exposed.

I'm remembering the decompression algorithms that were being attacked
some years ago. Add that to the new placement of the scanner, and
autoworms likely could have been written instead of just exploit based
trojans.

Exploits aside, it is often noted that malware within the e-mail
container would likely be caught by the AV's on-access scanner once it
was removed from the container and about to be written to the disk as a
file. Some AVs might have different settings such as higher heuristics
allowance when the engine is involved in e-mail scanning (it *might*
catch what the on-access scan *might* miss), so YMMV in that case.

I wouldn't bother with e-mail scanning myself, but there *are* advocates
(they probably have been listening to too many marketing types).
 
(PeteCresswell)

Per FromTheRafters:
I wouldn't bother with e-mail scanning myself, but there *are* advocates
(they probably have been listening to too many marketing types).

I had a machine totaled out by a particularly nasty virus (can't
recall the name) when the user managed to click the virus
warning's "Don't Do Anything" button - so now I'm a confirmed
believer.
 
FromTheRafters

(PeteCresswell) said:
Per FromTheRafters:

I had a machine totaled out by a particularly nasty virus (can't
recall the name) when the user managed to click the virus
warning's "Don't Do Anything" button - so now I'm a confirmed
believer.

Does an e-mail scanner alert get around the user's tendency to do such
silly things?
 
Dustin

Pro = there is a very slight outside chance that a malware exploit
that attacks through the e-mail client itself will be stopped prior
to reaching any vulnerable code.

Con = it adds unnecessary overhead with too little to gain.

It can cause delays that affect services (such as server
time-outs and possibly other race conditions) when it takes too long
to scan an item. The very slight chance above would also apply to
the scanner software: now that *it* is the software directly exposed
to the incoming data, *it* also has the slight outside chance
that malware could be written to exploit *it*.

You forgot about the possibility of mailbox corruption issues. Several
have been documented in the past with Outlook/Express and various
antivirus wanting to scan the email files...
 
FromTheRafters

Dustin said:
You forgot about the possibility of mailbox corruption issues. Several
have been documented in the past with Outlook/Express and various
antivirus wanting to scan the email files...

I didn't forget, I just neglected to mention it specifically. :blush:)
 
(PeteCresswell)

Per FromTheRafters:
Does an e-mail scanner alert get around the user's tendency to do such
silly things?

Avast's does not.

However it pops a warning screen with the correct button
pre-selected and the screen is such that the user has to be
*really* intent on defeating it.

Dunno about options - logically there sb an option to disallow
"Ignore" by the user... but I have not checked.
 
FromTheRafters

(PeteCresswell) said:
Per FromTheRafters:

Avast's does not.

However it pops a warning screen with the correct button
pre-selected and the screen is such that the user has to be
*really* intent on defeating it.

Dunno about options - logically there sb an option to disallow
"Ignore" by the user... but I have not checked.

That's good, it shouldn't be made too easy for users to screw up. :blush:)
 
(PeteCresswell)

Per FromTheRafters:
That's good, it shouldn't be made too easy for users to screw up. :blush:)

But let me tell you.... Some of them try *really* hard..... -)
 
Leythos

Pro = there is a very slight outside chance that a malware exploit that
attacks through the e-mail client itself will be stopped prior to
reaching any vulnerable code.

Con = it adds unnecessary overhead with too little to gain.

I disagree with your CON - I've seen hundreds of computers that are
infected with email bots that, if a proper AV solution was installed and
updated, the malware would not have been able to email itself to others.

Additionally, we install firewall appliances that scan email inbound and
outbound for malware, before they reach the users' computers, to remove
it.
 
Leythos

You forgot about the possibility of mailbox corruption issues. Several
have been documented in the past with Outlook/Express and various
antivirus wanting to scan the email files...

I've used Outlook as an email client for more than a decade, always had
email scanning enabled, and never had an issue with it. We have
thousands of systems using Outlook (never used OE) and scan email at the
local client level as well as the servers/firewall, never had a corrupt
Outlook.

Yes, I know that it happens, but I believe it's happening when a person
uses a crappy AV solution and their machine is already screwed.
 
gufus

Hello, Leythos!

You wrote on Wed, 18 Aug 2010 08:06:58 -0400:

L> I've used Outlook as an email client for more than a decade, always had
L> email scanning enabled, and never had an issue with it. We have

Me too... well, maybe not a /decade/

I'm not that old, I've decided to keep email scanning enabled. :)
 
