"Frank Saunders, MS-MVP" <franks...@mvps.org> wrote in message
news:%23RHbLFh...@tk2msftngp13.phx.gbl...
> If the attachment has never been opened, there is nothing running that
would
> try to spread the attachment. Other anti-virus makers had to add it
because
> so many people wanted an anti-virus with this useless ability to screw up
> mail programs. Email scanning is nothing but a marketing ploy started by
> McAfee or Symantec (I forget which). It adds no protection whatsoever and
> slows down receiving and sending email, often causing problems.
Hi, Kath and Frank. This subject is worthy of its own topic and so I've spun
it off from its original source, where it was threading off topic.
I think the broken link that Kath referred to in another topic is at this
addresses near the bottom at
http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/65434372961d321d8825687f000003f8?OpenDocument&src=tr&Highlight=0,email,protection
Search for the words: Disabling email protection
What Symantec is saying at that link is what you (both) are saying, and I
don't argue with that. But what they are not directly saying at that link,
and what you (both) are not saying, but what I have pointed out, is that
email scanning prevents accidental spread of a virus that is still encoded
(say, in base64) via forwarding of an infected email, and so email scanning
does indeed have a very important purpose. Vendors don't offer email
scanning just on a whim, nor do they offer it needlessly. Forwarding is a
very common practice and an infection vector. With few exceptions, no one
wants to spread a virus but the major vector remains some accidental human
action that does exactly that, and the virus writers count on that human
frailty. Increasingly, virus writers seem to have financial cause to turn
machines into spamming zombies by any vector possible. A necessary part of
antivirus policy is to prevent the spread of virus, including a spread
caused by human frailty. Protecting one's own machine is not where
responsibility ends. Email scanning does help prevent accidental spreading
of compromisers.
Yes, until an email virus is decoded, saved as a file and then executed it
can not affect the computer that it is on - and at that point an up to date
antivirus software will indeed intervene. But there are plenty of scenarios
where an infected virus email may be accidentally forwarded (cc, bcc, fwd)
to a system that is not properly protected but which was, up to the point
where the recipient opens the attachment, not infected. The "separate layer
of protection" the above link refers to (email scanning) is one methodology
for mitigating such occurrences of remote zombie creation. The vector needs
protection against, and permanently turning it off [when not absolutely and
positively required for some purpose] is quite obviously dangerous, because
it really does open a potential infection vector.
One could make the argument that email scanning should only need be done on
the server side, and that clients should not need to worry about it. I would
agree with that argument (and our business practices that philosophy, but it
also implements station email scanning too because one just can not be too
safe). Yet there are others who argue that they are better off getting email
and handling potential infections themselves and they don't want an
important email lost or mangled because of 3rd party delivery interference.
Those people don't want their email interfered with in any way whatsoever
(governments come to mind as but one of many examples). They want to stop
(scan for) infected emails at their own doorstep and handle it as they see
fit, not as some other remote server operator sees fit to do.
But side-step all those issues with one undeniable observation: one can not
be too safe. There is no such thing as excessive protection. In fact there
is never enough protection in place: else virus, Trojans, etc. would not
cause the worldwide economical impact that they have and still do. It is one
thing to say to turn off email virus scanning for diagnostic purposes. It's
quite another, and very dangerous, thing to say or to infer that it has no
purpose or that it should not be used. It definitely does have purpose and
it should be used. The article at the above link does NOT infer that email
scanning should be permanently turned off or that it has no purpose; to say
so of Symantec or any other virus vendor is surely to misrepresent their
true positions and informational intent on the matter.
If email scanning causes problems due to poor vendor coding then it is in
the financial interest and the responsibility of the vendor to eliminate the
problem as soon as feasible. But if email scanning is causing a problem
where code is written in compliance with operating system manufacture's
specifications then the manufacture has a responsibility to address the
issue for product that is still being supported. I believe that historical
and current actions by operating system manufactures do exactly that, as the
issues have become discovered by any means. One has only to witness their
current efforts at improving system security to see that they take system
compromising activity very seriously. Of course they do since to do nothing,
or even to just not do enough, would ultimately lead to loss of market share
and under some extreme condition might present some sort of a liability
issue.
Don't turn off or otherwise lower system security, including email scanning,
unless it is absolutely necessary and even then only do so until the cause
of the necessity has been corrected by the vendor or the operating system
manufacture. It is not true that email scanning provides no additional
protection. It does have a purpose.
---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
<snip>
> Don't turn off or otherwise lower system security, including email scanning,
> unless it is absolutely necessary and even then only do so until the cause
> of the necessity has been corrected by the vendor or the operating system
> manufacture. It is not true that email scanning provides no additional
> protection. It does have a purpose.
And how, pray tell us, does one "accidentally" forward an infected message?
The steps necessary to forward a message are many, and must be deliberately
taken. Turning off the virus scanner won't lower your protection in the
least.
OTOH, trusting your virus scanner because its definitions are only hours
old, and it failed to find a threat in that unsolicited attachment you just
received, is stupid. I refuse to trust my virus scanner for negative results
on an attachment scan. It saved my bacon early last week; less then twelve
hours after Norton released the March 9, 2004 definitions, NAV failed to
find a threat in an attachment I received. I might as well not have had an
AV program at all, as one that wouldn't bark.
> ---
>
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
Lovely advertisement; should I trust it? See my comments above, and keep the
old aviator's remarks in mind; "In God we trust, everything else we check".
Why waste the space on an advertisement you aren't paid to offer when you
could come up with a real, or cute signature?
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
In other words, if you like it, live with it but don't attempt to justify
your practices to others who don't need them.
Antivirus screeners in fact, create problems for users. Many have a long
history (McAffee in particular) of damaging users stored messages and in
many cases deleting them without possibility of ever being retrieved.
Screen a few thousand messages on these Outlook Express newsgroups and you
might change your mind. If not, continue doing what ever pleases you. It
is after all, your money so it should be your choice. Good luck.
--
Jim Pickering, MVP-Outlook Express
Please reply only to newsgroup.
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message
news:kv75c.10139> Hi, Kath and Frank. This subject is worthy of its own
topic and so I've spun
> it off from its original source, where it was threading off topic.
>
> I think the broken link that Kath referred to in another topic is at this
> addresses near the bottom at
> http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/65434372961d321d8825687f000003f8?OpenDocument&src=tr&Highlight=0,email,protection
> Search for the words: Disabling email protection
>
<remainder snipped. Those who wish to read can jump back to the earlier
post>
> I refuse to trust my virus scanner for negative results
> on an attachment scan. It saved my bacon early last week; less then twelve
> hours after Norton released the March 9, 2004 definitions, NAV failed to
> find a threat in an attachment I received.
I want to clarify; it was "refusing to trust" the AV which saved my bacon.
Despite the "all clear", my suspicion was confirmed by no less an authority
than Norton, which analyzed by "clean" attachment after I followed their
submission instructions on their site.
For those who think to submit a suspicious file, please be sure that you
scanned the file with the *latest* available definitions for your program.
Manually download them from the site as soon as possible after receiving the
attachment. Only if your attachment scans clean with the latest available
definitions should you attempt to submit the attachment. Don't flood the
poor folks with last week's worms; they've already seen them, and created
the definitions to catch them.
> Sorry, but the arguments are specious at best and poorly thought out.
In what way have I fasified by presenting a deceptively attractive argument?
That is a strong accusation that needs to be supported by factual evidence.
>Email
> scanning is promoted by vendors simply because it makes users "feel good."
> It has no other useful purpose
Not true. In this thread I've clearly stipulated the benefit that email
scanning provides, and I've done so at a technical level. Where at a
technical level is the misinformation being claimed?
>and instead creates problems for users by
> creating timeouts with ISP's while waiting for the proxy to do its
> uneccesary and useless job.
That may be a faulty program. If so it needs to be corrected, or another
vendor product needs to be used. Or maybe the computer is being used beyond
its designed capacity (i.e. it's out of date and just not fast enough to do
what is being demanded of it). But all that has no bearing on the fact that
email scanning can indeed prevent accidental distribution of virus. And
that's the bottom line, no matter the side issues and gripes that are
brought up for discussion. That's the rock bottom facts.
>Since you discuss your practices, it's fine for
> you if you can live with it. Other users get tired of being disconnected
> from the servers while the program does its useless function.
Addressed in response by my last paragraph. Get better software or
get a faster computer. Or turn email scanning off and live with the
potential consequences. None of those things detracts from the real
fact that email scanning has a purpose and should be used.
> In other words, if you like it, live with it but don't attempt to justify
> your practices to others who don't need them.
I will attempt to communicates the real facts of a situation as I see them.
If the facts, excepting opinion, are in error then prove it at a technical
level. Otherwise you comment can mean little but peer support for an
invalid argument being presented by you and your peers in this group. Just
prove my statements incorrect at a technical level. You and others here
put your credentials up and make statements that I defy you and your
peers to show as being genuine Micrsoft policy. Do not tell me or others
what is permissible to attempt to justify. If you want to flash credentials
with statements then back it up. I've given my arguments as fact and
they've not been challenged directly. Only a lot of issue clouding and
personal insinuation has so far been offered against the facts I've
presented. Stop attacking me. Attack the facts that I've put forth, if
that can be done. Else admit being wrong.
> Antivirus screeners in fact, create problems for users. Many have a long
> history (McAffee in particular) of damaging users stored messages and in
> many cases deleting them without possibility of ever being retrieved.
The fact that a product is defective does not invalidate the need for the
functionality within a non defective version. Demand that the product work
correctly or that you be given a refund, or use a different product. Or if
necessary, get better hardware.
> Screen a few thousand messages on these Outlook Express newsgroups and you
> might change your mind. If not, continue doing what ever pleases you. It
> is after all, your money so it should be your choice. Good luck.
> --
> Jim Pickering, MVP-Outlook Express
> Please reply only to newsgroup.
You can not drive 190 miles per hour by pedaling a bycycle. It takes the
right
tool to do a job properly. If your software and/or hardware can not handle
the demands then address that issue. The issue I brought up has nothing to
do
with volume processing. It has only to do with why email scanning should be
done.
> <remainder snipped. Those who wish to read can jump back to the earlier
> post
There's a lot of talent here in this newsgroup. Well trained and
credentialed. Just
remember what those credentials do, and do not, stand for. When people see
them they naturally expect what they see associated with them to be factual.
The
talent is much appreciated by all. There's still a responsibility that goes
with it.
Be prepared to back up statements when a position is stubbornly held against
someone like me who insists you do not have Microsoft policy in your
defense.
Otherwise, just point me and others to that link at the Microsoft side.
References: <kv75c.10139$MV1....@newssvr27.news.prodigy.com>
<MPG.1abeacf46...@msnews.microsoft.com>
----- Original Message -----
In e-mail Message-ID: <009601c40a40$c8981010$2602a8c0@brutus>,
Ple...@NoSpamWanted.yuk says...
> In article <MPG.1abeacf46...@msnews.microsoft.com>,
> n...@blackhole.aosake.net says...
> > And how, pray tell us, does one "accidentally" forward an infected
> > message?
> Receiving an infected message and reading it does not guarantee that an
> attachment will be detected by antivirus software, even though that
> antivirus software would normally detect the infection as soon as the
> attachment was opened.
No kidding. The virus scanner will alert when the attachment is manipulated,
not when the message is opened. With the exception of MSOE versions through
5.5 lacking a couple of critical patches, and an MSIE 6 upgrade which was
not patched in the correct manner, leaving the user with an unpatched
version of MSOE 5.x instead of MSOE 6, opening a message in MSOE should not
activate a virus in most cases. I think the Declude AV site has some
examples of vulnerabilities still haunting MSOE, though.
