Bad advice?

Dennis

Over in alt.usenet.offline-reader.forte-agent (Forte Agent news/email
client) someone gave this advice:
Your Anti-Virus/Anti-Spyware should exclude Agent's 'Data' directory from
real-time scans and only 'ask' before fixing on manual scans.

This was in response to a question about Agent's data files getting
corrupted.

Is this good advice? Couldn't this leave the door open for malicious
attachments?

(Note: I use Avira 9)
 
Alfred Matej

Dennis said:
Over in alt.usenet.offline-reader.forte-agent (Forte Agent news/email
client) someone gave this advice:


This was in response to a question about Agent's data files getting
corrupted.

Is this good advice? Couldn't this leave the door open for malicious
attachments?

(Note: I use Avira 9)

You'd have to manually set up exclusions. Avira would scan
Agent's network traffic, what it reads on the disk, and it
will scan when you actually look at the files. So unless
you have manually set up these exclusions, I wouldn't worry.
Even if you did and downloaded a file, Avira would still
scan it if you tried to open the file or used another program
to open it.
 
Dennis

You'd have to manually set up exclusions. Avira would scan
Agent's network traffic, what it reads on the disk, and it
will scan when you actually look at the files. So unless
you have manually set up these exclusions, I wouldn't worry.
Even if you did and downloaded a file, Avira would still
scan it if you tried to open the file or used another program
to open it.

But they are recommending that you set up the exclusions. So you are
saying that if I set up exclusions, Avira would let Agent write the
malicious attachment to disk? And Avira then would somehow catch it
later if I tried to detach it (via Agent) and run it?
 
Alfred Matej

Dennis said:
But they are recommending that you set up the exclusions. So you are
saying that if I set up exclusions, Avira would let Agent write the
malicious attachment to disk? And Avira then would somehow catch it
later if I tried to detach it (via Agent) and run it?

Why do they want you to set up the exclusions? If I knew why I
could probably help you out a bit more.

For instance, when I have exclusions on my torrent software,
I can download a malicious file easily and my AV won't complain,
but if I go to the directory in explorer, my AV will detect it
through real-time scanning.

Oh, one more thing: it is possible to set up an exclusion for a
whole directory, instead of not scanning activity done by a
particular piece of software. I would not do this unless you have
a very good reason. Then the AV software will ignore everything
in that directory regardless.
 
FredW

But they are recommending that you set up the exclusions. So you are
saying that if I set up exclusions, Avira would let Agent write the
malicious attachment to disk? And Avira then would somehow catch it
later if I tried to detach it (via Agent) and run it?

Avira Antivir Free does not scan e-mails, but Avira Antivir Premium
(Paid) does, see comparison chart:
http://www.free-av.com/en/products/2/avira_antivir_premium.html
("Enhanced email protection for POP3 and SMTP")

- Why You Don't Need Your Anti-Virus Program to Scan Your E-Mail
http://thundercloud.net/infoave/tutorials/email-scanning/index.htm
 
Alfred Matej

FredW said:
Avira Antivir Free does not scan e-mails, but Avira Antivir Premium
(Paid) does, see comparison chart:
http://www.free-av.com/en/products/2/avira_antivir_premium.html
("Enhanced email protection for POP3 and SMTP")

- Why You Don't Need Your Anti-Virus Program to Scan Your E-Mail
http://thundercloud.net/infoave/tutorials/email-scanning/index.htm

The article talks about corrupt databases; I know Thunderbird
gets around that. Didn't all the other major email clients start
putting mail in a separate file before it gets put in the
database in case a virus gets picked up?
 
Dennis

Oh, one more thing: it is possible to set up an exclusion for a
whole directory, instead of not scanning activity done by a
particular piece of software. I would not do this unless you have
a very good reason.

This is exactly what they are saying Agent users should do ... exclude
the directory where Agent keeps the .dat files which contain your email
(and attachments before being detached). The reason they recommend this
is because apparently there have been reports of .dat files being
corrupted by AV scanners. I don't know if this has actually been proven
to be true. I suppose this could be true if the AV software tried to
quarantine something while Agent had the file open.

Maybe they assume you are using AV software that also scans incoming
email (like AVG)?

Since I back up my email folder weekly, I will not exclude any folders
and not worry about Avira 9 corrupting my email files. If I lose a week's
worth of email, so be it.
 
FredW

The article talks about corrupt databases; I know Thunderbird
gets around that. Didn't all the other major email clients start
putting mail in a separate file before it gets put in the
database in case a virus gets picked up?

The article talks about data files and not database files.
Usually there is a data file per folder of your e-mail program.
And Thunderbird behaves just like all other e-mail clients.
(and does not "get around".)

I know of no e-mail program that puts an individual e-mail in a separate
file, before adding that email to a data file of e-mails.
(and the INbox is also a data file.)
 
FredW

This is exactly what they are saying Agent users should do ... exclude
the directory where Agent keeps the .dat files which contain your email
(and attachments before being detached). The reason they recommend this
is because apparently there have been reports of .dat files being
corrupted by AV scanners. I don't know if this has actually been proven
to be true. I suppose this could be true if the AV software tried to
quarantine something while Agent had the file open.

I have configured my Avira Antivir Scan/Archives not to scan Mailboxes
(last six entries of Archives.)
 
Alfred Matej

FredW said:
The article talks about data files and not database files.
Usually there is a data file per folder of your e-mail program.
And Thunderbird behaves just like all other e-mail clients.
(and does not "get around".)

I know of no e-mail program that puts an individual e-mail in a separate
file, before adding that email to a data file of e-mails.
(and the INbox is also a data file.)

In Thunderbird, if you go into options ---> privacy --->
Antivirus, that option will download each message individually
into a separate file before the msg is stored into the database.
That was their solution to the problem.
 
FredW

In Thunderbird, if you go into options ---> privacy --->
Antivirus, that option will download each message individually
into a separate file before the msg is stored into the database.
That was their solution to the problem.


In Tools/Options/Privacy/Anti-Virus is stated:
"Thunderbird can make it easy for anti-virus software to analyze
incoming mail messages for viruses before they are stored locally."

And then you can choose:
"Allow anti-virus clients to quarantine individual incoming messages"

Nowhere is it said where the "incoming messages" are *temporarily* kept
(let alone in a separate file), before they are put in your IN-Box.
 
Alfred Matej

FredW said:
In Tools/Options/Privacy/Anti-Virus is stated:
"Thunderbird can make it easy for anti-virus software to analyze
incoming mail messages for viruses before they are stored locally."

And then you can choose:
"Allow anti-virus clients to quarantine individual incoming messages"

Nowhere is it said where the "incoming messages" are *temporarily* kept
(let alone in a separate file), before they are put in your IN-Box.


It doesn't say that within Thunderbird, but it is discussed in
MozillaZine. Here is the link to the article:

http://kb.mozillazine.org/Download_each_e-mail_to_a_separate_file_before_adding_to_Inbox
 
FromTheRafters

Dennis said:
Over in alt.usenet.offline-reader.forte-agent (Forte Agent news/email
client) someone gave this advice:

Always ask. Automatic actions other than ask are just asking for
trouble. Exclusions are of course up to you, but if everyone excluded
some known directory from malware scanning software - malware would soon
be written to take advantage of that situation.

This was in response to a question about Agent's data files getting
corrupted.

A case of AV scanning containers. :blush:(

Is this good advice? Couldn't this leave the door open for malicious
attachments?

Attachments would be scanned, when detached, by the on access scanner.
IOW when the active content is removed from the container and placed in
a file (or when said file is next accessed after the file had been
created).
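
The container-versus-detached-file distinction discussed in this thread, as an added example that is not part of any poster's message: inside a mailbox container an attachment sits in encoded form, and its original bytes only reappear once it is detached into a file, which is the point where an on-access scanner sees them. Assumptions: a standard mbox file stands in for a mail client's data file (Agent's .dat layout is not described in the thread), and `MARKER` is a constructed, harmless byte string standing in for a scanner signature.

```python
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed, harmless stand-in for a byte pattern a scanner would match.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"

def build_mailbox(path):
    """Write a one-message mbox container whose attachment holds MARKER."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"header " + MARKER + b" trailer",
                       maintype="application", subtype="octet-stream",
                       filename="sample.bin")  # stored base64-encoded
    box = mailbox.mbox(path)
    box.add(msg)
    box.close()  # close() flushes the message to disk

def raw_container_hit(path):
    """Byte-match the container file as-is, without decoding mail parts."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()

def detached_hits(path):
    """Decode each attachment (what detaching does) and match the result."""
    hits = []
    box = mailbox.mbox(path)
    for msg in box:
        for part in msg.walk():
            name = part.get_filename()
            if not name:
                continue  # body text and multipart wrappers
            payload = part.get_payload(decode=True)
            if MARKER in payload:
                hits.append((name, hashlib.sha256(payload).hexdigest()))
    box.close()
    return hits

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "inbox.mbox")
        build_mailbox(path)
        return raw_container_hit(path), detached_hits(path)

if __name__ == "__main__":
    print(demo())
```
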
 
