Port 995 & TLS.

Hi,

Unless I've missed it, how does NOD32 V2 handle scanning POP3 mail that comes through Port 995 using TLS?

My understanding is that the mail in encripted, so how does the 'Winsock' layer scan this?



Thanks,

Chris.

 

Hi,

IMON is not scanning encrypted e-mails.

Rgds,

jan

 

Hi Jan,

Thanks for your reply.

If that is the case, how can I scan my encripted mails before any damage can be done?

I'm using The Bat! as my e-mail client and use a direct AV plug-in with DrWeb that works very well. Are there plans to develop a new plug-in to be used with The Bat! and NOD32 V2 as there was with NOD32 V1?

My license renewal with DrWeb is almost due and am currently assessing the competition, hence my questions.

Cheers,

Chris.

 

Hi Paul,

The security certificate is only for the connection between the server hosting my email and my email client (The Bat!). Therefore, the mail itself may have come from an untrustworthy source.

I hope this makes sense!?

Cheers,

Chris.

 

TLS stands for Transport Layer Security, a new name for Netscape SSL (Secure Socket Layer). It can be applied to several protocols (like SMTP, POP3, IMAP) to get the same security benefits that users get normally with data encryption over HTTPS. In other words, it is a "tunnelling" protocol useful to assure the privacy of data exchange. TLS is quite useful for the privacy of data, but it cannot do anything against the type of data (rogue attachments, scripts) that users get by his own client (in our case, a mail user agent).

Sorry for the poor explanation... but finally I'm leaving the office

ciao,
Paolo.

 

I have the same situation. POP3 server is on Port 995; SMTP server is on port 495. This is plain old email, but is set up that way so I can use AT&T WN email addresses when connected to the Internet via SBC ADSL.

Many things are impossible or very difficult with my setup. For example, Zone Alarm's Mail Safe protection is useless.

I also have other email addresses managed by the same email client -- those addressess use normal POP3 server ports.

I had to use the Stunnel program to be able to run the K9 spam filter program. Wonder if Stunnel could be used so that IMON would work?

 

Hi Paolo,

That explanation is fine!

But, it still doesn't really answer my question. Is there anything in NOD32 V2's artillery that will protect my mail other than saving anything to my local HD?

An example of a possible problem is that I could receive a message with a virus through TLS, forward it onto a friend and the whole process has bypassed any sort of virus scanning from NOD32 V2.

Now IMHO, email in possibly the greatest source for virus infection and if I can receive a mail and send it on without any interuption from NOD32 V2, then I'm concerned.

As mentioned earlier, V1 of NOD32 had a plug-in that operated with The Bat! to eliminate this problem, are there any plans for this to happen with V2, or even any other option open to me?

Thanks,

Chris.

 

Any further news/suggestions on this?

Thanx.

 

Sorry, I really don't know yet if IMON is "compatible" with TLS, I don't have such deep technical details about the the implementation of IMON and at the monent I don't have enough time to make tests, so I suggest you to send a PM to Jan. By the way, did you already test IMON under this condition? I mean: did you try to send to yourself an eicar.com over a protected ("TLSed") mail connection?

ciao,
Paolo.

 

Hi Paolo,

To be honest, with a combination of dial-up (NOD32 V2 download is over 5MB) and currently running DrWeb (I've heard about the horror stories about conflicts and have had first hand experience) I'm not really happy running this particular trial myself.

I was therefore hoping that someone on this forum would know the answer, but it doesn't appear that way?

Oh well, it looks like I'm going to continue with DrWeb with the TB! plug-in for the forseeable future, which is fine, as it works really well.

Thanks for your help and any further news/info would be appreciated.

Cheers.

 

Hi Black,

sorry for the delay - we have really a lot of thing to do here.

>I'm using The Bat! as my e-mail client and use a direct AV plug-in with DrWeb that works very well. Are there plans to develop a new plug-in to be used with The Bat! and NOD32 V2 as there was with NOD32 V1?

I don't know exactly what plugin in v1 do you mean. IMON works on the Winsock level and it's independent on the e-mail client.

>Therefore, the mail itself may have come from an untrustworthy source.

The user should be aware from what souce is the e-mail coming before opening it.

>Now IMHO, email in possibly the greatest source for virus infection and if I can receive a mail and send it on without any interuption from NOD32 V2, then I'm concerned.

Anyway AMON would stop a possible virus when attepting to save it to the disk. It's not usual that the AV programs would open the encrypted e-mails.

Thks.,

jan

 

Hi marti,

>I have the same situation. POP3 server is on Port 995; SMTP server is on port 495. This is plain old email, but is set up that way so I can use AT&T WN email addresses when connected to the Internet via SBC ADSL.

You can try to enter the POP3 port 995 to the IMON setup.

>Wonder if Stunnel could be used so that IMON would work?

Have you tried it?

Thanks,

jan

 

No worries.

I think this was possibly developed by Ritlabs themselves. It was a plug-in that scanned mails as they arrived. If it was found the be infected, you can put the mail in a 'Quarantine' folder with the client.

Fair enough, but what if they don't keep their virus definitions up to date? I know of many people that haven't updated their virus definitions for months on end, including fellow family members (much to my displeasure! )

Again, this is fair enough, but with security on the internet becoming more and more of an issue, I feel more people will start to use TLS. In this case, things that are opended within the client rather than being saved to disk will remain unchecked by any virus software.

So for my particular usage, IMON in unable to check TLS received mail and AMON is unable to scan the mail unless I save messages to my hard disk?

As I expect most people use Outlook Express for e-mail, is there an option within this to use TLS? If this is the case, I feel this is a vulnerability and a window for a virus to infect a machine.

Sorry for going on, but I run quite a tight ship here as I'm sure many people do and this appears to be a potential opening.

What are people's thoughts?

Thanks.

 

Hi Black20VT and all others

I'ts technically not possible to scan e-mail sent through secure channel. Imon is getting transmited data in the same form as they are sent to/received from network. So, if it were possible to even read, or to modify this data, this wouldn't be secure channel )

Tomas

 

Re: Port 995 & TLS.

Hi Tomas, Black20VT, and all other interested parties.

As a recent NOD32 adopter who ditched Norton AV's bloatware, I'm also very interested in finding a way to have IMON scan incomming POP3 email over a TLS/SSL connection. Sending out your POP servers address, username and password in clear text durring every session to every network in between you and the source definitly seems to be the worst of both evils in my book, but I still have to admit that I'm little concerned about having no effective means of scanning incomming mail because of this.

I definitly have to agree that scanning encrypted email in raw form isn't technically possible or feasible, and it wouldn't be considered secure if you could. I am curious though if the idea of adding a SSL crypto engine to IMON has been tossed around so it can intercept and scan encrypted SSL/TLS streams on the fly? SSL encryption isn't tied to a particular client or user, it's just a way for the client to negotiate an encrypted session with the server using the public and private keys.

In my particular case, my server employs an OpenSSL self signed wildcard cert which is primarily used for HTTPS (Apache/OpenSSL) and POP3S (Qpopper with TLS) connections to my colo box. The cert itself is saved to the keyrings on my individual workstations so SSL aware clients (IE and my mail client) automatically validate it as a trusted cert. I guess I'm just one of those overly secure minded fools who uses encryption for just about anything I possibly can.

--Eric