> The attachment is still encoded within the message,
> it is not yet a decoded and saved file. Typical encoding is done in base64.
> It is not decoded until the attachment is saved. So there is no decoded file
> for the antivirus software to automatically scan, it might as well be a
> password protected zip file for all the good file level antivirus scanning
> will do. Email scanning does the necessary decoding to detect an infection
> before it becomes an executable file saved on a HDD.
Except that NAV 2003 failed to do that on at least one of the Declude tests.
You can test your AVG against them here:
http://www.declude.com/tools/mailsend.html
I doubt if your AVG will fare better. I couldn't get results on five of the
first sixteen because my ISP has mail scanning in place, and cleaned them
up. NAV 2003 only cleaned four of the remaining eleven. I doubt if AVG will
be better.
And how does the NAV 2003, or even the AVG, for that matter, scanning engine
do what you claim without writing to disk? The retail (consumer) versions of
these AV programs use the same engine for mail scanning as they do for on
access and on demand scanning. I've had to wait for NAV 2003 to finish
scanning so I could regain the focus of another window I was working in
during a mail scan; watching the disk churn during the mail scan. That is
the reason that the AV mail scanning causes problems for mail clients.
Acting as a proxy, and taking enough time to cause a client, like MSOE, to
think that the server is unresponsive.
> Human fraility is how an attachment can be accidently forwarded. Someone
> doesn't notice, or just forgets while reading something especially
> interesting in the infected message, and decides on impulse to forward the
> email to a friend. Oops.
I have never seen anything of interest that I would want to forward in a
viral email. Usually just a poorly written attempt at social engineering,
designed to lull some gullible user into running the attached file.
> > The steps necessary to forward a message are many, and must be
> > deliberately taken.
> That comment is non sequitur. The mechanics of how to forward an email has
> nothing to do about the decision to do so and any unintended human oversight
> the action may cause.
The decision to forward an e-mail is not either "accidental", or even
"unintentional". It requires deliberate forethought, and a conscious act of
will to take the steps necessary to forward an email. Anybody so willful as
to forward a message is not going to be protected against himself for
reasons I have already cited.
> > Turning off the virus scanner won't lower your protection in the
> > least.
> I'm tired of hearing that assertion because that comment is also non
> sequitur and out of context. I'm saying that turning off email scanning can
> be the cause of not knowing that an infected message is being forwarded to
> someone else. Absolutely no scanning was done and so no notice was possible
> before the email was sent.
It is not either a 'non sequitur', nor out of context. One should always
handle attachments with care. Anybody who blindly clicks on messages with
attachments without careful handling, relying on his AV scanner to bail him
out, is going to get infected. Sooner, or later. Just a week ago I received
an unsolicited email with an attachment. My scanner did not alert on a
threat when I saved the attachment to disk; even though the definitions were
less than 48 hours old. I went to the AV vendor site and found a newer
definition file; downloaded it and tried again. With a definition file less
than 12 hours old that file still scanned clean. So I should trust my AV and
go ahead and forward that file to somebody?
Not on your life. Even with the latest definitions, I thought something was
fishy, so I learned the procedures to submit suspicious files to my AV
vendor. I didn't need an AV scanner to be careful of the attachment; and my
AV vendor responded in under 10 minutes that the file I submitted was a
Trojan dropper. Relying on your scanner is false security, if you don't
think about what you are doing. If you do think about it, you won't be
forwarding dicey email messages.
> > OTOH, trusting your virus scanner because its definitions are only hours
> > old, and it failed to find a threat in that unsolicited attachment you
> > just received, is stupid.
> It's better than nothing. Intentionally not implementing all possible
> protection is very stupid.
Intentionally forwarding email without checking what it is isn't stupid?
> > I refuse to trust my virus scanner for negative results
> > on an attachment scan. It saved my bacon early last week; less then twelve
> > hours after Norton released the March 9, 2004 definitions, NAV failed to
> > find a threat in an attachment I received. I might as well not have had an
> > AV program at all, as one that wouldn't bark.
> Might as well not have an operating system if it hasn't been updated to
> protect against all existing (and let's not forget potential) compromisers
> then, by that argument.
You called a couple of my statements "non sequiturs", but that non sector
takes the cake. You might as well not have a computer if you don't have an
operating system! Without an operating system all you have is a very
expensive doorstop.
> It takes time, even if only hours, for defenses to
> be put into place for something unexpected. Then it has to be implemented
> instead of ignored.
I did the best I could do with what was available.
> Nothing is perfect or instantanious.
Exactly! But people who come to rely on their AV will, sooner or later, be
infected.
> That's no reason to
> not use either an antivirus system, or an operating system. Mitigate
> potential damages the best that you can.
An on access virus scanner will work as well as a mail scanning system, if
the operator doesn't blindly try to manipulate attachments. Had I a mail
scanning AV when I got that Trojan dropper, I'd not have had any warning
that the file was infected.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
> > Lovely advertisement; should I trust it?
> No. Implement your own security and implement it as tightly as possible.
> It's a never ending job.
I must have forgotten the sarcasm tags. :p
> But at least thereby that advertisement know that
> I'm trying my best to be a responsible netcitizen by doing what I can to
> assure that my emails are not infected when they leave my computers. That's
> the intent, anyway.
It is an advertisement; it means nothing more because anybody can add such a
signature. Indeed, for "social engineering" purposes, such a signature would
have great value in convincing the gullible to do something rash. The
everybody with any sense just sees lack of imagination.
> > See my comments above, and keep the
> > old aviator's remarks in mind; "In God we trust, everything else we
> > check".
> That's exactly what I do. I say check your emails with email scanning unless
> some system malfunction prevents doing so. And require that malfunctions be
> fixed.
None of my email clients have scanning enabled. NAV 2003 has scanning turned
off. I don't like the interruption it causes when I am working. But I am not
one to blindly run attachments from strangers, either. And I don't use a
vulnerable client; for either e-mail (I prefer Pegasus), or news (mostly use
Gravity). I have never been infected with a virus. I will never be infected
with a virus.
> > Why waste the space on an advertisement you aren't paid to offer when you
> > could come up with a real, or cute signature?
> Are you trying to derail this topic with multiple non sequitur and somewhat
> personal comments? I'll answer regardless.
Hardly; I am only commenting on the signature. I don't normally do that for
AVG sigs, or I'd never get anything else written. ;)
I am only trying to emphasize that reliance on the AV may lead to lax
practices otherwise.
> I already explained that, above. It's just my social statement of
> responsibilty being acknowledged. And it doesn't bother my OE at all. So if
> it started to bother it, and I had not just upgraded it, then it follows
> that the malfunction probably would not be its fault. No existing reason not
> to use it, but lots of reason to use it.
Funny thing. I used AVG for a while, until I hit a snag; some kind of
conflict with one of my older programs and AVG. I changed vendors.
> I could also have a sig, if I wanted one. For this forum, I usually do not.
> That's also my choice of a social statement. Isn't it self evident?
Hardly; I see a commercial plug of a product.
> > Norman
> > ~Win dain a lotica, En vai tu ri, Si lo ta
> > ~Fin dein a loluca, En dragu a sei lain
> > ~Vi fa-ru les shutai am, En riga-lint
> If you want me to understand that then please translate it to the language
> that this topic was started in. IMHO, it's the courteous thing to do.
The signature itself is just fluff. It isn't even a real language; being
made up for a show. Sometimes useful for a little levity.
"In the darkness the dragon wakes.
The dragon awakens
to a heart that is numbed with cold
the dragon takes..."
More, or less...
Until the antivirus software vendors demonstrate that their programs no longer corrupt the OE message store, then we MVPs recommend that antivirus software be set not to scan emails, because of this history of email corruption.
Which would you prefer, loss of all your messages while being ensured that you are not infected or retention of all your messages while being ensured you are not infected?
Turn off email scanning.
steve
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message news:APb5c.38644$SD2....@newssvr25.news.prodigy.com...
"Steve Cochran" <scoc...@chattanooga.net> wrote in message news:uQELKFpC...@TK2MSFTNGP12.phx.gbl...
---
Outgoing mail is certified Virus Free.
Version: 6.0.624 / Virus Database: 401 - Release Date: 3/15/2004
<sigh> You are correct, and I've moved the button location. In the heat of
typing, didn't notice the address right in front of my eyes. Did that
several times, all but yours bounced back as undeliverable and I then
reposted.
It might not, and then it might. Missed or not, letting me (or one of my
customers) know when it does catch something is better than not knowing. In
2 cases at this shop we've upgraded a Symatec antivirus right in front of
the customer and ran it, it found nothing. Then (because subscription was
almost due and customer wanted a free utility) uninstalled it (a royal pain)
and installed AVG, updated it, ran it - and it found virus. In another case,
it could have been the other way around. I suspect the virus was just rather
new and not then yet addressed by the utility that didn't detect the virus.
I'll never really know. But that's not the issue of this topic that I'm
harping on. My point is simple: email scanning does have a purpose and it
should be used. A defective product, defective OS, personal preferences, and
so on ... those are not the issue and they do not invalidate what I'm
claiming. Bringing those things up in argument is indeed non sequitur to my
central purpose of this topic.
> And how does the NAV 2003, or even the AVG, for that matter, scanning
engine
> do what you claim without writing to disk? The retail (consumer) versions
of
> these AV programs use the same engine for mail scanning as they do for on
> access and on demand scanning. I've had to wait for NAV 2003 to finish
> scanning so I could regain the focus of another window I was working in
> during a mail scan; watching the disk churn during the mail scan. That is
> the reason that the AV mail scanning causes problems for mail clients.
> Acting as a proxy, and taking enough time to cause a client, like MSOE, to
> think that the server is unresponsive.
The email scan process of course writes to disk. I've no idea of the
internal processes, and that's not germane to the topic. Neither is the time
required a germane response; my answer can only be that the software chosen
is making demands upon hardware that can not execute fast enough -- get a
faster computer, change antivirus vendor, whatever. Don't ask a bycycle to
perform like a car. The time problem is not central to my argument that
email scanning does have a purpose and should be used except when some
malfunction requires otherwise and then only until the malfunction is
corrected.
> > Human fraility is how an attachment can be accidently forwarded. Someone
> > doesn't notice, or just forgets while reading something especially
> > interesting in the infected message, and decides on impulse to forward
the
> > email to a friend. Oops.
>
> I have never seen anything of interest that I would want to forward in a
> viral email. Usually just a poorly written attempt at social engineering,
> designed to lull some gullible user into running the attached file.
Well, there you have it: you have a clue. Most people do not! That's why the
problems occur and keep re-occuring. They just blindly click away, and send
entire webpages as a forward to their friends (who usually don't apprecite
it but have given up asking for it not to be done). Again, this has nothing
to do with this topic.
> > > The steps necessary to forward a message are many, and must be
> > > deliberately taken.
>
> > That comment is non sequitur. The mechanics of how to forward an email
has
> > nothing to do about the decision to do so and any unintended human
oversight
> > the action may cause.
>
> The decision to forward an e-mail is not either "accidental", or even
> "unintentional". It requires deliberate forethought, and a conscious act
of
> will to take the steps necessary to forward an email. Anybody so willful
as
> to forward a message is not going to be protected against himself for
> reasons I have already cited.
