why do i need an email scanner?

RB

I'm questioning why I need an email scanner. If the A/V program is doing
its job, doesn't it pick up on a virus once one is loose in your PC---as
happens if you open an infected email attachment ???

If so, why a need for an email scanner function? Or, is just one more layer
of protection?
 
RB said:
I'm questioning why I need an email scanner. If the A/V program is
doing its job, doesn't it pick up on a virus once one is loose in
your PC---as happens if you open an infected email attachment ???

Safe hex practices should dictate that you save all attachments to a
"suspect" directory, and scan them first - before opening them. Even
if you were expecting them. Further, all the viruses I've seen in the
last few years are easily recognizable, just by viewing the subject
line, and certainly the body of the message. All it takes is some
logical thought.

Don't use, or read, HTML email. <g>

RB said:
If so, why a need for an email scanner function? Or, is just one
more layer of protection?

If you observe the above, you shouldn't. Outbound scanning is also
generally pointless, as all modern viruses propagate by using their
own SMTP engines, and do not attach themselves to your outgoing mail.
 
RB said:
I'm questioning why I need an email scanner. If the A/V program is doing
its job, doesn't it pick up on a virus once one is loose in your PC---as
happens if you open an infected email attachment ???

Correct.

If so, why a need for an email scanner function? Or, is just one more layer
of protection?

Need?

Intelligent folk don't "need" an Email scanner (but then, they don't "need"
any other kind of virus scanner either).

Of course, if you use any standard (read "Microsoft or other IE-based") Email
client, web browser or the like you are so far up sh*t creek that an Email
virus scanner is going to seem necessary despite their many inadequacies.

All that said, some folks like the "comfort factor" of believing (quite
incorrectly) that a client-based Email virus scanner prevents them
"downloading" a virus.
 
Beauregard T. Shagnasty said:
Safe hex practices should dictate that you save all attachments to a
"suspect" directory, and scan them first - before opening them. Even
if you were expecting them. ...

Nothing "safe" about that at all. Have you forgotten that they are
_known_ virus scanners? A non-detection simply means that whatever
is not a known virus -- it could easily be a new, unknown virus...

... Further, all the viruses I've seen in the
last few years are easily recognizable, just by viewing the subject
line, and certainly the body of the message. All it takes is some
logical thought.

But, as so many of them have resulted in full-blown outbreaks, the
level of logicality necessary to prevent trouble from such things is
obviously somewhere above that available to all those who use the
Internet...

Don't use, or read, HTML email. <g>

HTML Email need not be a concern, so long as you are smart enough to use
a genuinely "safe" Email client...

... Outbound scanning is also
generally pointless, as all modern viruses propagate by using their
own SMTP engines, and do not attach themselves to your outgoing mail.

Huh???

Proper outbound scanning is done at the network traffic interception
level, so it matters not whether a self-mailing virus sends itself out
via your preferred Email client, some other Email client on your
machine or using its own SMTP engine. Proper, network level, scanning
will detect that something is sending what appears to be SMTP traffic
and scan it (of course, if that "something" is a new virus, unknown to
your known virus scanner _and_ your scanner doesn't have some heuristic
detection mechanism like NAV's so-called "worm blocking", it will sail
past the scanner, but the scanner will at least do what it's designed
to do -- fail to detect unknown viruses...).
 
RB said:
I'm questioning why I need an email scanner. If the A/V program is doing
its job, doesn't it pick up on a virus once one is loose in your PC---as
happens if you open an infected email attachment ???

If so, why a need for an email scanner function? Or, is just one more layer
of protection?

I 99% agree with you. It is not even one more layer of protection,
because it is the same virus scanner, so if it misses the worm on the
download, it will miss it when you save it to disk as well.

The one area an email scanner does protect against is HTML exploits that
use the scripting capability of the HTML rendering engine in Microsoft
Outlook and Outlook Express and don't need to save anything to disk to
do something malicious. But the best protection against that is not to
use Outlook or Outlook Express in the first place.
 
Nick FitzGerald said:
Need?

Intelligent folk don't "need" an Email scanner (but then, they don't "need"
any other kind of virus scanner either).

Of course, if you use any standard (read "Microsoft or other IE-based") Email
client, web browser or the like you are so far up sh*t creek that an Email
virus scanner is going to seem necessary despite their many inadequacies.

All that said, some folks like the "comfort factor" of believing (quite
incorrectly) that a client-based Email virus scanner prevents them
"downloading" a virus.

Wait a second...I have seen client-based Email virus scanners stop and red
flag Email viruses before they were allowed to download. What exactly do
you mean by your last paragraph?

--Mike
 
Nick said:
Nothing "safe" about that at all. Have you forgotten

No.

that they are _known_ virus scanners? A non-detection simply means
that whatever is not a known virus -- it could easily be a new,
unknown virus...

Of course. Absolutely. But your statement also applies to *scanning*
mail as it arrives, which is what the OP was asking. "If so, why a
need for an email scanner function?" If it's not in the database, it
doesn't matter if you scan or not. Right?

But, as so many of them have resulted in full-blown outbreaks, the
level of logicality necessary to prevent trouble from such things
is obviously somewhere above that available to all those who use
the Internet...

Sure. "Ooh... I wonder what Bob sent me?" CLICK!

I did _not_ say the average bear actually already _has_ this level of
logicality. I suggested that one may consider using logical thought.

HTML Email need not be a concern, so long as you are smart enough
to use a genuinely "safe" Email client...

Tally up the number of users who don't ... ;-) Ahem, I notice you
are using OE. Why don't you have a genuinely "safe" one?

Reading in Plain Text also removes the chances of getting tagged by a
spammer as a real address, but that's another story.

Huh???

Proper outbound scanning is done at the network traffic
interception level, so it matters not whether a self-mailing virus
sends itself out via your preferred Email client, some other Email
client on your machine or using its own SMTP engine. Proper,
network level, scanning will detect that something is sending what
appears to be SMTP traffic and scan it (of course, if that
"something" is a new virus, unknown to your known virus scanner

Back to that again... doesn't matter if you scan mail or not if the
virus is not in your database.

What exactly do you mean by "network traffic level?" On the user's
home computer? Or at the user's mail host? If you mean at the host,
that is also not what the OP was asking.

_and_ your scanner doesn't have some heuristic detection mechanism
like NAV's so-called "worm blocking", it will sail past the
scanner, but the scanner will at least do what it's designed to do
-- fail to detect unknown viruses...).

Your firewall should pick up unwanted outbound transmission as well.
If you have one. Heh, more logical thought. :-)
 
Wait a second...I have seen client-based Email virus scanners stop and red
flag Email viruses before they were allowed to download. What exactly do
you mean by your last paragraph?

I mean exactly what it says.

To understand it, ask yourself "Where is the code that is doing the
scanning running?" Then ask yourself "Where _was_ the Email before it
was scanned and where must it have been for the client-side scanner to
actually be able to scan it?"

(My comment is not based on any sophistry revolving around cases
involving missed detections.)
 
--Mike said:
Wait a second...I have seen client-based Email virus scanners stop and red
flag Email viruses before they were allowed to download. What exactly do
you mean by your last paragraph?

A client based scanner still needs to download the email before it can
scan it and decide whether it contains a virus. But if it "downloads" it
into memory or into some hidden temporary folder to scan it, and deletes
it if it contains a virus, then it is probably never downloaded as far
as most users are concerned.
 
I 99% agree with you. It is not even one more layer of protection,
because it is the same virus scanner, so if it misses the worm on the
download, it will miss it when you save it to disk as well.

The one area an email scanner does protect against is HTML exploits that
use the scripting capability of the HTML rendering engine in Microsoft
Outlook and Outlook Express and don't need to save anything to disk to
do something malicious. But the best protection against that is not to
use Outlook or Outlook Express in the first place.


My isp is family online

However, I don’t like email scanners. Sorry, I don’t install the
email scanner anymore or I disable it. I cannot get through to my
relatives on AOL. AOL and others think it is coming from an open
proxy. Which in a sense it does. So, it bounces them.

Also, another thing that could cause AOL and others to think it is coming
from an open proxy. If your ISP scans your email and you have your
own email scanner.

Which my isp scans my email.


Greg R
 
from the wonderful person said:
A client based scanner still needs to download the email before it can
scan it and decide whether it contains a virus. But if it "downloads"
it into memory or into some hidden temporary folder to scan it, and
deletes it if it contains a virus, then it is probably never downloaded
as far as most users are concerned.

Only if they are paying the phone bill, by the minute. 200 copies of
SWEN a day amount to a shedload of bytes. I much prefer solutions that
delete them at the ISP.
 
The one area an email scanner does protect against is HTML exploits that
use the scripting capability of the HTML rendering engine in Microsoft
Outlook and Outlook Express and don't need to save anything to disk to
do something malicious.

Don't HTML and *script have to exist as files in order to be fed to
their respective engines?

But the best protection against that is not to
use Outlook or Outlook Express in the first place.

Or set the clients up properly and keep them (endlessly) updated.
 
GSV said:
Only if they are paying the phone bill, by the minute. 200 copies of
SWEN a day amount to a shedload of bytes. I much prefer solutions that
delete them at the ISP.

I agree, but the OP asked about *client* based scanning.
 
Roger said:
Don't HTML and *script have to exist as files in order to be fed to
their respective engines?

No. Some of the script viruses use the script commands to create a file
on disk which is then executed (ISTR the Kak worm did this) but that's
another matter.

Or set the clients up properly and keep them (endlessly) updated.

Well, that's another option, but given that Firefox and Thunderbird are
perfectly good substitutes for IE and OE, why bother. In fact, I think
MS have locked down security now so there isn't much risk from these
script engines, but it's the people running old versions that have never
been updated that have the trouble. But then, many of them probably
don't run up-to-date AV software either.
 
Julian said:
A client based scanner still needs to download the email before it can
scan it and decide whether it contains a virus. But if it "downloads" it
into memory or into some hidden temporary folder to scan it, and deletes
it if it contains a virus, then it is probably never downloaded as far
as most users are concerned.

I guess I'm not completely understanding what difference it would make, if
the result is that the virus is deleted. I don't think that most people are
going to care whether the virus is removed *before* being downloaded, or
*after* being downloaded, as long as the end result is that the virus is
removed. Perhaps I'm missing something here?

--Mike
 
RB said:
I'm questioning why I need an email scanner. If the A/V program is doing
its job, doesn't it pick up on a virus once one is loose in your PC---as
happens if you open an infected email attachment ???

It should, but (proxy) scanning incoming e-mail for exploit code
destined for your vulnerable client could have its good points.

If so, why a need for an email scanner function?

Fluff you are convinced by the industry that you need. And the industry
is convinced by the competitor's increase in marketshare when they
offered the feature in their newest version. Give the people what they
want no matter how ridiculous it seems.

Or, is just one more layer
of protection?

Not even this in most cases, except as mentioned above.
 
"Beauregard T. Shagnasty" to me:

Tally up the number of users who don't ... ;-) Ahem, I notice you
are using OE. Why don't you have a genuinely "safe" one?

I see you are a genuine idiot.

Did it not occur to you that I may only use OE for reading News?

And, OE can be made as safe as any other MUA _IF_ you know what you
are doing -- my comment about using a "genuinely safe Email client"
was aimed at those who cannot/will not do anything short of "install
and use" (i.e. not do any custom configuration beyond entering the
necessary Email service options to collect their mail).

What exactly do you mean by "network traffic level?" On the user's
home computer? Or at the user's mail host? If you mean at the host,
that is also not what the OP was asking.

You are clearly inadequately intellected to partake in meaningful
discussions of these issues...

I mean at the network traffic level _on the client_.

In simple terms, a proper client-side Email traffic scanner hooks into
the network stack at a very low level and monitors the traffic for
various tell-tale signs (TCP traffic to port 25 being a good one for
SMTP sending).
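
The per-process view of outbound SMTP traffic described in the post above, as an added example that is not part of the original thread. The event records, process names and thresholds are constructed assumptions; it models only the decision about which sender to look at, not the hook into the network stack or the virus scan itself.

```python
from collections import defaultdict

# Constructed sample events: (seconds, process, destination IP, destination port).
# Addresses come from documentation ranges (RFC 5737); this is not real traffic.
EVENTS = [
    (0,   "mailclient.exe", "192.0.2.10",   25),
    (5,   "browser.exe",    "198.51.100.7", 80),
    (12,  "unknown.exe",    "203.0.113.5",  25),
    (13,  "unknown.exe",    "203.0.113.9",  25),
    (14,  "unknown.exe",    "198.51.100.3", 25),
    (15,  "unknown.exe",    "192.0.2.77",   25),
    (400, "mailclient.exe", "192.0.2.10",   25),
]

SMTP_PORT = 25
EXPECTED_SENDERS = {"mailclient.exe"}  # assumption: the user's configured mail client
MAX_SERVERS = 2                        # assumption: distinct servers allowed per window
WINDOW = 60                            # assumption: window length in seconds


def smtp_senders(events):
    """Group outbound port-25 connections by the process that opened them."""
    by_proc = defaultdict(list)
    for ts, proc, dst, port in events:
        if port == SMTP_PORT:
            by_proc[proc].append((ts, dst))
    return by_proc


def review(events):
    """Return {process: [reasons]} for SMTP senders that deserve a closer look."""
    findings = {}
    for proc, conns in smtp_senders(events).items():
        reasons = []
        if proc not in EXPECTED_SENDERS:
            reasons.append("not the configured mail client")
        conns.sort()
        for i, (start, _) in enumerate(conns):
            # Distinct mail servers contacted within WINDOW seconds of this connection.
            servers = {dst for ts, dst in conns[i:] if ts - start <= WINDOW}
            if len(servers) > MAX_SERVERS:
                reasons.append(f"{len(servers)} mail servers within {WINDOW}s")
                break
        if reasons:
            findings[proc] = reasons
    return findings
```

Because the grouping is keyed on the process that opened the connection, a program using its own SMTP engine shows up in the same table as the regular mail client.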
 
Julian said:
No. Some of the script viruses use the script commands to create a file
on disk which is then executed (ISTR the Kak worm did this) but that's
another matter.

So that's a 'yes' then?

Well, that's another option, but given that Firefox and Thunderbird are
perfectly good substitutes for IE and OE, why bother. In fact, I think
MS have locked down security now so there isn't much risk from these
script engines, but it's the people running old versions that have never
been updated that have the trouble.

This is probably true.
 
I'm questioning why I need an email scanner. If the A/V program is doing

As others have mentioned, the file being scanned must be downloaded to your
pc, in order for the email scanner to scan it.

The main reason for using an email scanner, that checks the file before your
mail reading program sees it, is to prevent the attachment from being imported
into a database, that the av program cannot safely delete it from.

In the "distant" past, people occasionally lost all of their email, when the presence
of an infected attachment was found inside the database.

Currently, most av programs will tell you the virus has been found, but that it
cannot delete it. You have to figure out which message the infected attachment
is in, and delete the message yourself.

Regards, Dave Hodgins

PS. Does anyone here know, how do you get a cat to stop insisting on sitting in front
of the monitor?<BG>
 