Email scanning - POP3S 995 (SSL)

Discussion in 'NOD32 version 2 Forum' started by Mover, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. Mover

    Mover Registered Member

    Does NOD32 scan email and attachments when it is being received using POP3S (port 995 SSL) incoming server ?

    From what I understand, SSL is encrypted email.

    My outgoing email is using SMTP (port 25).
     
  2. covaro

    covaro Registered Member

  3. Tommy

    Tommy Registered Member

    SSL incoming email messages cannot be scanned on winsock or port 995, as they are encrypted till they reach your email client (your MUI decrypts the message). The only chance would be a plugin for your e-mail client which accesses the NOD32 engine at API level for scanning after decryption.

    BTW, no AntiVirus can do this!
     
  4. i_kenefick

    i_kenefick Registered Member

    In order for SSL encrypted streams to be scanned they would first need to be decrypted. NOD32 can not decrypt the SSL stream therefore cannot scan the data contained within. However... contents would be scanned by AMON after they arrive. So there isn't a security concern here.
     
  5. covaro

    covaro Registered Member

    @Mover

    Found it:

    http://www.stunnel.org/

    Supposedly you can use this to scan SSL encrypted traffic with IMON. Can't tell you the particulars on that, but it might be worth a shot.

    -Cov
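
The stunnel arrangement covaro mentions, as an added example that is not part of the original post and not the stunnel project's own sample. It assumes a recent stunnel 5.x (for the `verifyChain` and `checkHost` option names); `pop.example.com` and `ca-certs.pem` are placeholders. In client mode stunnel accepts plain POP3 on loopback and carries it to the server over SSL/TLS, so the cleartext exists on the local port where a POP3-level scanner could inspect it:

```ini
; stunnel.conf, client mode: the mail client talks plain POP3 to the
; loopback listener, stunnel carries it to the server over TLS.
; pop.example.com and ca-certs.pem are placeholders (assumptions).

[pop3s]
client = yes
accept = 127.0.0.1:110
connect = pop.example.com:995

; The mail client no longer sees the server certificate, so the check
; has to happen here. Without these lines stunnel performs no
; certificate verification on the outgoing connection.
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.example.com
```

The mail client is then pointed at 127.0.0.1 port 110 with SSL switched off. Binding to 127.0.0.1 rather than all interfaces keeps the unencrypted leg on the local machine.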
     
  6. Tommy

    Tommy Registered Member

    IMHO, sTunnel provides encryption but not decryption.
     
  7. n8chavez

    n8chavez Registered Member

    This is a feature that KAV 6 has. It is a very cool feature, especially for those of us that use Gmail. I hope it gets added to the version 3 feature set. But as of right now NOD32 2.7 cannot scan SSL (encrypted) ports.
     
  8. Tommy

    Tommy Registered Member

    KAV scans SSL encrypted messages at the port or do you mean the plugin for Outlook?
     
  9. n8chavez

    n8chavez Registered Member

    I don't understand your question. There is no plugin required for scanning ssl ports if you were to use KAV 6.
     
  10. Tommy

    Tommy Registered Member

    Interesting, didn't know that. Where is this documented?
     
  11. n8chavez

    n8chavez Registered Member

    I have not read any "documentation" on it but I have used KAV 6 for a while, while waiting for MP1, and can verify this.
     
  12. Tommy

    Tommy Registered Member

    Ok, it seems that KAV does this by hijacking the certificate which the SSL connection uses. After the data scan the message is forwarded with a fake certificate to the MUI; but this will definitely result in an alert message from a good MUI that the SSL certificate is invalid. So that's no good because you don't know if you can trust this message or not.
     
    Last edited: Oct 29, 2006
  13. n8chavez

    n8chavez Registered Member

    That's true and quite annoying at times. Not all certificates could be "installed" with Opera, so could only be "accepted" which meant that I was alerted every time.
     
  14. Blackspear

    Blackspear Global Moderator

    Ladies and Gentlemen, this is the NOD32 Support Forum, please keep all topics to this. We do have another section here at Wilders to discuss all other antivirus software.

    Cheers

    Blackspear.
     
  15. Tommy

    Tommy Registered Member

    Sorry, ok so the answer to this thread is that at present NOD32 is fortunately not able to scan SSL encrypted messages.
     
  16. Mover

    Mover Registered Member

    If that's the case, how much more of a security risk is it to have an email get decrypted by an email client (i.e. Outlook) and then get scanned by NOD? Obviously, the sooner a virus is detected, the better.

    Does anyone know for sure how NOD is supposed to handle using SSL? I've seen conflicting information when doing a search. From what I can see, on the Control Center, EMON shows the Number of Files Scanned incrementing by 2 as soon as an email is received in the Inbox.
     
  17. Tommy

    Tommy Registered Member

    NOD32 definitely does not scan SSL port 995, or in other words the incoming message in plain decrypted text. If it could, it would mean that the SSL certificate got hacked, which nobody wants. Anyway, if you execute a file in your MUI, Amon will get active. The meaning of SSL is that the data stream can't be read during sending.

    An exception is Outlook in combination with Emon, which scans the emails after they have been decrypted by Outlook. I mentioned this in a post before (I called it a plugin with API access to NOD32). Emon does it in a similar way.

    For my MUI there exists a plugin, which also accesses the NOD32 scan engine on API level after decryption of the SSL message. But I don't use it.
     
  18. Mover

    Mover Registered Member

    I'm not disagreeing with you. I was just looking for the detailed sequence of events that takes place when an email client like Outlook using NOD encounters an incoming SSL stream. There was some conflicting or unclear information I was finding when doing a search.

    From what I've seen, EMON scans the email and its attachments the moment it appears in the Inbox without the user doing anything (i.e. open, preview, etc.) to the received email (when using Outlook).

    There was some mention of other modules (AMON, IMON) that were making it unclear as to the sequence of events and at what exact point scanning of viruses was taking place.

    If anyone has a more secure method or app of handling incoming SSL email, please post it. Thanks for the responses.
     
  19. Tommy

    Tommy Registered Member

    Without Hacking or Hijacking the SSL Certificate, there is no other way.
     
  20. i_kenefick

    i_kenefick Registered Member

    On-Access scanner will detect malicious code after the mail has arrived. Detection of malicious code does not require that the SSL stream be intercepted.
    • EMON uses MAPI to scan Outlook email. This is an alternative method.
    • Thunderbird 1.5 allows messages to be scanned before they reach the inbox.

    There is no security issue here.
     
  21. Tommy

    Tommy Registered Member

    I couldn't have said it better :thumb:
     
  22. Devinco

    Devinco Registered Member

    Just to be clear with SSL, it is the connection between the email client (MUA or Mail User Agent) and mail server that is encrypted, not the email itself.
    Anything that travels through this encrypted connection (like a tunnel) appears from the outside to be encrypted. As soon as the email comes out of either end of the "SSL encrypted tunnel", it is not encrypted.

    This is different from encrypting the contents of an email with something like PGP or Enigmail. This way the email is encrypted whether the connection is encrypted or not. From sender to receiver, the email is encrypted.

    Even though the connection is encrypted between your MUA and mail server, the rest of the way from the sender is clear text.
     
    Last edited: Oct 29, 2006
  23. Tommy

    Tommy Registered Member

    Sorry even to get quite technical now, IMHO this isn't totally correct, or I misunderstand some of your explanations. I quote because my English won't explain it in a better way.

    But enough of this technical stuff, I am getting headaches.
     
  24. Devinco

    Devinco Registered Member

    Thanks for the technical clarification Tommy. :)
    Your explanation is more technically accurate.

    The main point I was trying to make was for the OP not to assume that his/her email is safe from all prying eyes just because the MUA connects via SSL. It is encrypted within that connection, however once outside either end of the connection, it is clear text.

    The idea was to show the difference between encrypting the content (which is always protected no matter where it travels) and encrypting the connection (which only protects the data while it passes through the connection).
     
  25. rdsu

    rdsu Registered Member

    Yes, it can scan...

    Read the #4 post of this topic: Gmail ;)
     