Oh, quit misquoting me. I didn't say forwarding of email is an accident, I
said without using email scanning the sending of a virus by forwarding could
be an accident because they didn't notice or chose not to even look at an
attachment (people do things that are not logical) before performing the
forwarding steps. It happens.
> > > Turning off the virus scanner won't lower your protection in the
> > > least.
>
> > I'm tired of hearing that assertion because that comment is also non
> > sequitur and out of context. I'm saying that turning off email scanning
can
> > be the cause of not knowing that an infected message is being forwarded
to
> > someone else. Absolutely no scanning was done and so no notice was
possible
> > before the email was sent.
>
> It is not either a 'non sequitur', nor out of context. One should always
> handle attachments with care.
Yes it is non sequitur. People DO NOT handle attachments with care (you do,
I do, many do, but the general public does not have that clue nad requires
that things be done automatically for them). That's why antivirus products
exist, people can not help clicking on everything that is clickable. They
just can not help it. And they don't want to hear about why they should be
carefull, either. Nonsensical, I know, but a truism anyway.
>Anybody who blindly clicks on messages with
> attachments without careful handling, relying on his AV scanner to bail
him
> out, is going to get infected. Sooner, or later.
No counter argument, your statement is a truism. But add the rest of the
story: they can not help themselves, they're going to get infected and
that's that. The only hope is that the computer can protect itself to some
degree against that human fraility.
>Just a week ago I received
> an unsolicited email with an attachment. My scanner did not alert on a
> threat when I saved the attachment to disk; even though the definitions
were
> less than 48 hours old. I went to the AV vendor site and found a newer
> definition file; downloaded it and tried again. With a definition file
less
> than 12 hours old that file still scanned clean. So I should trust my AV
and
> go ahead and forward that file to somebody?
No. Nothing is perfect. Kill the virus writer, do something to make you feel
better ... I've no answer because this is not a perfect universe. Probably
the same exact circumstances are now protected against by your antivirus
product. The only thing you can do is the best that can be done. Decreasing
security is a move in the wrong direction for all but the geeky. You see,
you are an informed geeky type, and that's to your advantage. Most people
don't even know what RAM stands for. You know how many of my customers think
that their web browser accessed email actually resides on their computer!?
You trust them to be as geeky as you?
> Not on your life. Even with the latest definitions, I thought something
was
> fishy, so I learned the procedures to submit suspicious files to my AV
> vendor. I didn't need an AV scanner to be careful of the attachment; and
my
> AV vendor responded in under 10 minutes that the file I submitted was a
> Trojan dropper. Relying on your scanner is false security, if you don't
> think about what you are doing. If you do think about it, you won't be
> forwarding dicey email messages.
>
> > > OTOH, trusting your virus scanner because its definitions are only
hours
> > > old, and it failed to find a threat in that unsolicited attachment you
> > > just received, is stupid.
>
> > It's better than nothing. Intentionally not implementing all possible
> > protection is very stupid.
>
> Intentionally forwarding email without checking what it is isn't stupid?
Yes, it is stupid. But the general public doesn't ahve a clue unless the
computer pops something up for them to blindly do a gleefull click upon.
That's life, that's the reality of human and computer relationships at this
point in history. YOU are an exception, it's good that you are. But it does
little to talk down the general public, they don't even understand the point
of the issues involved. Just accept it, and try to keep the ignorance from
negatively affecting your income potential.
> > > I refuse to trust my virus scanner for negative results
> > > on an attachment scan. It saved my bacon early last week; less then
twelve
> > > hours after Norton released the March 9, 2004 definitions, NAV failed
to
> > > find a threat in an attachment I received. I might as well not have
had an
> > > AV program at all, as one that wouldn't bark.
>
> > Might as well not have an operating system if it hasn't been updated to
> > protect against all existing (and let's not forget potential)
compromisers
> > then, by that argument.
>
> You called a couple of my statements "non sequiturs", but that non sector
> takes the cake. You might as well not have a computer if you don't have an
> operating system! Without an operating system all you have is a very
> expensive doorstop.
Without as much automated security as possible the typical customer or
client only has an expensive doorstop, too. That's why there's $ in this
area of work.
> > It takes time, even if only hours, for defenses to
> > be put into place for something unexpected. Then it has to be
implemented
> > instead of ignored.
>
> I did the best I could do with what was available.
Sure you did! I'm positive of that. That's all you can do. Beyond that, you
have to be geeky. Don't expect the typical customer to be geeky. Like
parents TRY to protect children, the geeky must TRY to protect their
customers and clients from the negative results of their own activities.
> > Nothing is perfect or instantanious.
>
> Exactly! But people who come to rely on their AV will, sooner or later, be
> infected.
And the point is? Do not use antivirus? Face it, the general public can not
rely on themselves to ward off problems, so the only thing left is automated
security. They must depend on it. And the more there is, the better the
chance you don't loose time doing fixes that make you shake your head about
why you're doing them.
> > That's no reason to
> > not use either an antivirus system, or an operating system. Mitigate
> > potential damages the best that you can.
>
> An on access virus scanner will work as well as a mail scanning system, if
> the operator doesn't blindly try to manipulate attachments. Had I a mail
> scanning AV when I got that Trojan dropper, I'd not have had any warning
An isolate case due to an imperfect universe, your antivirus vendor didn't
come up with a protection in time. Probably that protection is now available
from that vendor, though, so next time the same situation occurs you
probably can not have the same complaint. The ide is to mitigate as best as
possible. That's all that can be done. It should be done. Live the best life
you can, accidents (or call it what you wish) still will happen.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.622 / Virus Database: 400 - Release Date: 13-Mar-04
>
> > > Lovely advertisement; should I trust it?
>
> > No. Implement your own security and implement it as tightly as possible.
> > It's a never ending job.
>
> I must have forgotten the sarcasm tags. :p
>
> > But at least thereby that advertisement know that
> > I'm trying my best to be a responsible netcitizen by doing what I can to
> > assure that my emails are not infected when they leave my computers.
That's
> > the intent, anyway.
>
> It is an advertisement; it means nothing more because anybody can add such
a
> signature. Indeed, for "social engineering" purposes, such a signature
would
> have great value in convincing the gullible to do something rash. The
> everybody with any sense just sees lack of imagination.
I don't have a defined tag, I don't tell the utility to put that tagline in
there. Because it's the free version, it ads. The ones I've purchased for
other machines do not insert that ad. FWIW, I don't mind the ad. I think
it's a darn good product, but that's besides the point and just a personal
preference.
> > > See my comments above, and keep the
> > > old aviator's remarks in mind; "In God we trust, everything else we
> > > check".
>
> > That's exactly what I do. I say check your emails with email scanning
unless
> > some system malfunction prevents doing so. And require that malfunctions
be
> > fixed.
>
> None of my email clients have scanning enabled. NAV 2003 has scanning
turned
> off. I don't like the interruption it causes when I am working.
Sounds like a poorly written product, from what you say. Why do you allow it
instead of demanding that something less intrusive be used? You have no
choice because the clients are acting blindly like lemmings?
>But I am not
> one to blindly run attachments from strangers, either.
You are an exception, as I've pointed out above. In general, the public
simply can not help itself and will run attachemnts (if they notice that
they have one and know how to do something about it).
>And I don't use a
> vulnerable client; for either e-mail (I prefer Pegasus), or news (mostly
use
> Gravity). I have never been infected with a virus. I will never be
infected
> with a virus.
Not with Pegasus, I agree. But just think of your workload if all your
customers used Pegasus! Just about everyone who uses Pegasus is geeky. They
have to be.
> > > Why waste the space on an advertisement you aren't paid to offer when
you
> > > could come up with a real, or cute signature?
>
> > Are you trying to derail this topic with multiple non sequitur and
somewhat
> > personal comments? I'll answer regardless.
>
> Hardly; I am only commenting on the signature. I don't normally do that
for
> AVG sigs, or I'd never get anything else written. ;)
>
> I am only trying to emphasize that reliance on the AV may lead to lax
> practices otherwise.
Yes, I agree but point out that when it comes to the general public they
MUST rely on something. Else you're going to be busy re-fixing a lot more
than you do now. Education doesn't help, most are simply not geeky enough to
really understand what to you is clear cut and evident.
> > I already explained that, above. It's just my social statement of
> > responsibilty being acknowledged. And it doesn't bother my OE at all. So
if
> > it started to bother it, and I had not just upgraded it, then it follows
> > that the malfunction probably would not be its fault. No existing reason
not
> > to use it, but lots of reason to use it.
>
> Funny thing. I used AVG for a while, until I hit a snag; some kind of
> conflict with one of my older programs and AVG. I changed vendors.
An older one? I've yet to see such a thing happen with AVG, but anything is
possible. One bad apple spoils the entire barrel, eh. Will you dump XP
because it won't work with some older things (drivers not available)? Same
argument! Incompatabilities have always been an occasional nightmare. Stuff
happens.
> > I could also have a sig, if I wanted one. For this forum, I usually do
not.
> > That's also my choice of a social statement. Isn't it self evident?
>
> Hardly; I see a commercial plug of a product.
Me too, but I cann't help it unless I want to put up some $. I suppose I'll
do that for this computer, eventually. I do like the product.
> > > Norman
> > > ~Win dain a lotica, En vai tu ri, Si lo ta
> > > ~Fin dein a loluca, En dragu a sei lain
> > > ~Vi fa-ru les shutai am, En riga-lint
>
> > If you want me to understand that then please translate it to the
language
> > that this topic was started in. IMHO, it's the courteous thing to do.
>
> The signature itself is just fluff. It isn't even a real language; being
> made up for a show. Sometimes useful for a little levity.
And you complain about the my fluff, but just because it's an involuntary
ad! Hypocrite!!! :p
> "In the darkness the dragon wakes.
> The dragon awakens
> to a heart that is numbed with cold
> the dragon takes..."
>
> More, or less...
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint
Ok, there be dragons out there. Cute, now that you've educated me. <grin>
Have a nice day, Norman. (no sarcasm intended)
---
"Steve Cochran" <scoc...@chattanooga.net> wrote in message
news:uQELKFpC...@TK2MSFTNGP12.phx.gbl...
As Jim indicates, there is a history of antivirus software (most notably
McAfee and Norton) corrupting the entire message store. I've had people
email me dbx files (some several megabytes) that were completely full of
zeroes because of the actions of antivirus software. Imagine losing 3 years
of messages due to some defective antivirus program.
Until the antivirus software vendors demonstrate that their programs no
longer corrupt the OE message store, then we MVPs recommend that antivirus
software be set not to scan emails, because of this history of email
corruption.
Which would you prefer, loss of all your messages while being ensured that
you are not infected or retention of all your messages while being ensured
you are not infected?
Turn off email scanning.
steve
=====
I would prefer that the truth be told, instead of a generic blame being
broadcast by this or any other forum. If there's a problem with a vendor
product, tell the vendor and tell the user of it. Tell them to turn email
scanning off until the vendor fixes the problem, or tell them to switch
vendors. But don't tell them or infer that the problem is generic to all
vendors and that therefore it should be off in all cases and left off;
because that just isn't so, it's not Microsoft policy, and it lowers system
security. Leave email scanning on unless it is the cause of a current
problem, turn it back on after the problem is fixed.
BTW, thank you, Steve, for the civil response and for not attacking me via
off topic comments. I respect that a lot.
Have a great day.
--
Jim Pickering, MVP-Outlook Express
Please reply only to newsgroup.
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message
news:APb5c.38644$SD2....@newssvr25.news.prodigy.com...
