Outlook Express Irritating Cleanup Dialog

Pete B

Jul 5, 2009, 11:38:45 AM
Any way I can change the frequency of the totally annoying "cleanup/compact" routine that OEx starts up almost every other time I close the program? Or alternatively, is there any way to stop it from asking for my input on the matter every time, rather than just doing the damned useless task silently?


The damned dialog even pops up now when I am in the middle of using the program. Talk about Microsoft Malware, this has to be the most asinine implementation of an idea Microsoft ever dreamed up (well, except Windows 98, maybe)....


--
Pete B

Bruce Hagen

Jul 5, 2009, 11:43:14 AM

If you see the prompt more often than 100 closings of OE, then you have
another issue.

The problem is with the registry counter that gives you the prompt after 100
closings of OE. It is being increased quicker than it should be and even if
you are not using OE.

There is a growing number of programs and actions that may be causing this
after installing SP3. Do you have any of the following?

IBM Rapid Access keyboard (driver) RAKDLL.DLL
Windows {Desktop} Search
Mailwasher
Nero plug-in(s)

Opening EML files while OE is closed will also contribute to the registry
count.

Various anti-virus, anti-spyware and third party firewalls, especially if
they were running when you installed SP3.

Archived thread discussing this issue in June 2008:
http://groups.google.com/group/microsoft.public.outlookexpress.general/browse_frm/thread/fcd35fbfa457fd6f

In the case of Windows Desktop Search, (the #1 offender), you have to tell
it to stop indexing OE.

Windows {Desktop} Search. Set Desktop Search Options:
http://www.microsoft.com/australia/windows/desktopsearch/search/options.mspx

In Windows {Desktop} Search: Control Panel | Indexing Options. Click: Modify
and clear the check box for Outlook Express.

In the case of Nero Scout, see Item 2.3 on page 8 here.
ftp://ftp6.nero.com/user_guides/nero8/scout/NeroScout_Enu.pdf

In the option to exclude selected file types from indexing, be sure to add
these file types:

.eml, .dbx & .nws
--

Bruce Hagen
MS-MVP [Mail]
Imperial Beach, CA


"Pete B" <petes...@comcast.net> wrote in message
news:%23aVS1aY$JHA....@TK2MSFTNGP03.phx.gbl...

PA Bear [MS MVP]

Jul 5, 2009, 12:11:52 PM
See this June 2008 discussion about this WinXP SP3-specific problem:
http://groups.google.com/group/microsoft.public.outlookexpress.general/browse_frm/thread/fcd35fbfa457fd6f

For reference, here's a current list of items known to cause this behavior
(which is NOT being seen by the vast majority of OE users) in "most often
seen" order

. Nero plug-in(s) including Nero Scout*;
. Windows (Desktop) Search is installed
[FIX: Uninstall the application or CONTROL PANEL | INDEXING OPTIONS |
MODIFY | Clear the check box for Outlook Express files (i.e., EML, NWS, &
DBX files)];
. IBM Rapid Access keyboard (driver) RAKDLL.DLL;
. Various & sundry anti-virus applications (including Norton);
. Various & sundry anti-spyware applications;
. Various & sundry third-party firewalls;
. Any/all of the above running when WinXP SP3 was installed;
. Disk defragmentation, need for;
. Using Visual Basic DoCmd.SendObject command to create an email;
. Using any number of third-party applications (e.g., accounting software;
FileMaker 6) to send emails via Outlook Express;
. MailWasher; and/or
. Programmatically opening EML files while OE is closed (e.g., creating a
New Message via Address Book).

Please note that OE itself can issue this prompt but only when you close it.
Adhere to all of the following and you should never see the Automatic
Compact prompt (coming from OE) again:

- Don't use Inbox or Sent Items to archive messages. Move them to local
folders created for this purpose.

- Empty Deleted Items folder daily.

- Frequently perform a manual compact of all OE folders while "working
offline". More at http://www.insideoe.com/files/maintain.htm

- Do not cancel Automatic Compacting, should it occur, and do not attempt to
close OE via Task Manager or shutdown your machine if Automatic Compacting
is taking place.

- Disable email scanning by your anti-virus application. It can cause
corruption (i.e., loss of messages) and provides no additional protection:

Why you don't need your anti-virus to scan your email
http://thundercloud.net/infoave/tutorials/email-scanning/index.htm

===============
*IN RE Nero Scout, see Item 2.3 on page 8 here:
ftp://ftp6.nero.com/user_guides/nero8/scout/NeroScout_Enu.pdf

Also see http://www.nero.com/eng/support-faq.html?s=sub&t=Scout
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

Pete B

Jul 5, 2009, 1:43:13 PM

Wow! A lot of info from you and Bruce both, thanks.

I assume that you are talking about Nero plugins in IE, as I do not see any such function in OEx. In any case, I do not have any such plugins.

Thanks to you guys, I just found out I actually had Windows Live Search, I never even knew it was there (tells you how often I use that function). If as you say I can remove it, color it gone as soon as I finish posting this :=). If for nothing else than, how stupid can you get to design a program like that where you have to enter filenames and cannot even do it with Copy/Paste?

Let me ask you: I have been trying to shut off indexing for months, short of going into MSCONFIG and disabling startup of indexing services. If I get rid of Win Live Search will that eliminate all the indexing that suddenly started running on my PC? I have used the MMC and everything else I can find and have not been able to get Indexing to not run. Yes, I did have WLS indexing emails, not anymore.... Anything else I can do to totally eliminate indexing? Will removing WLS get rid of all that stuff in the CPL app e.g. file types indexing etc as well as the emails?

I disagree with that article on email scanning most emphatically. Maybe that goes for MS's av software, but my AV, Kaspersky's, and my previous, AVG, do scans for a lot more than just viruses, it scans for spam and malware too. I think the guy is wrong to advise not using email scanning. I have also seen Kaspersky's pick up infected attachments to emails which are actually one of the most common ways viruses spread. So no way am I disabling it. If that advice is what MS says is proper, they need to fix OEx, not put my PC in danger. MS has the problem, not the AV software. I want my AV software scanning EVERYTHING, not just what MS says it can handle.

I do have WinXP SP3, and I do believe this all started about when I installed the SP3. So that makes sense. It happens when closing OEx or even when it is still running and it happens about every other day; I use OEx maybe half dozen times a day max. I do move the emails, empty deleted etc but it seldom seemed to make any difference for this issue.

I will see if what you listed makes my problems go away or at least get tolerable. I still think this should be a silent operation thing; I don't mind the indexing itself, what I hate is being asked for approval every time; there should be an option to make it happen unattended. Just do it, for gods sake..... :=)


Thanks to you and Bruce (so far).....

--
Pete B

"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message news:uhL%23KuY$JHA....@TK2MSFTNGP05.phx.gbl...

Pete B

Jul 5, 2009, 2:04:06 PM
OK guys, before I do something stupid, let me ask a stupid question: how do I remove Windows Live Search? Is that the Windows Search 4.0 app I see listed in the A/R window installed programs list? I opened WLS itself and checked the About but naturally it is useless.... I do not actually see anything named Windows Live Search anywhere that I can remove.


--
Pete B

"Pete B" <petes...@comcast.net> wrote in message news:eRQwVgZ$JHA....@TK2MSFTNGP04.phx.gbl...

Bruce Hagen

Jul 5, 2009, 2:09:43 PM

It is Windows Search 4.0. I don't believe either myself or PA Bear mentioned
"Live".
--

Bruce Hagen
MS-MVP [Mail]
Imperial Beach, CA

"Pete B" <petes...@comcast.net> wrote in message

news:uTOj%23rZ$JHA....@TK2MSFTNGP04.phx.gbl...

N. Miller

Jul 5, 2009, 2:13:11 PM
On Sun, 5 Jul 2009 12:43:13 -0500, Pete B wrote:

> I disagree with that article on email scanning most emphatically. Maybe
> that goes for MS's av software, but my AV, Kaspersky's, and my previous,
> AVG, do scans for a lot more than just viruses, it scans for spam and
> malware too. I think the guy is wrong to advise not using email scanning.
> I have also seen Kaspersky's pick up infected attachments to emails
> which are actually one of the most common ways viruses spread. So no
> way am I disabling it. If that advice is what MS says is proper, they
> need to fix OEx, not put my PC in danger. MS has the problem, not the AV
> software. I want my AV software scanning EVERYTHING, not just what MS
> says it can handle.

First, MSOE is no longer under development, so even those problems which I
agree that it has aren't going to be fixed.

Second, email scanning works by interposing the scanner as a 'proxy' between
the email client and the email server. I've found that kind of kludge can be
problematic with clients other than MSOE.

Third, I had a malicious attachment which was not caught by an AV scan
because the malware was too new for the current AV definitions (back when I
allowed AV to scan email). Malware can't install itself, it has to be
actively run. A good email client will not run certain potentially hazardous
attached files (Pegasus Mail has a long list of files prohibited from
execution). The only way to get infected is to open the attachment; and your
memory resident "on access" scanner will bark, if you even just try to save
the malicious attachment to disk (and it has definitions for the file). In
my case, I submitted the suspicious attachment to one of the AV vendors, and
they provided a link to an updated definition file within fifteen minutes.

So, in my estimation, email scanning does nothing more useful than the basic
AV scanner is doing without it, and does so at some risk of corrupting the
message store; especially one as delicate as MSOE has. And email scanning
will not catch a zero day virus any more than an ordinary AV scan will.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
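
The post above argues that a client which refuses to run certain attachment types protects the user whether or not the AV definitions are current. A sketch of that kind of type-based check, as an added example that is not part of the original thread: the block list, the decoy list and the sample message are constructed for illustration and are not Pegasus Mail's or Outlook Express's actual lists.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list (illustrative only, not any real client's list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".lnk", ".hta"}
# Harmless-looking extensions commonly placed in front of the real one.
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg", ".gif", ".zip"}


def build_sample() -> bytes:
    """Build a constructed message; attachment bodies are inert placeholders."""
    inner = EmailMessage()
    inner["Subject"] = "Fwd: greeting card"
    inner.set_content("Forwarded.")
    inner.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="card.vbs")

    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Windows drops trailing dots and spaces, so this would open as .scr.
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="photo.scr.")
    msg.add_attachment(inner)  # forwarded message (message/rfc822)
    return msg.as_bytes()


def risky_attachments(raw: bytes) -> list:
    """Return (filename, reason) for attachments a client should refuse to run.

    The decision uses only the declared filename, so it does not depend on
    signature definitions being up to date.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also descends into forwarded messages
        name = part.get_filename()
        if not name:
            continue
        cleaned = name.strip().rstrip(". ").lower()
        stem, ext = os.path.splitext(cleaned)
        if ext not in BLOCKED_EXTENSIONS:
            continue
        if os.path.splitext(stem)[1] in DECOY_EXTENSIONS:
            findings.append((name, "double extension"))
        else:
            findings.append((name, "blocked extension"))
    return findings


if __name__ == "__main__":
    for filename, reason in risky_attachments(build_sample()):
        print(f"{reason}: {filename}")
```
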

Pete B

Jul 5, 2009, 2:19:15 PM
No you did not mention that name. I do not recall where I saw the term, maybe in the Help file or something. But OK that is what I will remove. Will that stop all the indexing as well?


--
Pete B


"Bruce Hagen" <Nos...@mymail.invalid> wrote in message news:ey4xFvZ$JHA....@TK2MSFTNGP02.phx.gbl...

Bruce Hagen

Jul 5, 2009, 2:26:24 PM

It will stop the indexing of OE by that program and it /should/ resolve your
issue.
--

Bruce Hagen
MS-MVP [Mail]
Imperial Beach, CA


"Pete B" <petes...@comcast.net> wrote in message

news:OwuuR1Z$JHA....@TK2MSFTNGP02.phx.gbl...

Pete B

Jul 5, 2009, 5:04:45 PM
Well, that would be true if all email viruses and malware and spam behaved as you suggest, and if all AV programs followed your rules. But me, I'd rather catch the problem **before** I opened the email. And nowadays, many if not most emails are loaded with active content anyway, and many of those do not need you to do anything except open the email (ever get a "happy birthday" email, or an email with embedded graphics or the like?). Once emails started using the HTML stuff, running active content became simple for even an amateur hacker: infect a PC silently with a TH, then send the user an email on a certain date to start your DOS attack.

Nope, I don't buy that philosophy at all. Furthermore, I have been using MS email since the days of Win 3, and during all my years of working at a firm with 10K+ employees using the same, and in contact throughout my career with other such large firms, and as a programmer who designed and put into use many different apps that used VBA to manipulate email by composing, altering, sending, receiving, and forwarding thousands of emails from under control of automation from within other applications all without any user input, I never once can recall anyone who had a corrupted email database... ever. Not from any source at all, EXCEPT from a deliberate virus attack or from a damaged HDD, and even those could usually be recovered to a great extent.

I have never even heard of ANYONE who had such a problem, including my non-computer-literate acquaintances who barely know how to turn a PC on. But I don't doubt for one second that somebody AT MICROSOFT was able to screw things up that way; they have lots of practice.....

Like I said, if the email client is such a vulnerable pathetic program, then the solution is to fix the email client, not to tell everyone to refrain from doing things that are universally practiced throughout the software world. And even though OEx is history, the email function is still here like always, including the message db. So the advice is still not justified IMO.

The one thing I do fully agree with is not using **anything** with Norton's name on it, that company puts out poison that totally hijacks a system and seldom does its work without screwing up.

--
Pete B


"N. Miller" <anon...@msnews.aosake.net> wrote in message news:1rozlr2v...@msnews.aosake.net...

Pete B

Jul 5, 2009, 5:08:04 PM
Thanks, Bruce. I removed the Win Search (even though Windows about had a heart attack that I wanted to remove such a program). I did a full HDD image backup first, so if anything screws up I can recover.

Thanks to you and PA Bear for all the help and advice.

--
Pete B


"Bruce Hagen" <Nos...@mymail.invalid> wrote in message news:%2309fa4Z$JHA....@TK2MSFTNGP02.phx.gbl...

Bruce Hagen

Jul 5, 2009, 5:15:38 PM

You're welcome.
--

Bruce Hagen
MS-MVP [Mail]
Imperial Beach, CA


"Pete B" <petes...@comcast.net> wrote in message

news:u5Q01Sb$JHA....@TK2MSFTNGP04.phx.gbl...

PA Bear [MS MVP]

Jul 6, 2009, 1:56:58 AM
Work OE and Windows Mail newsgroups for 5-10 years then revisit that
statement, Pete.

AV scanning of incoming & outgoing mail is not necessary and it /has/ caused
corruption for thousands of OE users over the years.

Pete B wrote:
<blither snippage>
> ...I never once can recall anyone who had a corrupted email
> database...

N. Miller

Jul 6, 2009, 1:23:09 PM
On Sun, 5 Jul 2009 16:04:45 -0500, Pete B wrote:

> Well, that would be true if all email viruses and malware and spam behaved
> as you suggest, and if all AV programs followed your rules.

Those aren't my "rules", just observations of activity in the real world.

> But me, I'd rather catch the problem **before** I opened the email.

Alas, your AV scanner will not catch a zero day virus. They do exist, and
you'd better know how to handle one.

Modern email clients have safety features WRT handling active content in
email. Unless you override them, you won't get bit. You can do whatever you
wish, but nothing you do changes the way things are in the real world. You
may even hang garlands of garlic cloves at your doors and windows, if you
wish to repel vampires! ;)

Pete B

Jul 6, 2009, 1:46:14 PM
If you say so. I have never seen nor heard of it, but I suppose anything is possible. I can see it if someone messes with the scanning, but then, any software of any kind can screw things up just about anywhere on a PC. I would be MUCH more concerned about AV software scanning Windows program files (like say libs in a new update for something) than I would about it scanning email. Besides, my AV scans the emails and everything else related on the server BEFORE they are downloaded, so I really do not see how anything could screw up my message db; if it finds a suspicious email, the first thing it does is warn me and ask if I want to download it. And if I do dl something suspicious, it goes to a protected area rather than just dumped onto the HDD wherever it normally downloads files, thus keeping it isolated in a secure "vault" for me to look at before deciding what to do with it.

And I still disagree that scanning mail is "unnecessary". If that is the case, so is scanning anything else "unnecessary". In the case of a download that can affect an entire database, I'd say scanning whatever is going to be put into it is not only necessary, it is MANDATORY. Now, if you are talking about the AV scanning process itself being the danger, that may be the case if the AV software somehow fails while files are open and such, but hell, the same thing happens during a power failure, or worse, or when something "hangs" your PC (like...ahem... an installation of some new Windows software) and you cannot even do a soft reboot so you have to either power down or do a hard reboot, or last, my ISP itself often "hangs" even in the middle of fetching mail or a file and my whole system freezes with no way to exit other than a shutdown. And after years with WinXP Pro I have rarely ever seen that stuff corrupt a file either, INCLUDING hanging during a time when an email is open. (Win 98/ME and earlier is a whole 'nuther story, though).

Unless you are talking Norton's, that stuff kills a PC before you even open the box and install it.....

And finally, like I said, if the email program on MS Windows is so vulnerable, then MS should fix it so it is damage-proof, rather than just give folks all the more reason to switch to Firefox.....

--
Pete B


"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message news:ePsrj%23f$JHA....@TK2MSFTNGP03.phx.gbl...

PA Bear [MS MVP]

Jul 6, 2009, 6:02:59 PM
All development on OE and Windows Mail (Vista) was stopped by executive fiat
in June 2006 (yes, while Vista was still in beta) and all further efforts
and monies were devoted solely to Windows Live Mail [AKA Windows Live
(Hot)Mail Desktop].

What you see in OE and Windows Mail now is as good as it's ever going to
get.

Judging from beta builds, Win7 [AKA Vista SP3 in some circles] will not
include any default Mail Client.


--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

Pete B wrote:
<blither snippage>

> And finally, like I said, if the email program on MS Windows is so
> vulnerable, then MS should fix it so it is damage-proof, rather than just
> give folks all the more reason to switch to Firefox.....
>
>

Pete B

Jul 6, 2009, 7:38:37 PM
So I have read. As usual, MS is trying to make the world follow what MS wants to produce, instead of MS following what the world wants MS to produce. You would think MS would have learned after their experiences with the EU.

All the more customers for other mail clients. There really is nothing super-special about MS email anyway.

--
Pete B


"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message news:%23Wiyqao$JHA....@TK2MSFTNGP02.phx.gbl...

Pete B

Jul 7, 2009, 10:15:23 AM
> Alas, your AV scanner will not catch a zero day virus. They do exist, and
> you'd better know how to handle one.
>
> Modern email clients have safety features WRT handling active content in
> email. Unless you override them, you won't get bit. You can do whatever you
> wish, but nothing you do changes the way things are in the real world. You
> may even hang garlands of garlic cloves at your doors and windows, if you
> wish to repel vampires! ;)

Since, according to the information on the MS website, the "zero-day" virus is NOT an email virus, your warnings are not applicable to this topic. Best you direct those garland tricks to those who use Internet Explorer in general, because that is where the problem occurs:


http://www.microsoft.com/technet/security/advisory/972890.mspx


".... Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

We are aware of attacks attempting to exploit the vulnerability.

Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.
.......

Mitigating Factors:

. Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.

. By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

. By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

. In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. ..."

******************


Any user who clicks on a link in an email without knowing the safety of the target of the link deserves what they get.

BTW Kaspersky's warns a user who tries to select such a link no matter where or how, and as well, Kaspersky's would include this email link target in their list of forbidden sites as soon as they learned about the problem. Like I said, it really is not an email problem, it is just another one of the countless myriad of Internet Explorer attacks that run rampant these days. The entire root and sole cause of the problem is the malicious attacker, anyway, that is where the vigilance should be centered.

Nothing you have said justifies or even really concerns disabling scanning of emails. Furthermore, that scanning need applies to any email client, not just IEx, because this problem could happen with any client if the user was running IE. The problem is as usual in Internet Explorer, that is where the fix (and your attention) should be focused.


--
Pete B

"N. Miller" <anon...@msnews.aosake.net> wrote in message news:16kemmw1...@msnews.aosake.net...

N. Miller

Jul 7, 2009, 8:30:55 PM

On Tue, 7 Jul 2009 09:15:23 -0500, Pete B wrote:

>> Alas, your AV scanner will not catch a zero day virus. They do exist, and
>> you'd better know how to handle one.
>>
>> Modern email clients have safety features WRT handling active content in
>> email. Unless you override them, you won't get bit. You can do whatever you
>> wish, but nothing you do changes the way things are in the real world. You
>> may even hang garlands of garlic cloves at your doors and windows, if you
>> wish to repel vampires! ;)

> Since, according to the information on the MS website, the "zero-day" virus is NOT
> an email virus, your warnings are not applicable to this topic.

Eh? A "zero day virus" is *ANY* virus released by the malware authors, and
picked up by a computer user *BEFORE* the user's AV vendor has definitions
for that virus. It is a brand spanking new damned virus, which will evade an
AV scanner precisely because the AV vendor has not had an example from which
to derive a definition. They damned well do exist, and you damned well will
encounter one some day.

> Nothing you have said justifies or even really concerns disabling scanning of emails.

Nor has anything you said justified enabling scanning of email.

> Furthermore, that scanning need applies to any email client, not just IEx ...

Eh? Since when is MSIE an email client? It is an HTTP client, i.e, a "web
browser". Nothing more, nothing less.


> ... because this problem could happen with any client if the user was running IE.


> The problem is as usual in Internet Explorer, that is where the fix (and your
> attention) should be focused.

Heh. Maybe I don't need AV scanning of email because I don't use MS Internet
Explorer as my default web browser! ;)

Pete B

Jul 8, 2009, 10:30:40 AM
I know that's why it is called a zero-day virus, you're the one that emphasized the term. Guess what? Day zero is past, and it is doubtful that any AV software worth its salt has not been updated of that particular danger at this point. Let me guess, though: you think that once the virus is in the AV databases, it goes away never to be seen again; yeah, right, like that'll happen.... My AV databases are updated continually, throughout each and every day my system runs, it's not a "once in awhile" thing; in fact, I just checked, and five new viral sources have been added to my protection in the past five hours this morning.

And here's an astounding, absolutely mind-blowing fact that you seem totally oblivious of: NO virus or malware, of any kind or form, that has never been seen before will be detected by ANY security system in the universe, NO MATTER what the source of the attack. ALL malware is "zero-day" malware for its initial appearance; your whole line of reasoning is flawed because it is based on that fact. Again, the virus has nothing that is specific to any email function (according to the MS documentation), email is simply the delivery vehicle as with zillions of other viruses. Scanning emails detects such viruses, but most viruses come through web-based attacks that do not involve email. In any case, detecting the **source** of the attack is what matters, and Kaspersky's and other AV software programs already do that, by detecting web sources that are not certified safe to begin with, whether they are likely to be infectious or not.

There are thousands of varieties of malware that are attacking PCs every hour, all you have to do is set up a simple honey pot to see that. Attacks via emails are the second-largest type of viral malware, so to ignore that source is just plain foolish. But you go ahead and ignore the second largest source of viral attacks on the net last year. Not me, I like to catch things BEFORE they do damage, not after the damage is done.

I will say it again: NOTHING you or anyone else said in this thread justifies refraining from scanning incoming email traffic to my PC. NOTHING anyone said even applies exclusively to email attacks. ALL the concern voiced here has been about "damage to email databases" and the like, which problem can occur from any number of different PC systems and software, among which good AV software is the LEAST likely to cause such problems.

My AV software, like all good AV software these days, as well examines incoming email for other types of malicious content or activity beyond viruses, and it does an excellent job of detecting and preventing such intrusive activity; it even "learns from doing as it goes", so that it does exactly what I want, and it learns very well through an interactive process. I would not abandon that functionality ever, and certainly not because MS cannot design an internet browser that is decently well protected from viral attacks (which to be honest is not MS's fault, it is the hackers that bear the blame).

But you go ahead and sit there in your little security blanket bubble doing nothing, waiting until doomsday strikes. As for me, I am done discussing this. I know I am protected as well as I can be, that is enough for me.

--
Pete B


"N. Miller" <anon...@msnews.aosake.net> wrote in message news:up6upiku...@msnews.aosake.net...

N. Miller

Jul 8, 2009, 5:21:43 PM
On Wed, 8 Jul 2009 09:30:40 -0500, Pete B wrote:

> I know that's why it is called a zero-day virus, you're the one that emphasized
> the term. Guess what? Day zero is past, and it is doubtful that any AV software
> worth its salt has not been updated of that particular danger at this point.
> Let me guess, though: you think that once the virus is in the AV databases,
> it goes away never to be seen again; yeah, right, like that'll happen....

Silly boy. Virus writers are constantly writing new code in attempts to get
around the current AV definitions. It is like an arms race. Sooner, or
later, you are going to lose.

> And here's an astounding, absolutely mind-blowing fact that you seem totally
> oblivious of: NO virus or malware, of any kind or form, that has never been
> seen before will be detected by ANY security system in the universe, NO MATTER
> what the source of the attack.

Silly boy. That is exactly what I have been saying. What you seem to be
willfully ignoring is that virus writers are always working on the next
"zero day exploit".

> Scanning emails detects such viruses, but most viruses come through web-based
> attacks that do not involve email.

Silly boy. AV email scanning requires a Rube Goldberg kludge that MSOE, in
particular, tends to choke on. And is a redundant measure, to boot,
considering that the on-access, memory resident scanner will still alert on
the potential infection.

> In any case, detecting the **source** of the attack is what matters, and
> Kaspersky's and other AV software programs already do that, by detecting web
> sources that are not certified safe to begin with, whether they are likely to
> be infectious or not.

And they do so quite effectively without having to scan the email.

> There are thousands of varieties of malware that are attacking PCs every hour ...

Cite, please. I don't see even tens of attacks per day against my PC.

> But you go ahead and ignore the second largest source of viral attacks on the net
> last year. Not me, I like to catch things BEFORE they do damage, not after the
> damage is done.

Silly boy. E-mail borne viruses can't do any damage without active
participation of the user.

> I will say it again: NOTHING you or anyone else said in this thread justifies
> refraining from scanning incoming email traffic to my PC.

Silly boy. You can do any damned thing that pleases you. You can even call a
dog's tail a leg, if it pleases you: But that won't make a dog a five legged
creature.

For the rest of us, reality is all that matters.

> But you go ahead and sit there in your little security blanket bubble doing nothing,
> waiting until doomsday strikes.

It is you who is living inside a bubble. It may even burst on you some day.
One way, or the other.

Twayne

Jul 8, 2009, 6:31:43 PM
"N. Miller" <anon...@msnews.aosake.net> wrote in message
news:ns1c0dvl...@msnews.aosake.net

> On Wed, 8 Jul 2009 09:30:40 -0500, Pete B wrote:
>
...

>
>> I will say it again: NOTHING you or anyone else said in this thread
>> justifies refraining from scanning incoming email traffic to my PC.
>
> Silly boy. You can do any damned thing that pleases you. You can even
> call a dog's tail a leg, if it pleases you: But that won't make a dog
> a five legged creature.

Silly is right. Aside from a few obvious but mostly irrelevant statements
you made and which I'm not commenting on, there certainly can be
considerable value to scanning incoming e-mails for viruses. It's
possible to catch them that way while they're still in buffers and
before they've even touched the hard drive which is infinitely more
efficient than waiting for them to trigger after they've landed on the
disk surface.

In fact, you've touched on sort of a pet peeve of mine: Scanning of
outgoing e-mails is something that can, not does, create situations
where e-mails can appear to have been sent but were in reality dropped
into the ether. It's an understood mechanism that's been described and
defined many times over by many people and easy to understand without a
lot of technical knowledge.
But ... the damage allegedly done by scanning incoming e-mails is not
well understood, is not a known mechanism, and nowhere does any web site
or paper I've ever found describe how and why an incoming e-mail can be
damaged or cause any damage to anything because an AV is scanning
incoming mails. There are some who claim anecdotal evidence of it
happening but not with any sureness or credibility that I can
understand. I've asked several times on various groups for someone to
explain the mechanism of the damage done to me, but no one to date can
do it.
I don't deny that it's possible, but I can't find anything that
proves the point, making me think that it is no more likely to occur
than any other file corruption anywhere else in a computer system.
I scan all of my incoming e-mails and always have since I gained the
ability to do so, and have never experienced a problem or I might have a
different opinion<g>. I monitor and receive e-mails from 12 different
accounts on a daily basis and depending on what's going on at any
specific time, that has been as high as 22 different accounts. That's
quite a few e-mails, so apparently at least in my case, it's not going
to be a problem, ever. As with scanning outgoing mails though, it's
possible for some people to also never experience the timing situation
that results in losing mails to the ether. In that direction it's all
timing dependent. Thus, I understand it could be "my case" that's never
going to have a problem, but ... I'd really love to know whether it's
just "my case" or all cases.
If anyone can provide any citation of the mechanism of scanning
incoming e-mails causing damage to anything, I would certainly
appreciate seeing it. Please, NOT the instructions to just turn off
e-mail scanning or "all" email scanning; I'm looking for verifiable,
credible information about how it happens, why it happens, and
basically, whether it really happens with incoming e-mails.

Woof! Sorry for the long tangent. To synopsize: Outgoing e-mails, yes,
scanning can definitely cause problems and it's well defined. But what
about with incoming? I suspect it creates no problem and all the
original hoopla was because many programs didn't separate in/out so you
use/kill both or nothing at all. Then the "myth" didn't keep up with
technology.

Regards,

Twayne

N. Miller

Jul 8, 2009, 9:56:45 PM
On Wed, 8 Jul 2009 18:31:43 -0400, Twayne wrote:

>> On Wed, 8 Jul 2009 09:30:40 -0500, Pete B wrote:

> ...

>>> I will say it again: NOTHING you or anyone else said in this thread
>>> justifies refraining from scanning incoming email traffic to my PC.

>> Silly boy. You can do any damned thing that pleases you. You can even
>> call a dog's tail a leg, if it pleases you: But that won't make a dog
>> a five legged creature.

> Silly is right. Aside from a few obvious but mostly irrelevant statements
> you made and which I'm not commenting on, there certainly can be
> considerable value to scanning incoming e-mails for viruses. It's
> possible to catch them that way while they're still in buffers and
> before they've even touched the hard drive which is infinitely more
> efficient than waiting for them to trigger after they've landed on the
> disk surface.

Do you realize that by the time your AV is scanning that attachment, it is
already on your hard drive? That is an unavoidable fact of life. Your AV
can't touch that attachment until after it is downloaded from the server.

> But ... the damage allegedly done by scanning incoming e-mails is not
> well understood, is not a known mechanism, and nowhere does any web site
> or paper I've ever found describe how and why an incoming e-mail can be
> damaged or cause any damage to anything because an AV is scanning
> incoming mails. There are some who claim anecdotal evidence of it
> happening but not with any sureness or credibility that I can
> understand. I've asked several times on various groups for someone to
> explain the mechanism of the damage done to me, but no one to date can
> do it.

I've not scanned incoming email in years, so I don't have a way to examine
the mechanism. But I will begin with one common symptom: The email client
POP3 server name is changed from 'pop.server.com' to '127.0.0.1'. I've never
had the opportunity to examine the Advanced properties, to check the port
number, but I'll wager it is also changed: From '110' to '1110', or similar.

The mechanism is actually simple to guess at from that symptom. AV email
scanner interposes as a proxy, becoming a POP3 server in its own right,
listening on port 1110 for incoming connections, while interacting with the
actual mail server through port 110.

So MS Outlook Express connects with '127.0.0.1:1110' and waits for the POP3
transaction to proceed. AV scanner puts MSOE "on hold" while it connects
with 'pop.server.com:110', and downloads the email to a local temp folder on
the local HDD. Normal POP3 commands, so the server clears the mailbox, and
all the email is now in temp folder somewhere on the local HDD. AV now
starts scanning the contents of that temp folder. More time elapses than
MSOE expects, so MSOE throws up a "server not responding" error, and closes
the connection.

Now, if this had been the connection to the actual mail server, that server
would not delete any email from the mailbox, because the POP3 session did not
advance that far. But who knows what the AV "mail server" will do with the
temp files when the client closes the connection?

> I scan all of my incoming e-mails and always have since I gained the
> ability to do so, and have never experienced a problem or I might have a
> different opinion<g>.

I can't say I have experienced corruption, but I have experienced oddness
that stopped when I stopped scanning the incoming email. Since the AV is
still running, whether it is scanning email, or not, it will alert on any
attempt to manipulate a malicious attachment. I've discovered that it is
damned hard to manipulate the EICAR file locally, for email tests, without
the AV barking. Not that EICAR is malicious: It is not, it is a text file,
which is included as a signature in AV scanners. The AV scanner is supposed
to recognize the signature of the EICAR file, and alert as if it was
malicious. So you can know the AV is actually doing its job. So, because
just moving the EICAR file around brings up alerts, I know the AV scanner
will alert when trying to manipulate an infected file.

> Woof! Sorry for the long tangent. To synopsize: Outgoing e-mails, yes,
> scanning can definitely cause problems and it's well defined. But what
> about with incoming? I suspect it creates no problem and all the
> original hoopla was because many programs didn't separate in/out so you
> use/kill both or nothing at all. Then the "myth" didn't keep up with
> technology.

OTOH, since, in my experience, the AV scanner barks whenever it encounters
an infected file, whether it is scanning email, or not, I have decided that
email scanning is, essentially, wasteful redundancy. I follow the "KISS"
principle: "Keep It Simple, Stupid". Email scanning violates "KISS", without
demonstrably enhancing protection. So I'll not be scanning incoming email.
At least until somebody can demonstrate how a virus can get past the local,
memory resident, on access scanner, if the email scanner doesn't catch it
first.
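The mechanism guessed at in the post above can be modelled in a few lines. This is an added sketch, not part of the thread and not a description of any particular AV product: it models the RFC 1939 rule that `DELE` only marks a message and removal happens at `QUIT`, then compares a store-and-scan proxy with a direct session. The class and function names, message contents and timings are constructed for illustration.

```python
# Model of RFC 1939 deletion semantics behind a store-and-scan proxy.
# All names, messages and timings are constructed for illustration.

class Pop3Mailbox:
    """Upstream server: DELE only marks; removal happens on QUIT (UPDATE state)."""
    def __init__(self, messages):
        self.messages = dict(enumerate(messages, 1))
        self.marked = set()

    def command(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "RETR":
            return self.messages[int(arg)]
        if verb == "DELE":
            self.marked.add(int(arg))
        elif verb == "QUIT":                  # commit the marked deletions
            for n in self.marked:
                del self.messages[n]
            self.marked.clear()
        return "+OK"

    def drop(self):
        """Connection lost before QUIT: marks are discarded, mail is kept."""
        self.marked.clear()


def fetch_via_proxy(server, scan_secs_per_msg, client_timeout):
    """Proxy drains the mailbox and ends its upstream session, then scans.
    Returns (messages delivered to client, messages left in proxy temp)."""
    temp = {n: server.command(f"RETR {n}") for n in list(server.messages)}
    for n in temp:
        server.command(f"DELE {n}")
    server.command("QUIT")                    # upstream mailbox is now empty
    if scan_secs_per_msg * len(temp) > client_timeout:
        return [], temp                       # client gave up; mail only in temp
    return list(temp.values()), {}


def fetch_direct(server, stall_secs, client_timeout):
    """Client talks to the real server; a stall aborts the session before QUIT."""
    got = [server.command(f"RETR {n}") for n in list(server.messages)]
    if stall_secs > client_timeout:
        server.drop()                         # no QUIT, so nothing is deleted
        return []
    for n in list(server.messages):
        server.command(f"DELE {n}")
    server.command("QUIT")
    return got
```

With three messages, 25 seconds of scanning each and a 60 second client timeout, the proxy path leaves the client with nothing and the server empty, so the only copies are in the proxy's temp store; the same timeout on a direct session leaves all three messages on the server.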
