Does an anti-virus program using LSP still monitor e-mail on non-standard ports?

Vanguard

When I used Norton AntiVirus (NAV), it ran as a transparent proxy
(ccApp.exe) to monitor e-mail traffic. However, it was fixed as to
which ports it would monitor; i.e., it monitored the standard ports (110
for POP3 and 25 for SMTP). If I switch to different ports, which is
usually required for SSL connects to mail servers (995 for POP3 and 465
for SMTP), NAV would not monitor e-mail traffic. The e-mail traffic was
using different ports than NAV was monitoring. No big deal but the
effect is disabling e-mail scanning and some folks might want that
feature. I believe Avast! lets the user configure that product as to
which ports it will monitor (just something I read in another user's
post), so it will monitor e-mail traffic even when using non-standard
ports.

I'm now using Computer Associates' EzAntivirus (their rebranded
Inoculate product). It inserts its layered service provider (LSP)
interceptor into the TCP chain. What I'm wondering is if that means it
will monitor e-mail traffic no matter which port it uses. Since it
inserted its interceptor into the TCP layer to monitor all traffic, I
would think its interceptor would also monitor any e-mail traffic.

Dave English

Vanguard said:
When I used Norton AntiVirus (NAV), it ran as a transparent proxy
(ccApp.exe) to monitor e-mail traffic. However, it was fixed as to
which ports it would monitor; i.e., it monitored the standard ports
(110 for POP3 and 25 for SMTP). If I switch to different ports, which
is usually required for SSL connects to mail servers (995 for POP3 and
465 for SMTP), NAV would not monitor e-mail traffic.

Hmm, SSL, there's the rub!

The e-mail traffic was using different ports than NAV was monitoring.
No big deal but the effect is disabling e-mail scanning and some folks
might want that feature. I believe Avast! lets the user configure that
product as to which ports it will monitor (just something I read in
another user's post), so it will monitor e-mail traffic even when using
non-standard ports.

I'm now using Computer Associates' EzAntivirus (their rebranded
Inoculate product). It inserts its layered service provider (LSP)
interceptor into the TCP chain. What I'm wondering is if that means it
will monitor e-mail traffic no matter which port it uses. Since it
inserted its interceptor into the TCP layer to monitor all traffic, I
would think its interceptor would also monitor any e-mail traffic.

I don't know the answer to your specific question about ports, sorry.

But it seems to me that if you are collecting e-mail using SSL, then
nothing in the TCP chain is going to be able to scan it. To do so, it
would have to act as a man in the middle. The only way it can do that
is to accept your own SSL session & then perform its own to the server,
not impossible - but very difficult to do without undermining your
confidence in your SSL.

Others may know better ;-)
 
Vanguard

Dave English said:
Hmm, SSL, there's the rub!


I don't know the answer to your specific question about ports, sorry.

But it seems to me that if you are collecting e-mail using SSL, then
nothing in the TCP chain is going to be able to scan it. To do so, it
would have to act as a man in the middle. The only way it can do that
is to accept your own SSL session & then perform its own to the
server, not impossible - but very difficult to do without undermining
your confidence in your SSL.

Others may know better ;-)



I forgot about the SSL (on 465 and 995 which are typical ports for SSL
connects). Yeah, it's not like I'm sticking stunnel between the e-mail
client and the mail server.

However, I do run e-mail clients and proxies that use non-standard ports
and maybe the LSP used by EzAntiVirus will monitor the non-encrypted
traffic.
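
Added example (not part of the thread, and not any vendor's code): a sketch contrasting a port-bound mail scanner with one that sees every TCP stream and identifies mail by its first bytes, and showing why an SSL stream stays opaque to both. The function names, the port table and the sample byte strings are constructed for illustration; whether a given product's LSP works this way is an assumption.

```python
import struct

# Fixed ports a port-bound mail proxy watches (the two named in the thread).
PORT_TABLE = {25: "smtp", 110: "pop3"}

def classify_by_port(port):
    """Port-bound scanner: the destination port alone decides."""
    return PORT_TABLE.get(port, "ignored")

def looks_like_tls(data):
    """True if data begins with an SSLv3/TLS handshake record header.
    (SSLv2-format hellos are not covered by this check.)"""
    if len(data) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384

def classify_by_content(client_first, server_first):
    """Port-independent scanner: the first bytes from each side decide."""
    if looks_like_tls(client_first):
        return "tls-opaque"  # ciphertext only; nothing to scan without ending the session
    if server_first.startswith(b"+OK"):
        return "pop3"
    # "220" alone is ambiguous (FTP greets the same way), so require HELO/EHLO too.
    if server_first.startswith(b"220") and client_first[:4].upper() in (b"HELO", b"EHLO"):
        return "smtp"
    return "unknown"

# Constructed sample streams: (destination port, client's first bytes, server's first bytes).
SAMPLES = [
    (110,  b"USER alice\r\n", b"+OK POP3 ready\r\n"),
    (8110, b"USER alice\r\n", b"+OK POP3 ready\r\n"),
    (2525, b"EHLO pc.example\r\n", b"220 mail.example ESMTP\r\n"),
    (995,  b"\x16\x03\x01\x00\x2f\x01" + bytes(46), b""),
    (21,   b"USER bob\r\n", b"220 FTP ready\r\n"),
]

def compare(samples=SAMPLES):
    """Return (port, port-based verdict, content-based verdict) per stream."""
    return [(p, classify_by_port(p), classify_by_content(c, s)) for p, c, s in samples]

if __name__ == "__main__":
    for row in compare():
        print("%5d  by-port=%-8s by-content=%s" % row)
```

The plaintext POP3 and SMTP sessions on ports 8110 and 2525 are missed by the port table but recognised by content, while the port 995 stream is recognised only as TLS and its payload cannot be inspected.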
 