> ----- Original Message -----
> From: "Jim Pickering" <ji...@mvps.invalid>
> Newsgroups: microsoft.public.windows.inetexplorer.ie6_outlookexpress
> Sent: Sunday, 14 March, 2004 6:51 PM
> Subject: Re: Do not turn off email scanning
>
>
>> Sorry, but the arguments are specious at best and poorly thought out.
<snipped>
>As Jim indicates, there is a history of antivirus software (most notably McAfee and Norton) corrupting the entire message store. I've had people email me dbx files (some several megabytes) that were completely full of zeroes because of the actions of antivirus software. Imagine losing 3 years of messages due to some defective antivirus program.
>
>Until the antivirus software vendors demonstrate that their programs no longer corrupt the OE message store, then we MVPs recommend that antivirus software be set not to scan emails, because of this history of email corruption.
>
>Which would you prefer, loss of all your messages while being ensured that you are not infected or retention of all your messages while being ensured you are not infected?
>
>Turn off email scanning.
I would argue the other direction -- At least with NAV, the "email
scanning" feature intercepts at the port level during the POP3 session
and stops the virus from ever getting into your DBX. There is zero
chance of DBX corruption.
What is dangerous is when a virus is stored in your DBX file, and the
virus scanner happens to find it there and attempts to clean it without
understanding the DBX structure.
That being said, I keep it off, I have neither the time nor the patience
and I can do a better job of not executing viruses then a virus scanner.
--
Nobody ever lost money underestimating the human intelligence.
-- P.T.Barnum
Again: unless the facts I've stated can be proven inaccurate then you and
your supportive friends in this group are just plain wrong. Just point me
and others at a Microsoft policy that supports the "advice" about just
turning off email scanning as a general policy and as regards all antivirus
vendor products, and that turning off email scanning does not lower security
POLICY in the general sense, and that email scanning serves no purpose
whatsoever. Stop attacking me, and start acting like MVP's, all of you. I
will not tolerate personal attack, no matter how nicely worded.
You all do an injustice to the internet community with this general stance
about not using email scanning. With a blanket advice to turn off email
scanning you MVP's who support that accuse all antivirus vendors of a bad
product that causes damage. Do they need to bring this matter up with
Microsoft? Individual and temporary cases of OE file damage is undeniable,
but as a general rule the accusation is false and damaging to antivirus
companies and to the general public. Email scanning does have a purpose, not
all antivirus vendors are guilty of providing email scanners that damage
Outlook Express files, and it should be used in all cases where it is not
being demonstrated to be a problem. Stop your baseless and damaging claims
against antivirus vendors.
"Jim Pickering" <ji...@mvps.invalid> wrote in message
news:uLspCOrC...@TK2MSFTNGP11.phx.gbl...
> "N. Miller" <n...@blackhole.aosake.net> wrote in message
> news:MPG.1abf0d7da...@msnews.microsoft.com...
> > Assuming that, because MSOE 6 places the "Reply to Sender" and "Reply to
> > Group" buttons so close together that you hit the first by accident,
> instead
> > of the second, I am going to post your message. From the headers of your
> > email message:
> <sigh> You are correct, and I've moved the button location. In the heat of
> typing, didn't notice the address right in front of my eyes. Did that
> several times, all but yours bounced back as undeliverable and I then
> reposted.
You didn't get a bounce? How does your MTA work? Not that my rejection was
deliberate; a misconfiguration of compliance in my MTA generated these log
entries on your MTA's first attempts:
> T 20040314 195204 40545201 Connection from 67.115.67.162
> T 20040314 195205 40545201 EHLO aaacomputers.biz
> E 20040314 195205 40545201 554 Get a real name; then we will talk.
> T 20040314 195205 40545201 Connection closed with 67.115.67.162, 1 sec. elapsed.
> E 20040314 200734 0 Connection from 67.115.67.162 refused because of short-term restriction.
Do you have any idea how many home users, with Trojanized computers, are
taken over by spammers, issuing "HELO Computer"? My compliance rule was
regex with "*computer*"; your email got through on a third try, after I
removed the asterisks. Of course that ".biz" TLD still looks a bit spammy,
and many administrators unceremoniously pitch any email message with the
.biz TLD anywhere in it.
> > Except that NAV 2003 failed to do that on at least one of the Declude
> > tests. You can test your AVG against them here:
> > http://www.declude.com/tools/mailsend.html
> > I doubt if your AVG will fare better. I couldn't get results on five of
> > the first sixteen because my ISP has mail scanning in place, and cleaned
> > them up. NAV 2003 only cleaned four of the remaining eleven. I doubt if
> > AVG will be better.
> It might not, and then it might. Missed or not, letting me (or one of my
> customers) know when it does catch something is better than not knowing. In
> 2 cases at this shop we've upgraded a Symatec antivirus right in front of
> the customer and ran it, it found nothing. Then (because subscription was
> almost due and customer wanted a free utility) uninstalled it (a royal pain)
> and installed AVG, updated it, ran it - and it found virus. In another case,
> it could have been the other way around. I suspect the virus was just rather
> new and not then yet addressed by the utility that didn't detect the virus.
> I'll never really know.
I hope your customer learned a lesson about the effectiveness of AV programs
in general; and didn't go away from that lesson thinking, "How odd that the
free AVG is better than the paid NAV".
> But that's not the issue of this topic that I'm
> harping on. My point is simple: email scanning does have a purpose and it
> should be used. A defective product, defective OS, personal preferences, and
> so on ... those are not the issue and they do not invalidate what I'm
> claiming. Bringing those things up in argument is indeed non sequitur to my
> central purpose of this topic.
I won't say that I am categorically opposed to email scanning; if it works
without breaking things, go ahead and use it. But when the cure is worse
than the disease...I pitched McAfee for that, and AVG. AVG just didn't work
at all; but McAfee! The AV did more damage than any virus I personally
witness. Never caught one myself; but cleaning up after McAfee was ten times
worse than cleaning up my girl friend's computer after Bugbear.
Your point, that email scanning serves some kind of purpose; well, it does
on a mail server. Although, I can't afford a proper server-side
implementation (Declude "Lite", the cheapest product for mail servers, is
$495? Yikes!). Although I left AVG on my patron's computer, and even left it
in mail scan mode, it is more for show, now. Sig is turned off, BTW, though
she doesn't make Usenet posts. Anyway, it has never scanned an infected
email in over a year. Not that she hasn't had any destined to her account,
but the Mercury Mail server AV Policy nails it. Most people, however, don't
run their own mail server.
But your central point hinges on a single point of failure, one which I am
trying to devise a test to check out; that mail scanning helps prevent
unintentional spread of viruses by scanning outbound email. It's a bit
tricky to set up because I need the on access scanner turned off for part of
the process, but on for another part. Knowing when to do which...if the on
access scanner won't even let the attachment leave with the message, that is
what I want to know.
> > And how does the NAV 2003, or even the AVG, for that matter, scanning
> > engine do what you claim without writing to disk? The retail (consumer)
> > versions of these AV programs use the same engine for mail scanning as
> > they do for on access and on demand scanning. I've had to wait for
> > NAV 2003 to finish scanning so I could regain the focus of another window
> > I was working in during a mail scan; watching the disk churn during the
> > mail scan. That is the reason that the AV mail scanning causes problems
> > for mail clients. Acting as a proxy, and taking enough time to cause a
> > client, like MSOE, to think that the server is unresponsive.
> The email scan process of course writes to disk. I've no idea of the
> internal processes, and that's not germane to the topic. Neither is the time
> required a germane response; my answer can only be that the software chosen
> is making demands upon hardware that can not execute fast enough -- get a
> faster computer, change antivirus vendor, whatever. Don't ask a bycycle to
> perform like a car. The time problem is not central to my argument that
> email scanning does have a purpose and should be used except when some
> malfunction requires otherwise and then only until the malfunction is
> corrected.
I can't afford a car. Some people can't afford a faster computer. If the
software breaks things, do you propose to tell people, "Get a faster
computer, or get off of the Internet"?
> > I have never seen anything of interest that I would want to forward in a
> > viral email. Usually just a poorly written attempt at social engineering,
> > designed to lull some gullible user into running the attached file.
> Well, there you have it: you have a clue. Most people do not! That's why the
> problems occur and keep re-occuring. They just blindly click away, and send
> entire webpages as a forward to their friends (who usually don't apprecite
> it but have given up asking for it not to be done). Again, this has nothing
> to do with this topic.
Most people who don't have a clue, don't run a current AV program. By the
time they manage to get enough clue to keep an AV program current, they have
gotten enough clue not to mess with unsolicited email attachments. God,
alone, can help the others, because He well knows that the best AV program
in the Universe won't be able to.
> > The decision to forward an e-mail is not either "accidental", or even
> > "unintentional". It requires deliberate forethought, and a conscious act
> > of will to take the steps necessary to forward an email. Anybody so
> > willful as to forward a message is not going to be protected against
> > himself for reasons I have already cited.
> Oh, quit misquoting me. I didn't say forwarding of email is an accident, I
> said without using email scanning the sending of a virus by forwarding could
> be an accident because they didn't notice or chose not to even look at an
> attachment (people do things that are not logical) before performing the
> forwarding steps. It happens.
Do you expect somebody so careless as to forward messages without checking
them is going to be so careful as to keep his AV program current. Don't
count on it. Anybody that clueless is going to believe the phoney patch when
the message tells him to ignore the AV program warnings as he installs the
patch. He is probably the only one for whom email scanning would do any
good; assuming he even knew enough to keep his subscription, much less his
definitions up to date.
> > It is not either a 'non sequitur', nor out of context. One should always
> > handle attachments with care.
> Yes it is non sequitur. People DO NOT handle attachments with care (you do,
> I do, many do, but the general public does not have that clue nad requires
> that things be done automatically for them). That's why antivirus products
> exist, people can not help clicking on everything that is clickable. They
> just can not help it. And they don't want to hear about why they should be
> carefull, either. Nonsensical, I know, but a truism anyway.
There are people so stupid that they would forget to breathe if their bodies
didn't automatically do it for them. Nothing that we have discussed, not
even email scanning, will help them.
> >Anybody who blindly clicks on messages with
> > attachments without careful handling, relying on his AV scanner to bail
> > him out, is going to get infected. Sooner, or later.
> No counter argument, your statement is a truism. But add the rest of the
> story: they can not help themselves, they're going to get infected and
> that's that. The only hope is that the computer can protect itself to some
> degree against that human fraility.
It is more than a mere "truism'; it is a stone cold fact. And that is a
pretty thin hope that you have. The best hope is that his ISP actually
proactively limits his outbound access to the Internet; which isn't going to
happen any time soon.
> > Just a week ago I received an unsolicited email with an attachment.
> > My scanner did not alert on a threat when I saved the attachment to disk;
> > even though the definitions were less than 48 hours old. I went to the AV
> > vendor site and found a newer definition file; downloaded it and tried
> > again. With a definition file less than 12 hours old that file still
> > scanned clean. So I should trust my AV and go ahead and forward that file
> > to somebody?
> No. Nothing is perfect. Kill the virus writer, do something to make you feel
> better ... I've no answer because this is not a perfect universe. Probably
> the same exact circumstances are now protected against by your antivirus
> product. The only thing you can do is the best that can be done. Decreasing
> security is a move in the wrong direction for all but the geeky. You see,
> you are an informed geeky type, and that's to your advantage. Most people
> don't even know what RAM stands for. You know how many of my customers think
> that their web browser accessed email actually resides on their computer!?
> You trust them to be as geeky as you?
