Email scanning - POP3S 995 (SSL)

Discussion in 'NOD32 version 2 Forum' started by Mover, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    Does NOD32 scan email and attachments when it is being received using POP3S (port 995 SSL) incoming server ?

    From what I understand, SSL is encrypted email.

    My outgoing email is using SMTP (port 25).
     
  2. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    SSL incoming email messages can not be scanned on winsock or port 995, as they are encrypted till they reach your email client (your MUI decrypts the message). The only chance would be a plugin for your e-mail client which accesses on API-Level the NOD32 engine for scanning after decryption.

    BTW, no AntiVirus can do this!
     
  4. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    In order for SSL encrypted streams to be scanned they would first need to be decrypted. NOD32 can not decrypt the SSL stream therefore cannot scan the data contained within. However... contents would be scanned by AMON after they arrive. So there isn't a security concern here.
     
  5. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @Mover

    Found it:

    http://www.stunnel.org/

    Supposedly you can use this to scan SSL encrypted traffic with IMON. Can't tell you the particulars on that, but it might be worth a shot.

    -Cov
     
  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    IMHO, sTunnel provides encryption but not decryption.
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    This is a feature that KAV 6 has. It is a very cool feature, especially for those of us that use Gmail. I hope it gets added to the version 3 feature set. But as of right now NOD32 2.7 cannot scan sll (encrypted) ports.
     
  8. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    KAV scans SSL encrypted messages at the port or do you mean the plugin for Outlook?
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    I don't understand your question. There is no plugin required for scanning ssl ports if you were to use KAV 6.
     
  10. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Interesting, didn't knew that. Where is this documented?
     
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    I have not read any "documentation" on it but I have used KAV 6 for a while, while waiting for MP1, and can verify this.
     
  12. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Ok, it seams that KAV does this by hijacking the certificate which the SSL connection uses. After the data scan the message is forworded with a fake certificate to the MUI; but this will result defenetly in an Alert Message of a good MUI that the SSL certificate is invalid. So that's no good because you don't know if you can trust this message or not.
     
    Last edited: Oct 29, 2006
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    That's true and quite annoying at time. Not all certificates could in "installed" with Opera, so could only be "accepted" which meant that I was alerted every time.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ladies and Gentlemen, this is the NOD32 Support Forum, please keep all topics to this. We do have another section here at Wilders to discuss all other antivirus software.

    Cheers

    Blackspear.
     
  15. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Sorry, ok so the anwser to this thread is, that at present NOD32 is for luck not able to scan SSL encrypted messages.
     
  16. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    If thats the case, how much more of a security risk is it to have an email get decrypted by an email client (ie Outlook) and then get scanned by NOD ? Obviously, the sooner a virus is detected, the better.

    Does anyone know for sure how NOD suppose to handle using SSL ? I've seen conflicting information when doing a search. From what I can see, on the Control Center, EMON shows that the Number of Files Scanned incrementing by 2 as soon as an email is received in the Inbox.
     
  17. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    NOD32 defenetly does not scan SSL port 995, or in other words the incoming message in plain decrypted text. If it could, would mean that the SSL certificate got hacked, what nobody wants. Any way, if you execute a file in your MUI , Amon will get active. The meaning of SSL is that the data stream can't be read during sending.

    An exeption is Outlook in combination with Emon, which scans the emails after they have been decrypted by Outlook. I mentioned this in a post before (i called it plugin with API access to NOD32). Emon does it in a similiar way.

    For my MUI exists a plugin, which also access the NOD32 scan engine on API level after decryption of the SSL message. But i don't use it.
     
  18. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    I'm not disagreeing with you. I was just looking for the detailed sequence of events that takes place when an email client like Outlook using NOD encounteres an incoming SSL stream. There was some conflicting or unclear information I was finding when doing a search.

    From what I've seen, EMON scans the email and its attachments the moment it appears in the Inbox without the user doing anything (ie open, preview, etc) to the received email (when using Outlook)

    There was some mention of other modules (AMON, IMON) that was making it unclear as to the sequence of events and at what exact point scanning of viruses was taking place.

    If anyone has a more secure method or app of handling incoming SSL email, please post it. Thanks for the responses.
     
  19. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Without Hacking or Hijacking the SSL Certificate, there is no other way.
     
  20. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    On-Access scanner will detect malicious code after the mail has arrived. Detection of malicious code does not require that the SSL stream be intercepted.
    • EMON uses MAPI to scan outlook email. This is an alternative method.
    • Thunderbird 1.5 allow messages to be scanned before they reach the inbox.

    There is no a security issue here.
     
  21. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I couldn't have said it better:thumb:
     
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Just to be clear with SSL, it is the connection between the email client (MUA or Mail User Agent) and mail server that is encrypted, not the email itself.
    Anything that travels through this encrypted connection (like a tunnel) appears from the outside to be encrypted. As soon as the email comes out of either end of the "SSL encrypted tunnel", it is not encrypted.

    This is different from encrypting the contents of an email with something like PGP or Enigmail. This way the email is encrypted whether the connection is encrypted or not. From sender to receiver, the email is encrypted.

    Even though the connection is encrypted between your MUA and mail server, the rest of the way from the sender is clear text.
     
    Last edited: Oct 29, 2006
  23. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Sorry even to get quiet tecnical now, IMHO this isn't totaly correct, or i miss understand some explanations of you. I quote because my english won't explain it in a better way.

    But enough of this tecnical stuff, i am getting headaches.
     
  24. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for the technical clarification Tommy. :)
    Your explanation is more technically accurate.

    The main point I was trying to make was for the OP not to assume that his/her email is safe from all prying eyes just because the MUA connects via SSL. It is encrypted within that connection, however once outside either end of the connection, it is clear text.

    The idea was to show the difference between encrypting the content (which is always protected no matter where it travels) and encrypting the connection (which only protects the data while it passes through the connection).
     
  25. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Yes, it can scan...

    Read the #4 post of this topic: Gmail ;)
     
Thread Status:
Not open for further replies.