Email scanning - POP3S 995 (SSL)


Mover
October 28th, 2006, 09:42 PM
Does NOD32 scan email and attachments when they are being received from a POP3S (port 995 SSL) incoming server?

From what I understand, SSL is encrypted email.

My outgoing email is using SMTP (port 25).

covaro
October 28th, 2006, 09:45 PM
@Mover

http://www.eset.com/support/faq1.php?id=1102

There are some threads on here that talk about a product you can use that supposedly allows NOD32 to scan SSL traffic (never tried it myself though).

-Cov

Tommy
October 28th, 2006, 09:45 PM
{QUOTE-> Does NOD32 scan email and attachments when they are being received from a POP3S (port 995 SSL) incoming server?

From what I understand, SSL is encrypted email.

My outgoing email is using SMTP (port 25). <-QUOTE}
SSL incoming email messages cannot be scanned on winsock or port 995, as they are encrypted until they reach your email client (your MUI decrypts the message). The only chance would be a plugin for your e-mail client which accesses the NOD32 engine at API level for scanning after decryption.

BTW, no AntiVirus can do this!

i_kenefick
October 28th, 2006, 09:46 PM
In order for SSL encrypted streams to be scanned they would first need to be decrypted. NOD32 cannot decrypt the SSL stream and therefore cannot scan the data contained within. However... the contents would be scanned by AMON after they arrive. So there isn't a security concern here.

covaro
October 28th, 2006, 09:55 PM
@Mover

Found it:

http://www.stunnel.org/

Supposedly you can use this to scan SSL encrypted traffic with IMON. Can't tell you the particulars on that, but it might be worth a shot.

-Cov

Tommy
October 28th, 2006, 10:00 PM
{QUOTE-> @Mover

Found it:

http://www.stunnel.org/

Supposedly you can use this to scan SSL encrypted traffic with IMON. Can't tell you the particulars on that, but it might be worth a shot.

-Cov <-QUOTE}
IMHO, sTunnel provides encryption but not decryption.

n8chavez
October 29th, 2006, 12:33 AM
This is a feature that KAV 6 has. It is a very cool feature, especially for those of us that use Gmail. I hope it gets added to the version 3 feature set. But as of right now NOD32 2.7 cannot scan SSL (encrypted) ports.

Tommy
October 29th, 2006, 12:45 AM
{QUOTE-> This is a feature that KAV 6 has. It is a very cool feature, especially for those of us that use Gmail. I hope it gets added to the version 3 feature set. But as of right now NOD32 2.7 cannot scan SSL (encrypted) ports. <-QUOTE}
KAV scans SSL encrypted messages at the port or do you mean the plugin for Outlook?

n8chavez
October 29th, 2006, 12:48 AM
{QUOTE-> What do you mean? The plugin for Outlook? <-QUOTE}

I don't understand your question. There is no plugin required for scanning ssl ports if you were to use KAV 6.

Tommy
October 29th, 2006, 12:49 AM
{QUOTE-> I don't understand your question. There is no plugin required for scanning ssl ports if you were to use KAV 6. <-QUOTE}
Interesting, didn't know that. Where is this documented?

n8chavez
October 29th, 2006, 12:55 AM
{QUOTE-> Interesting, didn't know that. Where is this documented? <-QUOTE}

I have not read any "documentation" on it but I have used KAV 6 for a while, while waiting for MP1, and can verify this.

Tommy
October 29th, 2006, 01:02 AM
Ok, it seems that KAV does this by hijacking the certificate which the SSL connection uses. After the data scan the message is forwarded with a fake certificate to the MUI; but this will definitely result in an alert message of a good MUI that the SSL certificate is invalid. So that's no good because you don't know if you can trust this message or not.

n8chavez
October 29th, 2006, 01:06 AM
{QUOTE-> Ok, it seems that KAV does this by hijacking the certificate which the SSL connection uses. After the data scan the message is forwarded with a fake certificate to the MUI; but this will definitely result in an alert message of the MUI that the SSL certificate is invalid. So that's no good because you don't know if you can trust this message or not. <-QUOTE}

That's true and quite annoying at times. Not all certificates could be "installed" with Opera, so some could only be "accepted", which meant that I was alerted every time.

Blackspear
October 29th, 2006, 08:36 AM
Ladies and Gentlemen, this is the NOD32 Support Forum, please keep all topics to this. We do have another section here at Wilders to discuss all other antivirus software.

Cheers

Blackspear.

Tommy
October 29th, 2006, 08:43 AM
{QUOTE-> Ladies and Gentlemen, this is the NOD32 Support Forum, please keep all topics to this. We do have another section here at Wilders to discuss all other antivirus software. <-QUOTE}
Sorry, ok. So the answer to this thread is that, at present, NOD32 is for luck not able to scan SSL encrypted messages.

Mover
October 29th, 2006, 12:49 PM
{QUOTE-> Sorry, ok. So the answer to this thread is that, at present, NOD32 is for luck not able to scan SSL encrypted messages. <-QUOTE}

If that's the case, how much more of a security risk is it to have an email get decrypted by an email client (i.e. Outlook) and then get scanned by NOD? Obviously, the sooner a virus is detected, the better.

Does anyone know for sure how NOD is supposed to handle SSL? I've seen conflicting information when doing a search. From what I can see, on the Control Center, EMON shows the Number of Files Scanned incrementing by 2 as soon as an email is received in the Inbox.

Tommy
October 29th, 2006, 12:58 PM
NOD32 definitely does not scan SSL port 995, or in other words the incoming message in plain decrypted text. If it could, it would mean that the SSL certificate got hacked, which nobody wants. Anyway, if you execute a file in your MUI, Amon will get active. The meaning of SSL is that the data stream can't be read during sending.

An exception is Outlook in combination with Emon, which scans the emails after they have been decrypted by Outlook. I mentioned this in a post before (I called it a plugin with API access to NOD32). Emon does it in a similar way.

For my MUI a plugin exists, which also accesses the NOD32 scan engine at API level after decryption of the SSL message. But I don't use it.

Mover
October 29th, 2006, 04:46 PM
{QUOTE-> NOD32 definitely does not scan SSL port 995, or in other words the incoming message in plain decrypted text. <-QUOTE}

I'm not disagreeing with you. I was just looking for the detailed sequence of events that takes place when an email client like Outlook using NOD encounters an incoming SSL stream. There was some conflicting or unclear information I was finding when doing a search.

From what I've seen, EMON scans the email and its attachments the moment it appears in the Inbox without the user doing anything (i.e. open, preview, etc.) to the received email (when using Outlook).

There was some mention of other modules (AMON, IMON) that was making it unclear as to the sequence of events and at what exact point scanning of viruses was taking place.

If anyone has a more secure method or app of handling incoming SSL email, please post it. Thanks for the responses.

Tommy
October 29th, 2006, 04:49 PM
{QUOTE-> If anyone has a more secure method or app of handling incoming SSL email, please post it. Thanks for the responses. <-QUOTE}
Without Hacking or Hijacking the SSL Certificate, there is no other way.

i_kenefick
October 29th, 2006, 04:54 PM
{QUOTE-> Without Hacking or Hijacking the SSL Certificate, there is no other way. <-QUOTE}

On-Access scanner will detect malicious code after the mail has arrived. Detection of malicious code does not require that the SSL stream be intercepted.

EMON uses MAPI to scan Outlook email. This is an alternative method.
Thunderbird 1.5 allows messages to be scanned before they reach the inbox.

There is no security issue here.

Tommy
October 29th, 2006, 05:01 PM
{QUOTE-> On-Access scanner will detect malicious code after the mail has arrived. Detection of malicious code does not require that the SSL stream be intercepted.

EMON uses MAPI to scan Outlook email. This is an alternative method.
Thunderbird 1.5 allows messages to be scanned before they reach the inbox.

There is no security issue here. <-QUOTE}
I couldn't have said it better. :thumb:

Devinco
October 29th, 2006, 05:56 PM
{QUOTE-> From what I understand, SSL is encrypted email. <-QUOTE}
Just to be clear with SSL, it is the connection between the email client (MUA or Mail User Agent) and mail server that is encrypted, not the email itself.
Anything that travels through this encrypted connection (like a tunnel) appears from the outside to be encrypted. As soon as the email comes out of either end of the "SSL encrypted tunnel", it is not encrypted.

This is different from encrypting the contents of an email with something like PGP or Enigmail. This way the email is encrypted whether the connection is encrypted or not. From sender to receiver, the email is encrypted.

Even though the connection is encrypted between your MUA and mail server, the rest of the way from the sender is clear text.

Tommy
October 29th, 2006, 06:20 PM
{QUOTE-> Just to be clear with SSL, it is the connection between the email client (MUA or Mail User Agent) and mail server that is encrypted, not the email itself. <-QUOTE}

Sorry to get quite technical now, but IMHO this isn't totally correct, or I misunderstand some of your explanations. I quote because my English won't explain it in a better way.

{QUOTE-> SSL works at the socket level. SSL protects your messages by automatically encrypting the data as it travels between sockets. Data is automatically encrypted just before it goes out the door (socket), and automatically decrypted immediately after it enters the door.

SSL also provides the ability for both the client and server to identify themselves and enables applications to prohibit communications with unknown parties. This is accomplished by digital certificates which are exchanged between the sockets before they are secured.

During the initialization of the SSL communication, the server sends its certificate to the client. The server's certificate includes identifying information and also an encryption key which this client should use for the encrypted communication to follow and decrypt. The client is able to verify the authenticity of the certificate to prove to itself that it is indeed communicating with the correct mail server, otherwise an error is thrown.
<-QUOTE}

But enough of this technical stuff, I am getting headaches.

Devinco
October 29th, 2006, 06:35 PM
Thanks for the technical clarification Tommy. :)
Your explanation is more technically accurate.

The main point I was trying to make was for the OP not to assume that his/her email is safe from all prying eyes just because the MUA connects via SSL. It is encrypted within that connection, however once outside either end of the connection, it is clear text.

The idea was to show the difference between encrypting the content (which is always protected no matter where it travels) and encrypting the connection (which only protects the data while it passes through the connection).

rdsu
October 29th, 2006, 07:06 PM
{QUOTE-> Does NOD32 scan email and attachments when it is being received using POP3S (port 995 SSL) incoming server ? <-QUOTE}
Yes, it can scan...

Read the #4 post of this topic: Gmail (http://www.wilderssecurity.com/showthread.php?t=126298&highlight=stunnel) ;)

Tommy
October 29th, 2006, 07:17 PM
{QUOTE-> Yes, it can scan...

Read the #4 post of this topic: Gmail (http://www.wilderssecurity.com/showthread.php?t=126298&highlight=stunnel) ;) <-QUOTE}
Have you tried that? If this works, there are two questions:
- Is stunnel hijacking the certificate?
- Is the MUA reacting with error messages?

rdsu
October 29th, 2006, 07:25 PM
{QUOTE-> Have you tried that? If this works, there are two questions:
- Is stunnel hijacking the certificate?
- Is the MUA reacting with error messages? <-QUOTE}
I've been using it for about 2 years, and everything works fine.

Tommy
October 29th, 2006, 07:30 PM
I will check that out right now.

diginsight
October 31st, 2006, 04:38 AM
Gmail already uses extensive file extension filtering and virus scanning. Anything that manages to get through will be scanned by EMON or AMON. Are there any other mail providers that support SSL and do not scan for file extensions or viruses?

rdsu
October 31st, 2006, 04:55 AM
{QUOTE-> Gmail already uses extensive file extension filtering and virus scanning. Anything that manages to get through will be scanned by EMON or AMON. <-QUOTE}
I prefer to know that the files are infected, or contain phishing, before I open them.
Even if it is only on the Junk mail that I never open...

{QUOTE-> Are there any other mail providers that support SSL and do not scan for file extensions or viruses? <-QUOTE}
I don't know...

covaro
October 31st, 2006, 11:04 AM
{QUOTE-> Have you tried that? If this works, there are two questions:
- Is stunnel hijacking the certificate?
- Is the MUA reacting with error messages? <-QUOTE}

From what I can tell from reading, stunnel redirects the requests on the regular port to the SSL port on the appropriate host. More of a translator I would think, kind of a middle-man approach. stunnel performs the SSL connection and then routes it to your MUA via standard POP3.

So when it is being routed via POP3, NOD32 is then able to scan the unencrypted information for you before it reaches the MUA.

-Cov

Tommy
October 31st, 2006, 11:29 AM
I don't get this damn stunnel to run with Gmail >:(

rdsu
October 31st, 2006, 06:57 PM
{QUOTE-> I don't get this damn stunnel to run with Gmail >:( <-QUOTE}
1. Enable POP3 in the Gmail Settings
2. Configure your Email Client for Gmail - https://mail.google.com/support/bin/answer.py?ctx=%67mail&hl=en&answer=12103
3. If step 2 works, then go to "stunnel.config" and set "client = yes"
4. Do what I said in this post: http://www.wilderssecurity.com/showpost.php?p=718256&postcount=4

I tried it now, and it works...
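The setup covaro describes (stunnel terminating the SSL session locally and handing plain POP3 to the mail client) and rdsu's steps above, written out as an added example stunnel client configuration. This is not a file from the thread or from the stunnel project; the Gmail host name, the local port, the CA bundle path and the stunnel 5.x option names are assumptions. The point a practitioner should take from it: once the mail client talks to 127.0.0.1 in clear text, it never sees the server's certificate, so it will not raise the alerts Tommy asked about, and the trust decision it would otherwise make has to be configured into stunnel. stunnel does not verify the peer certificate unless told to, so a configuration without the verification lines below scans the mail but accepts any server that answers on port 995.

```ini
; stunnel client configuration (added example, not from the thread).
; Runs on the same machine as the mail client. The mail client is
; pointed at 127.0.0.1:110 with SSL turned off; stunnel opens the SSL/TLS
; session to the real POP3S server on 995. The POP3 traffic between
; stunnel and the mail client is plaintext on the loopback interface,
; which is where an email scanner listening on port 110 can see it.

; ---- global options ----
client = yes                      ; act as the SSL/TLS client towards the remote server (the setting rdsu mentions)

; Server-certificate verification now happens here, not in the mail client.
; Option names assume stunnel 5.x; CAfile is a placeholder for the local CA bundle.
verifyChain = yes                 ; reject a server whose certificate chain does not end at a trusted CA
CAfile = /path/to/ca-bundle.crt   ; placeholder path: CA bundle installed on this machine
sslVersionMin = TLSv1.2           ; refuse older protocol versions

; ---- one service per mailbox ----
[pop3s]
accept = 127.0.0.1:110            ; mail client connects here, plain POP3, loopback only
connect = pop.gmail.com:995       ; assumed POP3S host; substitute your provider's server
checkHost = pop.gmail.com         ; certificate subject must match the host we intended to reach
```

Binding `accept` to 127.0.0.1 rather than 0.0.0.0 keeps the plaintext leg of the connection off the network; `checkHost` is what turns "a valid certificate for some host" into "a valid certificate for this host", which is the check a mail client performs itself when it speaks POP3S directly.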