You don't have to be Mario Andretti to drive a car, and you don't have to be
a geek to handle email safely. My girlfriend is anything but a geek, and
sometimes can't get her mind around the difference between using a browser
to access her email, as opposed to a client. But she knows how to handle, or
rather, not handle, unsolicited attachments.
Gasoline is a very volatile substance, which requires considerable care in
handling. Some never learn, and get burned for their troubles; but most
manage to handle it safely. The problem, really, is that ISPs and Microsoft
have led people to think that the Inernet is like walking down a Tokyo
street, when, in reality, it bears a closer resemblance to Beirut, Lebanon
than Tokyo, Japan (which is almost safer than "Main Stree U.S.A." in
Disneyland).
> > Intentionally forwarding email without checking what it is isn't stupid?
> Yes, it is stupid. But the general public doesn't ahve a clue unless the
> computer pops something up for them to blindly do a gleefull click upon.
> That's life, that's the reality of human and computer relationships at this
> point in history. YOU are an exception, it's good that you are. But it does
> little to talk down the general public, they don't even understand the point
> of the issues involved. Just accept it, and try to keep the ignorance from
> negatively affecting your income potential.
Who is talking "down"? Anyway, most who post here are here to learn. If they
are willing to learn, why not teach them? People trust the Internet because
their ISPs, and Microsoft, seriously understate the threat of what is,
essentially, an insecure, untrustable network. If people only knew the half
of the security problems related to connecting a computer to the Internet;
maybe some would be too frightened to do it. That would be a loss of revenue
for the ISPs, and, ultimately, for MSFT. After all, if nobody connected to
the Internet, all those nifty little .net Passport thingies that MSFT wants
people to hook up with would never turn a profit.
> > > Nothing is perfect or instantanious.
> > Exactly! But people who come to rely on their AV will, sooner or later, be
> > infected.
> And the point is? Do not use antivirus? Face it, the general public can not
> rely on themselves to ward off problems, so the only thing left is automated
> security. They must depend on it. And the more there is, the better the
> chance you don't loose time doing fixes that make you shake your head about
> why you're doing them.
Now look who is changing the subject. We were discussing the merits of AV
program email scanning. It can break things to do that. If you keep on
access scanning on, email scanning is gravy on the potatoes, icing on the
cake. Nice when it works, but you don't lose anything by falling back on the
on access scanner.
> > An on access virus scanner will work as well as a mail scanning system, if
> > the operator doesn't blindly try to manipulate attachments. Had I a mail
> > scanning AV when I got that Trojan dropper, I'd not have had any warning
> An isolate case due to an imperfect universe, your antivirus vendor didn't
> come up with a protection in time. Probably that protection is now available
> from that vendor, though, so next time the same situation occurs you
> probably can not have the same complaint. The ide is to mitigate as best as
> possible. That's all that can be done. It should be done. Live the best life
> you can, accidents (or call it what you wish) still will happen.
An "isolate case"? Not any more. One AV vendor published three definition
file updates in a single day. Norton used to drive the Live Update once a
week; Wednesday, or Thursday, I believe. Ever since Swen, the weekly cycle
is insufficient. Swen came out just after the latest NAV definition updates.
Could be that the virus writer timed it in the hopes that the average, non-
geeky user would wait until the next Live Update cycle, and be unprotected
in that time. The Trojan dropper which was sent to me came less than 12
hours after the latest NAV definitions had been made available. Norton
started driving Live Update more frequently than once a week, which is why I
had current definitions on a Monday. But the virus writers are cranking
threats almost hourly, now.
> > It is an advertisement; it means nothing more because anybody can add such
> > a signature. Indeed, for "social engineering" purposes, such a signature
> > would have great value in convincing the gullible to do something rash.
> > The everybody with any sense just sees lack of imagination.
> I don't have a defined tag, I don't tell the utility to put that tagline in
> there. Because it's the free version, it ads. The ones I've purchased for
> other machines do not insert that ad. FWIW, I don't mind the ad. I think
> it's a darn good product, but that's besides the point and just a personal
> preference.
It is O.K. not to have a tag. But the advertising is a selectable option,
and because Grissoft was not paying me to promote their product, I turned of
the advertising when I was running the software. Give me a choice between
AVG free and McAfee, I will pick AVG any second of any day of the year. But
it clashes with something on my computer; not the OS, because it runs fine
on another computer. For that reason, I had to look around for something
else. I will probably drop Norton when the subscription runs out. Maybe I
will check out F-Prot for Windows, or Kaspersky. We'll see.
> > None of my email clients have scanning enabled. NAV 2003 has scanning
> > turned off. I don't like the interruption it causes when I am working.
> Sounds like a poorly written product, from what you say. Why do you allow it
> instead of demanding that something less intrusive be used? You have no
> choice because the clients are acting blindly like lemmings?
Oh. Sorry; I meant "clients" as in MUAs. I mostly use Pegasus, but I also
use the Netscape email client for access to my Netscape webmail account, and
MSOE6 for access to Hotmail. I also have the IMAP server up in Mercury Mail,
so I can easily move messages around. NAV mail scanning, even if it were
active, wouldn't help with the Hotmail, Netscape webmail, and IMAP account
access. NAV email scanning is a POP3/SMTP process; none of which applies to
those operations.
There are no people "clients"; I am a one man show.
> > And I don't use a vulnerable client; for either e-mail (I prefer
> > Pegasus), or news (mostly use Gravity). I have never been infected
> > with a virus. I will never be infected with a virus.
> Not with Pegasus, I agree. But just think of your workload if all your
> customers used Pegasus! Just about everyone who uses Pegasus is geeky. They
> have to be.
Customers? What are those? Well, I "had" customers when I worked retail, but
they really weren't "mine"; they were in the store that employed me.
> > I am only trying to emphasize that reliance on the AV may lead to lax
> > practices otherwise.
> Yes, I agree but point out that when it comes to the general public they
> MUST rely on something. Else you're going to be busy re-fixing a lot more
> than you do now. Education doesn't help, most are simply not geeky enough to
> really understand what to you is clear cut and evident.
You know, I spent twenty some years in the Army National Guard, with some
active duty time before that. A lot of the soldiers weren't exactly the
soldierly equivalent of geeks; think "cross section of society". But we
learned that a soldier fights the way he is trained, so we had to train to
fight. Don't downplay education. It is more about mindset.
We had a division G-3 who pushed a modified battle map on us. We had a
capstone mission, and we put the actual post map on a map of the country to
which we would be deployed if things came to war. Renumbered the grid on the
national map as an extension of the grid on the post map. It helped to put
us in the proper frame of mind about our jobs. If we did more of that with
regard to the Internet, we'd be a lot better off.
But the ISPs and Microsoft don't want to take that direction; if the
customers become intimidated, they will use their computers less, go on line
less; and then the companies lose money. So they soft pedal the hazards,
rather than promote awareness. And promote technical solutions for problems
that technology can't really fix.
> > Funny thing. I used AVG for a while, until I hit a snag; some kind of
> > conflict with one of my older programs and AVG. I changed vendors.
> An older one? I've yet to see such a thing happen with AVG, but anything is
> possible. One bad apple spoils the entire barrel, eh. Will you dump XP
> because it won't work with some older things (drivers not available)? Same
> argument! Incompatabilities have always been an occasional nightmare. Stuff
> happens.
Yep. But it isn't a matter of one bad apple. AVG isn't the only program out
there, and I sometimes wonder if on access scanning is really doing me much
good. A daily scan from F-Prot for DOS on the floppy set would be just as
effective, I suspect.
No, I won't dump Windows XP; I wouldn't have it if Microsoft gave it to me,
as long as I have to deal with Product Aggravation.
> > Hardly; I see a commercial plug of a product.
> Me too, but I cann't help it unless I want to put up some $. I suppose I'll
> do that for this computer, eventually. I do like the product.
Actually you could, if you really wanted to. When I was running it, when I
first installed it, I spent a little time exploring the menus; as I do with
any new program. I found out that it was a selectable option, and I
deselected it.
> > The signature itself is just fluff. It isn't even a real language; being
> > made up for a show. Sometimes useful for a little levity.
> And you complain about the my fluff, but just because it's an involuntary
> ad! Hypocrite!!! :p
It wasn't the "fluff" I was complaining about, but the commercial plug. And
it really wasn't a serious complaint; sort of a sideways comment, and semi-
topical when considering how it affects people's mindset about the Internet.
We should approach the Internet as if we had an air watch warning of
"Condition Yellow, Weapons Tight", at the least. Meaning, if you see
aircraft, treat them as hostile unless you can positively identify them as
friendly.
And it isn't exactly involuntary; it can be turned off.
> Ok, there be dragons out there. Cute, now that you've educated me. <grin>
> Have a nice day, Norman. (no sarcasm intended)
How interesting. Having reached a point where I described the hostile nature
of the Internet, only to find my signature accidentally fits my mindset;
yes! There be Dragons out there, on the Internet!
> if using Norton and/or McAfee turn off scanning.
> BUT have yet to hear of a case where AVG corrupted the DBX files.
> AVG email scanning has caught numerous virus for me that were not in attachments.
> and have NEVER in years of use corrupted the data base.
Nobody who has had any troubles has been using AVG. The MVPs are addressing
people who have had problems, and those are Norton and McAfee users.
"N. Miller" <n...@blackhole.aosake.net> wrote in message news:MPG.1abfb697c...@msnews.microsoft.com...
Heh. You're running Merc? You know who I am, Norman.<g> That's one reason
why I want DH to put in RDNS, if he did that then you'd have seen right off
that it's a valid domain. But you probably saw that flame war, it went on
for a while. Transaction filtering is ok but it is not enough by itself. I
was supposed to upgrade 2 weeks ago, but been too busy at work to take the
time. Well, you blew my cover. I also use Peg (as well as Merc), and only
use OE for NG purposes (well, one other but I've got my hands full handling
negatives already). Now I'm really gonna get toasted here!
> Do you have any idea how many home users, with Trojanized computers, are
> taken over by spammers, issuing "HELO Computer"? My compliance rule was
> regex with "*computer*"; your email got through on a third try, after I
> removed the asterisks. Of course that ".biz" TLD still looks a bit spammy,
> and many administrators unceremoniously pitch any email message with the
> .biz TLD anywhere in it.
Do I!? You know I do, now that you know the other side of the story. You
know all the heat I took for blacklisting nearly all of Asia and Europe for
a while? I truly hate spammers, especially since they started using virus as
vector to make zombies. Sure, I end up making $ because of it, but I still
hate the jerks. I had a genuine happy fit reading the headlines about the
recent lawsuits. Just tics me off that CAN-SPAM took away my right to bring
individual suits. I was really getting into the Dick Tracy mode about the
time Uncle Sam interfered.
> I hope your customer learned a lesson about the effectiveness of AV
programs
> in general; and didn't go away from that lesson thinking, "How odd that
the
> free AVG is better than the paid NAV".
I tend to have a preference for AVG, I won't deny that. Some of them
actually buy it. And I've not had one, not even one, problem with it
scanning email. So it makes economic sense for me to recommend it, since I
have to pay a tech if the unit comes back under warranty. I also use ZAP,
with email protection, on the same computer --- it doesn't miss a beat.
Those 2 products I really like, just because they've been put on so many
customers computers and they work just fine. They simply have never cost me
money because of a warranty issue. Never. But ZA has been purchased, I
think. Things may change in the future...
> > But that's not the issue of this topic that I'm
> > harping on. My point is simple: email scanning does have a purpose and
it
> > should be used. A defective product, defective OS, personal preferences,
and
> > so on ... those are not the issue and they do not invalidate what I'm
> > claiming. Bringing those things up in argument is indeed non sequitur to
my
> > central purpose of this topic.
