Imon not scanning all mail

Discussion in 'NOD32 version 2 Forum' started by gberns, May 13, 2005.

Thread Status:
Not open for further replies.
  1. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    I am using the new, final 2.5 version and use Thunderbird as my mail client. I have it set to retrieve mail from Road Runner (my ISP), my Yahoo account, and my 2 Gmail addesses. Road Runner uses POP port 110, Yahoo uses port 1101 and gmail uses port 995. I have listed all these ports in the Imon setup. I have checked the radio button to put a message on all incoming email so I will know it is being scanned.

    My RR and Yahoo mail bear the NOD32 scanned messages have the scanned message. My gmail messages do not. I even put the gmail port number first in Imon to make sure it wasn't being skipped by being at the end. Made no difference.

    Any ideas out there?

    Thanks.

    Gary
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    You cannot scan secure connections like those used in GMail and many others (SSL/TLS). This is only possible via EMON i belive (using MS Outlook)...
     
  3. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    Are you saying that gmail is unable to be scanned if received by a POP3 client?
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Thats correct. Encrypted connections cannot be scanned by any antivirus.
    They can only be scanned in MS Outlook using dedicated scan module (like EMON for NOD32 or MS Outlook/Exchange provider for avast! for example).
    Thats because MS Outlook uses MAPI interface which is different than one used in other standard POP3 mail clients.
     
  5. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    Now I am going to start to appear dumb (my natural state). Obviously the mail is decrypted before I see it or I wouldn't be able to read it. Why is it not scanned when the mail client decrypts it? This looks like a rather large hole in my security.

    Gary
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    There are 3 stations:

    Mail Server -> Mail Scanner(Local) -> YOU (Mail client)

    Now mail client requests status check,mail server returns info that new mail is available. Mail client requests it and server sends the mail data.
    Now mail was requested by mail client,but since there is Mail scanner in between,data needs to be checked (intercepted on low level) and after that submitted to mail client.

    If the connection is encrypted,you cannot check it without breaking this 3 stage procedure (thats the whole point of encryption anyway).
    If you do,mail scanner won't be able to make any use of recieved data since it would expect it to be encrypted,but antivirus would send it unencrypted.

    It's a bit different in MAPI case. Mails are scanned when they are already on machine(this is the way how MAPI works),so they can be checked even if the server requires SSL,because mail is already in unencrypted form.
     
  7. Mephisto

    Mephisto Guest

    I find it odd that it can't scan encrypted mail - especially lately with the encrypted e-mail viruses making their rounds.

    As pointed out - at some point the mail becomes un-encrypted so that it's in a readable form ... the connection itself may not be able to be scanned, but the mail sure should.

    Sounds like other A.V.'s have found ways to do this and it is possible ... why can't Nod?

    http://www.silicon.com/software/security/0,39024655,39118922,00.htm
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci823563,00.html
    http://www.norman.com/News/Press_releases/2001/3717/en
    http://antivirus.about.com/od/vendorpressreleases/a/pr041503.htm
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Let's teach me how to decrypt SSL emails and I'll give you 1000 bucks. (no doubt there is a lot of people who would give you much more)
     
  9. Mephisto

    Mephisto Guest

    No comment on the articles? ... just a snide remark. (what else would i expect)

    So your saying all these articles are fabrications?
    Or is it sour grapes that your AV is sorely lagging behind the others?

    Read it and weep Marcos.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We're talking about SSL communication, not about password protected archives with the password listed in the email body.
     
  11. Happy Bytes

    Happy Bytes Guest

    Would you mind to discuss with me? If yes, then please explain me the difference between SSL encryption and encrypted email worms!

    Encrypted email worms are similar to SSL encryption as Flying lilac pig has common with a banana which you throw against your monitor...
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well if they (ESET guys) could decrypt SSL connections on-the-fly,there is no point of using SSL in the first place don't you think? So no,it's not possible to do that.
     
  13. Happy Bytes

    Happy Bytes Guest

    The point is that he doesnt know what a ENCRYPTED email worm is.

    A encrypted email worm is a FILE which gets transfered 1:1 from the sender.

    Basically you can speak about polymorphic encrypted email worms (Magistr for instance) methamorphic encrypted email worms (Jeans for instance) and archiv-encrypted email worms with password for unpacking (some Baggle worms) That's it! This has nothing to do with SSL!
     
  14. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Mephisto,

    Regarding Panda being able to scan for viruses on EFS (Encrypting File System), it must be able to access the private key used for encryption and recovery of the file system. This is usually available either through the Windows Domain structure or through the local Administrator account. Panda has the ability to access both of these. Since Panda has access to the key, it can access and decrypt the contents of the encrypted file system.

    The article you linked to from Techtarget discusses having antivirus software residing on the enduser's computer scan the encrypted e-mail, but only after SSL decryption. IMON is not able to do this, but EMON can, provided you use Microsoft Outlook as your e-mail program.

    I believe that using the combination of Outlook and EMON should be able to do what you are asking for.
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I dont know much, but from what I know, I would agree with this statement.
     
  16. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    I think what he means is that why can't NOD32 scan emails after it has arrived into your inbox. Sorry if this wan't his exact meaning or something... 4am here..cant think well!
     
  17. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    That is exactly what I meant.

    Didn't realize I was going to start such a discussion when I posted my simple gmail question especially since I couldn't tell a polymorph from an ectomorph if they were standing right in front of me.
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    For SSL connections,IMON doesn't do anything. AMON checks files as last line of defense for every other module. So if IMON POP3 scanner missed something (lets say because it was locked in archive),AMON will detect that file upon user extraction. If IMON HTTP missed the file for very same reason,AMON will detect it again. Its the same for all modules. It's ok if it gets detected at entry point,but sometimes that simply isn't possible (like in locked archive case or in your case with SSL connection for GMail). AMON always keeps an eye on local files.
     
Thread Status:
Not open for further replies.