A question about virus scanning of client email files

[Al Dykes]

What happens in this scenario:

1. I have a good AV program that is at latest updates. It filters
email, message by message as they come in from a pop server.

2. I get an email message with an attachemnt that has a virus that is
not yet recognized by the AV program. It passes.

3. The message is appended to my TB Inbox, which is a huge file
with *ALL* my mail, including attachments.

4. My AV vendor discovers the virus and adds it to the next update.

5. My AV product does it's daily or weekly full system scan,
discovers the virus in the file that is my Inbox file.

If I ask the AV product to delete or quarantine the bug, can the AV
product parse the Inbox and just delete the infected attachment or
does it delete the file, and all my mail.

 

[Art]

What happens in this scenario:

1. I have a good AV program that is at latest updates. It filters
email, message by message as they come in from a pop server.

2. I get an email message with an attachemnt that has a virus that is
not yet recognized by the AV program. It passes.

3. The message is appended to my TB Inbox, which is a huge file
with *ALL* my mail, including attachments.

4. My AV vendor discovers the virus and adds it to the next update.

5. My AV product does it's daily or weekly full system scan,
discovers the virus in the file that is my Inbox file.

If I ask the AV product to delete or quarantine the bug, can the AV
product parse the Inbox and just delete the infected attachment or
does it delete the file, and all my mail.

Not likely. The safe way to handle email attackments is to dispense
with them one way or another immediately. All unsolicted attackments
should be deleted right off the bat. Others should be Saved to a
test folder to be scanned later before deleting from within the email
app. That way no attackments are ever allowed to be stored in
your email archives and forgotten.

Give the Saved attackment file a few days before updating your
av and scanning it. That allows time for your av vendor to
hopefully add sigs for new and previously "unknown" malware.
There's no need for that silly nonsense about scanning email.
That's just a dumb marketing feature, and it's dangerous
because it lulls naive users into believing they are getting
some kind of added protection. Your only real protection is
to use your head and practice "safe hex".

Art
http://home.epix.net/~artnpeg

 

[Al Dykes]

Not likely. The safe way to handle email attackments is to dispense
with them one way or another immediately. All unsolicted attackments
should be deleted right off the bat. Others should be Saved to a

Thank you.

Now, can someone answer my question

 

[Art]

Thank you.

Now, can someone answer my question

I did! I said "not likely". You want that in more certain terms?
OK. Your goddam av won't be able to do anything with attackments
in your goddam TB inbox. Is that better?

Art
http://home.epix.net/~artnpeg

 

[Beauregard T. Shagnasty]

I did! I said "not likely". You want that in more certain terms? OK.
Your goddam av won't be able to do anything with attackments in your
goddam TB inbox. Is that better?

Heh, beat me to it, Art. "Not likely" is a good answer. If the a-v is
not smart enough to detach an attachment in a long text file, well, thar
ya go...

In Thunderbird, (set to view all messages) click on the column heading
paperclip icon to sort by those with attachments, and delete the suspect
emails. Or, View > Sort by... > Size and pick them out that way.