>
> I won't say that I am categorically opposed to email scanning; if it works
> without breaking things, go ahead and use it.
That's ALL that I'm saying! Nothing more, nothing less, really. I don't say
use it if there's a problem, but I do say use it once the problem has been
fixed. And not to smear all antivirus vendors as putting out something that
does nothing or worse... email scanning does have a purpose but it is just
another line of defense.
>But when the cure is worse
> than the disease...I pitched McAfee for that, and AVG. AVG just didn't
work
> at all; but McAfee! The AV did more damage than any virus I personally
> witness. Never caught one myself; but cleaning up after McAfee was ten
times
> worse than cleaning up my girl friend's computer after Bugbear.
Well, that sucks. And I couldn't agree more with what you did. If it's
broken, no one in their right mind could insist on using it! But that's no
reason to paint all other vendors with similar services with a wide brush in
the same fashion.
> Your point, that email scanning serves some kind of purpose; well, it does
> on a mail server. Although, I can't afford a proper server-side
> implementation (Declude "Lite", the cheapest product for mail servers, is
> $495? Yikes!).
What's wrong with using F-Protect? I also have AVG there, but it doesn't
detect most things on the email server that are still encoded (only once has
it, and that was about a month ago -- surprised me quite a bit). F-Protect
nails most of them, and custom filtering catches most of the rest.
>Although I left AVG on my patron's computer, and even left it
> in mail scan mode, it is more for show, now. Sig is turned off, BTW,
though
> she doesn't make Usenet posts. Anyway, it has never scanned an infected
> email in over a year. Not that she hasn't had any destined to her account,
> but the Mercury Mail server AV Policy nails it. Most people, however,
don't
> run their own mail server.
What AV are you using, then, if not F-Protect? And hey, I really like
PopFile on Mercury. I'm gonna upgrade to the daemon, soon as it settles
down.
> But your central point hinges on a single point of failure, one which I am
> trying to devise a test to check out; that mail scanning helps prevent
> unintentional spread of viruses by scanning outbound email.
No, not outbound. Inbound. Although it can scan outbound too. Inbound is
where the user needs to know that sump'tins up, before they forward
something with an attachment that hasn't been scanned yet. Outbound scan is
ok, maybe if forwarding a still encoded email, otherwise the file will have
been scanned on HDD. Just yet another line of defense, it cann't hurt. But
my point is that it's better to know before one tries to do a forward that a
virus is in the message.
>It's a bit
> tricky to set up because I need the on access scanner turned off for part
of
> the process, but on for another part. Knowing when to do which...if the on
> access scanner won't even let the attachment leave with the message, that
is
> what I want to know.
The on access scanner should not be able to detect an email containing an
encoded (all text characters) virus, right? That's what email scanning
does -- decodes it and THEN checks it with the on access scanner. With big
attached files, the decoding can take a while. So sorry, better hardware
speed is called for in those cases. So the user has to deal with that and
anty up the $, else be a potential part of the virus distribution problem.
But speed isn't the issue of this topic, as I'm fond of repeating. Hardware
and software problems just are not the issue. Whether or not email scanning
has a purpose and should be used, that is the issue.
The internet has changed since the days of slow computers. It's much more
intensive on graphics, much bigger webpages to dl. Look, I walk my customers
across the street and have them buy a 80gig 2.6mHz eMachine or HP for $500
and some change, and they toss the old one they brought in for the "upgrade"
they wanted so that they'd have something similar to what they see at their
work place. $500 isn't all that much. Then they pay me to set it all up, and
put anti compromise stuff into place onto the new computer. And I have to
guarantee it that the software keeps working, so I don't want it getting
infected during the warranty period. If they don't do what the half hour of
security tutoring I give them is all abount, then my warranty is void.
I cann't wait until XP SP2 comes out and really screws up my life, around
next ugust I think it is. It's gonna cost me $ and annoyed customers, but in
the long run I think it will be worth it. Have you seen what MS says is
gonna break with that update? sheeze.
> > > I have never seen anything of interest that I would want to forward in
a
> > > viral email. Usually just a poorly written attempt at social
engineering,
> > > designed to lull some gullible user into running the attached file.
>
> > Well, there you have it: you have a clue. Most people do not! That's why
the
> > problems occur and keep re-occuring. They just blindly click away, and
send
> > entire webpages as a forward to their friends (who usually don't
apprecite
> > it but have given up asking for it not to be done). Again, this has
nothing
> > to do with this topic.
>
> Most people who don't have a clue, don't run a current AV program. By the
> time they manage to get enough clue to keep an AV program current, they
have
> gotten enough clue not to mess with unsolicited email attachments. God,
> alone, can help the others, because He well knows that the best AV program
> in the Universe won't be able to.
I still get a couple or so with Win95 come in every month looking for an
upgrade! Yea, right. Once they buy another computer they will need another
decade to get familiar with XP or Longhorn, so meanwhile AV is what I have
to bank on to keep the warranty from coming back on me (best as possible).
> > > The decision to forward an e-mail is not either "accidental", or even
> > > "unintentional". It requires deliberate forethought, and a conscious
act
> > > of will to take the steps necessary to forward an email. Anybody so
> > > willful as to forward a message is not going to be protected against
> > > himself for reasons I have already cited.
>
> > Oh, quit misquoting me. I didn't say forwarding of email is an accident,
I
> > said without using email scanning the sending of a virus by forwarding
could
> > be an accident because they didn't notice or chose not to even look at
an
> > attachment (people do things that are not logical) before performing the
> > forwarding steps. It happens.
>
> Do you expect somebody so careless as to forward messages without checking
> them is going to be so careful as to keep his AV program current. Don't
> count on it.
No, I don't. So I turn on automatic updating, and threaten them with voided
warranty if it comes back with virus and logs show no updating was done.
That helps, although I got a call today "I'm infected and I didn't do the
updates as promised!" The customer agrees to pay, again. Well, it wan't my
fault. If doing the best possible and they still get zapped, I'm there with
warranty in hand. Hating it, but I'm there with a smile anyway. But not if
they lower security. No excuses accepted.
>Anybody that clueless is going to believe the phoney patch when
> the message tells him to ignore the AV program warnings as he installs the
> patch. He is probably the only one for whom email scanning would do any
> good; assuming he even knew enough to keep his subscription, much less his
> definitions up to date.
Yes. A high percentage of my customers. I cann't bad mouth them, though,
they're just not even the slightest bit geeky. What they want is a box at
least as smart as a dog. No joy in that regard, so they fumble along for
now. They don't mean to make a mess of things! But joy, oh joy, if there's
something to click...
> > > It is not either a 'non sequitur', nor out of context. One should
always
> > > handle attachments with care.
>
> > Yes it is non sequitur. People DO NOT handle attachments with care (you
do,
> > I do, many do, but the general public does not have that clue nad
requires
> > that things be done automatically for them). That's why antivirus
products
> > exist, people can not help clicking on everything that is clickable.
They
> > just can not help it. And they don't want to hear about why they should
be
> > carefull, either. Nonsensical, I know, but a truism anyway.
>
> There are people so stupid that they would forget to breathe if their
bodies
> didn't automatically do it for them. Nothing that we have discussed, not
> even email scanning, will help them.
It's better than nothing, especially when it comes to my time if I have to
warrant something. Ok, email scanning is a minimal defense line. I don't
argue it. But it does, every once in a while, serve the intended purpose.
When it does, I'm probably going to use that saved labor time to make money
instead of loosing it.
> > >Anybody who blindly clicks on messages with
> > > attachments without careful handling, relying on his AV scanner to
bail
> > > him out, is going to get infected. Sooner, or later.
>
> > No counter argument, your statement is a truism. But add the rest of the
> > story: they can not help themselves, they're going to get infected and
> > that's that. The only hope is that the computer can protect itself to
some
> > degree against that human fraility.
>
> It is more than a mere "truism'; it is a stone cold fact. And that is a
> pretty thin hope that you have. The best hope is that his ISP actually
> proactively limits his outbound access to the Internet; which isn't going
to
> happen any time soon.
Ohmygawd. Just even think about an ISP interfering in any way and 50% of
internet users will jump on you, the other 50% will cheer. Although in
another forum I said it was coming (oh, the flames!) and to just watch and
see (and now, well, it's here!) It's not a popular thing being right.
Shoot, just recently password protected zip files were being blocked.
Microsoft port something or other got blocked by the bells a while back.
Shall I go on? Yes, ISP interference is here.
So ok, you do trust them - a little. And girlfriends, well, I'm not even
going to go there... there will be no blonde jokes from me today.
> > > Intentionally forwarding email without checking what it is isn't
stupid?
>
> > Yes, it is stupid. But the general public doesn't ahve a clue unless the
> > computer pops something up for them to blindly do a gleefull click upon.
> > That's life, that's the reality of human and computer relationships at
this
> > point in history. YOU are an exception, it's good that you are. But it
does
> > little to talk down the general public, they don't even understand the
point
> > of the issues involved. Just accept it, and try to keep the ignorance
from
> > negatively affecting your income potential.
>
> Who is talking "down"?
No one. I'm just saying berating computer savy solves nothing, no matter how
stupid the geeks thing some occurence is. That's all. Things are as they are
and no amount of teaching, warning, whatever, is going to change how humans
interact with computers. The computers loose, every time. And that angers
the humans!
>Anyway, most who post here are here to learn. If they
> are willing to learn, why not teach them?
Anyone who wants to learn is a geek in training. Most of my customers do not
want to learn anything, and they are mildly suspicious of geeks. They want
the computer to learn, and it annoys them when they don't get their way.
Luckily, that's not something my warranty covers. Well, sometimes it is.
>People trust the Internet because
> their ISPs, and Microsoft, seriously understate the threat of what is,
> essentially, an insecure, untrustable network. If people only knew the
half
> of the security problems related to connecting a computer to the Internet;
> maybe some would be too frightened to do it. That would be a loss of
revenue
> for the ISPs, and, ultimately, for MSFT. After all, if nobody connected to
> the Internet, all those nifty little .net Passport thingies that MSFT
wants
> people to hook up with would never turn a profit.
Hmmmph. That would mean my ISP rates would go up. Keep that opinion to
yourself and don't scare anyone else, ok?
> > > > Nothing is perfect or instantanious.
>
> > > Exactly! But people who come to rely on their AV will, sooner or
later, be
> > > infected.
>
> > And the point is? Do not use antivirus? Face it, the general public can
not
> > rely on themselves to ward off problems, so the only thing left is
automated
> > security. They must depend on it. And the more there is, the better the
> > chance you don't loose time doing fixes that make you shake your head
about
> > why you're doing them.
>
> Now look who is changing the subject. We were discussing the merits of AV
> program email scanning. It can break things to do that.
No, not unless the product is broken. But I give up on not changing the
subject. If MVP's can do it, I can too. More seriously, anyone following
this thread knows what the issues are by now.
>If you keep on
> access scanning on, email scanning is gravy on the potatoes, icing on the
> cake. Nice when it works, but you don't lose anything by falling back on
the
> on access scanner.
Again, the email scanning just puts notice in the face, right at click me
level, if a virus is detected in an incoming email. It's a heads up, and a
front line defense. Knowing soemthing is spooking the AV, there is much less
chance of it getting forwarded to someone else who just might unleash a
virus or trojan. Remember, no email scanning then no on access detection
unless the attachment is opened before it gets forwarded on. Now, what if
the attachment was expected and trusted and unknown to the receiver it was
infected? No need to open the attachment at this very moment, thinks the
user, and so it gets forwarded. Oops.
Yes, but if you don't catch it before the protections are made available
then you won't ever, is what I meant. You're complaining it takes to long
for the updates. There will alwasys be some delay for the analysis, design
of a fix, and its distribution. Just wait until someone comes ups with the
equivalent of "Life" and we have virus morphing themselves. No virus writers
required. Don't think it isn't going to happen.
Oh, I lied. I've turned it off (I think).
> > > None of my email clients have scanning enabled. NAV 2003 has scanning
> > > turned off. I don't like the interruption it causes when I am working.
>
> > Sounds like a poorly written product, from what you say. Why do you
allow it
> > instead of demanding that something less intrusive be used? You have no
> > choice because the clients are acting blindly like lemmings?
>
> Oh. Sorry; I meant "clients" as in MUAs. I mostly use Pegasus, but I also
> use the Netscape email client for access to my Netscape webmail account,
and
> MSOE6 for access to Hotmail. I also have the IMAP server up in Mercury
Mail,
> so I can easily move messages around. NAV mail scanning, even if it were
> active, wouldn't help with the Hotmail, Netscape webmail, and IMAP account
> access. NAV email scanning is a POP3/SMTP process; none of which applies
to
> those operations.
>
> There are no people "clients"; I am a one man show.
Gotcha. But still sound like badly designed product. But I'd have to assume
it's attachments that are slowing things down. There's no answer to that but
to get faster hardware, if all AV products are not meeting your needs. The
bottleneck is with the hardware, not the network.
> > > And I don't use a vulnerable client; for either e-mail (I prefer
> > > Pegasus), or news (mostly use Gravity). I have never been infected
> > > with a virus. I will never be infected with a virus.
Well, my first IIS got itself infected, terribly. Got my IP blacklisted for
a while, too. THAT was when I went on a security binge. Nothing is perfect,
but my business network and the applications that use it is one tight bugger
after literally a year of defense building. I really didn't like rebuilding
IIS. It convinced me that there is no such thing as too much security, and
that attitude carried over to my line of work. I just reported some college
punk who tried to break in (and failed), sent the logs to the school admin
for what good that will do and told them not to bother responding because
thier IP range was permanently blocked on my end (and it is). It was a tech
school, too. The jerk got past both firewalls and URL Scan but was stopped
dead by NTFS permissions. Hopefully, the jerk will get a reward anyway -
from school administration. Such talent, put to the wrong use. I hope the
attempt to mess with my life backfires real good.
Ok. I can see that. And I do have a love/hate thing about virus writers. I
love it when their nastiness drives computers to me for repair, but deeper
than that I truly hate the mindset. And I especially hate it if another
virus gets cought during my warranty period! Yes, education IS good. If it's
wanted. I provide 1/2 hour security maintenance training for each of my
customers. Having just been hurt in the pocketbook, they're receptive to it.
I get very little warranty, because they are informed. But occassionally I
get one that just cann't understand anything beyond the power switch and the
mouse. Those are the ones that need every bit of automated protection I can
give them, and the half hour tutoring tends to just result in glazed eyes.
Technology is the ONLY hope for them, and for my warranty program, in those
cases. I say occassionally, but it's not really all that rare.
Yep.
> > Ok, there be dragons out there. Cute, now that you've educated me.
<grin>
> > Have a nice day, Norman. (no sarcasm intended)
>
> How interesting. Having reached a point where I described the hostile
nature
> of the Internet, only to find my signature accidentally fits my mindset;
> yes! There be Dragons out there, on the Internet!
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint
<ad ommitted>
Once that happens, I imagine his tune will change.
steve
"Jim Pickering" <ji...@mvps.invalid> wrote in message news:uLspCOrC...@TK2MSFTNGP11.phx.gbl...
>that is a bit irresponsible .
Wrong. We are being conservative in saying do this generally to protect the OE message store. We can't go around and check every AV product out there, and each version of it. Besides, as we've argued over and over again, scanning email provides no benefit to the user, if they have their system being scanned all the time anyway.
I'm not convinced that AVG's email scanning is perfect and doesn't interfere with OE. I've seen some messages where AVG was clearly used and the user was having problems.
steve
Yeah, and the problem there is that the AV product will wipe out the entire dbx file and destroy irrevocably the messages in that file. At that point the question is which is worse, the virus or the cure.
> That being said, I keep it off, I have neither the time nor the patience
> and I can do a better job of not executing viruses then a virus scanner.
>
Well, I'd agree 100% on this. Unfortunately the general public's level of computer comprehension is abysmally low. The real solution is to educate the user, rather than put up all these disabling "security" features.
steve
That's all well and good, but we, as MVPs, can't check every AV product and product version. Clearly McAfee and Norton are aware of the problems and do nothing about it. There was even a link on the McAfee site to DBXtract at one point, because McAfee was destroying OE's ability to read the dbx files.
I prefer a very conservative approach in my advice to people and so I suggest that they generally turn off the scanning. Especially since its largely redundant.
Don't think that we haven't brought this attention to the OETeam at MS and told them what a problem it is. Unfortunately MS is about as responsive to us as it is to the average user, and OE has almost negative priority in terms of development, as its not a "revenue model" for MS. So we are stuck here doing what we can to help the public as best as we can. And my general advice is, if you want to ensure that your message store has the maximum stability as it can acheive, given the dbx format, then turn off email scanning and turn off background compaction. If some AV products don't have the hideous side effects of McAfee and Norton, then fine, but its not up to the MVPs to identify such or to support one AV over the other.
I'm happy not supporting any of them. I also think, anyone with a modicum of intelligence and knowledge of their personal computer does not need an AV product, except for occasional checking.
> BTW, thank you, Steve, for the civil response and for not attacking me via
> off topic comments. I respect that a lot.
>
We try and keep things civil here, but we're only human.
cheers,
steve
>> I would argue the other direction -- At least with NAV, the "email
>> scanning" feature intercepts at the port level during the POP3 session
>> and stops the virus from ever getting into your DBX. There is zero
>> chance of DBX corruption.
>>
>> What is dangerous is when a virus is stored in your DBX file, and the
>> virus scanner happens to find it there and attempts to clean it without
>> understanding the DBX structure.
>>
>
>Yeah, and the problem there is that the AV product will wipe out the entire dbx file and destroy irrevocably the messages in that file. At that point the question is which is worse, the virus or the cure.
Exactly -- This is why I'd probably recommend leaving email scanning
enabled -- If the product catches it during the POP3 phase, the virus
never hits the DBX, so there is no risk of DBX corruption at all.
--
A well-dressed man walks into a bar and asks a woman to sleep
with him for $1M. The woman is excited and she gives immediate
consent: "Of course I'll sleep with you!".
Then the man asks, "will you sleep with me for $5?". The woman
indignantly replies, "Of course not! What do you think I am?".
The man replies, "We've already established what you are; now
we're merely haggling over the price."
>He's obviously never lost any email due to AV products.
The most you can possibly lose is up to your most recent backup.
Better, if you have a properly managed server offering IMAP access, you
lose nothing at all.
That just plain isn't true. It should be, but there is a history of
anti-virus programs deleting entire folders in OE when email scanning is
turned on.
--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
Most Recent Backup. Gee, that would cover maybe 2% of the people.
Geez, you really think it's that high? I would estimate it at less then 1/2
of 1%.
Jim P.
I'm using AVG at the moment, but I still don't want something
going through my email disabling, renaming and messing with
viruses to make the viruses appear not to be viruses. It just gets
too confusing.
I really like the AVG product. It's the best I've seen, but it still
suffers from the same problems that EVERY virus scanner does.
It wants to take control where it should only be scanning and
maybe moving the attachments to a quarantine folder, it is
actually modifying files and once the file is modified it is no
longer a virus and it'll never see it as a virus again. It leaves the
file on the computer in the modified format. This is a clearly
NOT proper. I really would like to see AVG present a
dialog with the following options:
Move the infected file to an INFECTED folder.
-or-
Delete the file.
-or-
Disinfect and move the file to a MODIFIED folder.
The name of the MODIFIED folder can be named something
else, and I am hereby declaring this to be public domain material
that CANNOT be patented nor copyrighted.
--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.
That's all well and good, but we, as MVPs, can't check every AV product and
product version. Clearly McAfee and Norton are aware of the problems and do
nothing about it. There was even a link on the McAfee site to DBXtract at
one point, because McAfee was destroying OE's ability to read the dbx files.
I prefer a very conservative approach in my advice to people and so I
suggest that they generally turn off the scanning. Especially since its
largely redundant.
==============
But that's like saying all houses should be condemned because one burnt down
due to having been built incorrectly. I didn't want to get into pointing
fingers at specific vendors having problems with their antivirus email
scanning modules, only because I've stayed away from those particular
vendors' antivirus products and so I'm in no position to do more than take
heed when a problem is identified as specific to a vendor. And so finger
pointing wasn't my prerogative. And so it wasn't even the point of my
statement that "email scanning does have a purpose", and it's the wide
brushed comment to the contrary that I do take issue with as being false and
a generalized smear against other vendors. What if I went around saying that
OE hangs now and then and so it and all other emailers are a piece of junk?
It's not so, even if OE does hang for some reason - for whatever reason. I
can't place the blame for the hang so generally, there's a responsibility to
be more concise. No one's asking for MVP's to check out every product and
product version! See, that's the sort of extreme comment attempt, and an
improper one aimed at emotionalism, to justify the unjustifiable. It's that
wide brush again, where the wide brush is simply not appropriate and can
really make a mess of things.
What's wrong with being concise and reporting only on what's known for sure,
when the downside of not doing so paints an improper picture of antivirus
vendors? It's not like someone can not get hurt by such editorial policy, it
is possible for a virus to be spread if it was never scanned in a message
that gets forwarded, and it is possible to thereby unjustly hurt the public
as well as the reputation of antivirus vendors who don't deserve the
negative publicity.
Look, all I'm saying is edit the canned response being handed out over and
over in this forum. Everyone's just doing a copy and paste, it would take no
more effort to copy and paste an accutate representation of the email
scanning benefits and pitfalls, and the need to temporarily turn if off for
diagnostic purposes, and to recommend that it be left activated if it is not
found to be the cause of some problem with OE. That's the more responsible
way to editorialize the situation.
--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.
"PA Bear" <PAB...@mvps.org> wrote in message
news:ulu%23B6JDE...@TK2MSFTNGP10.phx.gbl...
must have hit wrong key <G>
>> >He's obviously never lost any email due to AV products.
>>
>> The most you can possibly lose is up to your most recent backup.
>> Better, if you have a properly managed server offering IMAP access, you
>> lose nothing at all.
>
>Most Recent Backup. Gee, that would cover maybe 2% of the people.
Well, use IMAP instead of POP, and you have a realtime backup. I can
delete every DBX on my workstation right now, all I'm out is about 3-4
minutes of download time, not a single message, not even a single
"Replied" flag goes missing.
I can pull any hard drive in my system out. I have 700GB or so of drive
space on my servers, I can go pull any drive you like, the only thing
I'll lose is logs and temporary files.
--
Having a smoking section in a restaurant is like having a peeing section
in a swimming pool.
C:\infected\testing
AVG not only checked that folder but the folder above it as well.
This time it moved the file to the vault and appeared to move the
other files as well, but it didn't actually move the other files, it
copied files in a folder that it wasn't told to check. <g> Good
grief !!! It's acting like a virus itself! LOL
It's got some definite issues. This time it didn't heal the files, it's
the healing process that leaves the file on the HDD with the
same name, just slightly modified in some manner ( I think ).
I'll figure this out in a moment...
Okay, this time I copied the infected file to:
C:\infected\test\
And I also copied several other infected files to:
C:\infected\backup\
I asked AVG to do a custom scan and I selected the
following folder:
C:\infected\test\
The dialog popped up with the following message:
Test run: Manual
Files tested: 5
Time elapsed: 0 sec.
Infected files detected: 1
Viruses removed by healing: 1
Files moved to VIRUS VAULT: 0
Viruses Still On The Drive: 0
Something is definitely wrong !!! LOL It tested 5 files, when I told
it to test only 1. It scanned 5 files, it says so! All of them are infected
with the same virus (NetSky.J as reported by AVG). It only
reported 1 infection. It moved the one file to the VAULT.
I still like AVG, but it definitely has some serious issues.
--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.
Email scanning has been found to cause severe problems and even data loss in
some situations. It is safe for YOUR computer for you to turn off antivirus
email scanning. Were you to actually open an infected email then the
enclosed infection, ultimately encoded (probably in base64), would be
decoded to a normal file, and at the point where it becomes a file then your
on-access antivirus module of your antivirus software should detect the
virus (assuming updated antivirus definition tables). However, if you have
email scanning disabled (and because then no scanning takes place until a
normal file is accessed in some manner) then you could forward an infected
email if you don't first open any infected attachment before doing the
forward. That process is not likely, but accidents do happen. Email scanning
is an added layer of protection, basically one that helps prevent accidental
forwarding of an infected email. That's its primary purpose. You can safely
turn it off if it is causing problems and your own computer will remain
protected by your antivirus software, but always be aware that it is then
possible to forward an infected email that has not been scanned. Note that
your firewall might also be performing some email scanning functions.
What hasn't come into the discussion here is the fragility of the dbx files and their susceptibility to corruption.
I don't know how many messages I've seen (tens of thousands over the years) where the dbx file was completely unreadable by OE. All you have to do is change (or add or remove) one single byte from the dbx file and OE can no longer read it and all the messages in the file are lost to the user.
I wrote DBXtract for the users so that their message store would not be completely lost when the dbx file became corrupt. That was over 5 years ago and before the AV crowd got into action screwing around a trashing the dbx files and consequently the message store.
So, even before AV interference, the dbx file structure is extremely fragile, which is why we tell people to turn off background compaction, which makes it even worse.
So my general advice is to not have any program running that touches those files or has the potentiality to while OE is open. Note that in the directions for DBXtract (www.oehelp.com/DBXtract/) that I say not to run it when OE is open, even though DBXtract only reads the files and does nothing else. This is to ensure that there is not any chance that the program can somehow collide with OE operating on these files at the same time.
So I would generally say NO PROGRAM that has any interaction with the dbx files should be running when OE is, in order to protect the message store. Not just AV programs, but any program, because the dbx file structure is CRAP and will self destruct in a breeze.
So take that into account. The extent of this problem is HUGE. DBXtract has had over 1,000,000 downloads and the webpage gets over a thousand hits daily.
cheers,
steve
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message news:SD96c.39893$kL5....@newssvr25.news.prodigy.com...
steve
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message news:mEi6c.40007$hz1....@newssvr25.news.prodigy.com...
steve
========
[Well ok, it's not quite my last comment then! But I am trying to work in
that direction.]
Then maybe MVP's might want to include that statement, and certainly note
what products and (if known) what versions of an antivirus email scanner
have been reported by users to cause loss of an entire message store. Unless
Microsoft has acknowledged a problem with a specified vendor in the KB then
it isn't Microsoft policy to recommend to users that the Outlook Express
product be protected against damage by way of turning off email scanning,
and so it's probably more accurate to say "users have reported" or something
to that nature rather than insinuate, infer, or outright claim that an
industry wide problem exists with all antivirus email scanner vendor
products. Microsoft is likely in a KB article to acknowledge a problem if it
can be duplicated. But without such an acknowledgement by Microsoft, it
might be best that MVP's not even accidentally give the impression that they
are not supportive of having users implement the highest system security
policy possible. Maybe NGSCB will eventually replace the need for antivirus
products and layers of additional protection. But not just yet.
Really, one might want to take a larger view too. If, industry wide, the
antivirus vendors are not supportive of an absolute need to turn off email
virus scanning so as to avoid damages to Outlook Express files, and
Microsoft itself isn't saying for users to do so regardless of the vendor
type and product version, then who does it really appear to be that is
giving out misleading directives? Is this not also an issue of public trust?
Has any survey been done to determine which antivirus email scanning modules
actually manipulate the Outlook Express message store? Are many vendors
really not messing with it at all and are instead operating at the network
(port) level when it comes to inbound email scanning?
cheers,
steve
=====
Hi, Steve
The program you wrote is of great value. I might have to use it myself
someday, and I'll be thankfull that it exists. I'm thankfull already!
I can see why there's a continuing high level of frustration. One that you
say existed before AV interference with the dbx file structure, which in
itself is a very interesting statement. I've no reason to not believe you
saying that no program that has any interaction with the dbx files should be
running when OE is running (including background compaction). But I'm
unaware of any Microsoft position supporting that, and maybe to the contrary
since it's their design to allow compaction to run in the background. So who
am I to take most seriously, what MVP's here say -- or what Microsoft
doesn't say in support of what MVP's say? That's not a jibe, Steve, it's a
dilemma. In addition, I have no knowledge that it's an industry wide
practice for AV email scanning modules to interact with the dbx files. How
may really do email scanning by examining data at the socket level before it
ever gets received by OE? Like firewalls do it. These things I don't address
because it's not central to my argument to begin with, and I don't see that
they should be. I've not taken a position that if something is positively
known to cause a problem then it should be used regardless. I've not said
that. I've said if turning email scanning off does not resolve the problem
then turn email scanning back on because it does have a purpose. The cut &
pastes that I've seen from MVP's say it has no purpose, and I take issue
with that. I also take issue with any contention that it's an AV industry
wide problem, I see no proof of that. But I don't take issue with your
contention that email scanning can cause problems, either. I just say don't
throw the baby out with the bath water - be concise and specific. Give
people the real facts, not a generalized opinion. If an OE user has to lower
system security policy, a serious issue, then keep it to a bare minimum and
only impact AV vendors that have a user demonstrable problem.
It's improper to say or infer that all AV vendors have bad email scanning
product and that it has no purpose. Digression from that topic will not
change that.
813518 - OL: You Receive Time-Out Error 0x8004210a or 0x800ccc19 When You
View a POP3 E-Mail Account with AntiVirus Software Installed:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q813518
309676 - OLEXP: Norton Antivirus Causes Outlook Express 6 to Stop
Responding:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309676
813514 - OL: Error 0x800ccc0d or 0x800ccc0f When Receiving and Sending
E-Mail:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q813514
195458 - OLEXP: Unable to Send or Receive Messages With Dr. Solomon's
NetGuard Installed:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q195458
312347 - OLEXP: The POP3 Server Information Does Not Change and Error
Messages Appear in Outlook Express 5.5:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312347
But stick to your guns, maybe you'll convince somebody (like people who
forward messages with attachments w/o screening them, i.e., by not saving
the attached file and scanning it first - called courtesy by some.) As I
said earlier, the horse is dead, can we quit flogging it?
--
Jim Pickering, MVP-Outlook Express
Please reply only to newsgroup.
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message
news:zQo6c.40143$yr4....@newssvr25.news.prodigy.com...
My 2 cents worth...Doug
===================================
"Jim Carlock" <anon...@127.0.0.1> wrote in message
news:OpRwPqKD...@TK2MSFTNGP09.phx.gbl...
The answer to that is obvious. <G>
MVPs are out to help the user. MS is out to make $. The reasons they have expressed for not fixing the problems in OE are due the fact that OE has "no revenue model", so its not worth it for them to fix it.
steve
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message news:anr6c.40200$Us5....@newssvr25.news.prodigy.com...
What we see is what is in these NGs where we are trying to help people.
Over and over again (for years) there are threads pertaining to lost messages, and its become abundantly clear that the AV products are responsible.
nuff said.
steve
"SomewhatAnonymous" <Ple...@NoSpamWanted.yuk> wrote in message news:zQo6c.40143$yr4....@newssvr25.news.prodigy.com...
Ok, you go ahead and get those ISP's that have POP3 to start using IMAP
instead. Yeah, thats gonna happen.
> I can pull any hard drive in my system out. I have 700GB or so of drive
> space on my servers, I can go pull any drive you like, the only thing
> I'll lose is logs and temporary files.
>
I can throw my computers out the door and don't loose the logs. Might hit a
log or two when it lands though.
>Ok, you go ahead and get those ISP's that have POP3 to start using IMAP
>instead. Yeah, thats gonna happen.
Perhaps you should find a better ISP?
http://webmail.devilsplayground.net/ gives 100MB quotas, and will pull
your existing POP3 mailbox too, no charge, no banners or anything.
>> I can pull any hard drive in my system out. I have 700GB or so of drive
>> space on my servers, I can go pull any drive you like, the only thing
>> I'll lose is logs and temporary files.
>
>I can throw my computers out the door and don't loose the logs. Might hit a
>log or two when it lands though.
I intentionally store logs on drives configured for fast write
performance, with minimal redundancy (cost:benefit ratio, I'd rather
spend the money elsewhere)
Don't care. I'm happy with my ISP, been with it since '95.
Don't want web based email. If I wanted that I'd get a Hotmail account.
> >> I can pull any hard drive in my system out. I have 700GB or so of
drive
> >> space on my servers, I can go pull any drive you like, the only thing
> >> I'll lose is logs and temporary files.
> >
> >I can throw my computers out the door and don't loose the logs. Might hit
a
> >log or two when it lands though.
>
> I intentionally store logs on drives configured for fast write
> performance, with minimal redundancy (cost:benefit ratio, I'd rather
> spend the money elsewhere)
Well, good luck, maybe you can catch Uncle Bill and surpass him one day.
>> Perhaps you should find a better ISP?
>> http://t/ gives 100MB quotas, and will pull
>> your existing POP3 mailbox too, no charge, no banners or anything.
>>
>
>Don't care. I'm happy with my ISP, been with it since '95.
>Don't want web based email. If I wanted that I'd get a Hotmail account.
Includes POP3 and IMAP access :)
--
Hey, it's the female man.
-- Bart Simpson
"DevilsPGD" <lalala...@crazyhat.net> wrote in message
news:DTc7c.11261742$Of.18...@news.easynews.com...
>I thought you had left to finish making your fortune saving all that money.
>Why you wasting so much time here?
What are you rambling about? I don't remember saying anything about
saving money...
"I intentionally store logs on drives configured for fast write
performance, with minimal redundancy (cost:benefit ratio, I'd rather
spend the money elsewhere)"
"DevilsPGD" <lalala...@crazyhat.net> wrote in message
news:thM7c.11405593$Of.19...@news.easynews.com...
>"I intentionally store logs on drives configured for fast write
>performance, with minimal redundancy (cost:benefit ratio, I'd rather
>spend the money elsewhere)"
Yes... And?
--
Whenever I feel blue, I start breathing again.
You still here?
>> Yes... And?
>>
>
>You still here?
Yes. Yourself?
"DevilsPGD" <lalala...@crazyhat.net> wrote in message
news:JC78c.562899$iA2....@news.easynews.com...