Infected mails

Discussion in 'Prevx Releases' started by pegas, Sep 21, 2009.

Thread Status:
Not open for further replies.
  1. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Today some nasty malware named Win32/TrojanDownloader.Small.NFG tried to infiltrate my computer via an e-mail message through POP3. Fortunately ESET Smart Security did its job and caught that threat. However, I would like to also see Prevx doing something. So my question is:
    1) Does Prevx check the e-mail communication (POP3) in real time?
    2) If so, why did ESS outrun Prevx and was the first to catch this threat?
    3) If Prevx is not scanning mails in real time, how and when will Prevx catch infected mails?
    Thx for clarification.
     
  2. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    Prevx 3 isn't monitoring the communication - as far as I think. That would just be a waste of resources. ;) As long as the malicious file is just "sleeping" on your hard drive as a mail attachment, it does no harm. If you (or who-/whatever) would try to execute it, then Prevx 3 would (hopefully) block it.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Couldn't have said it better myself :thumb:
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Before real-time email scanning became the rage with some AV vendors, the mantra used to be save and scan attachments before even thinking of opening them. I used to advise friends of this in the hope they wouldn't just blindly open such attachments even from people they know. I believe that kind of thinking should still apply today. Unfortunately, it doesn't, and that is one of the reasons why you hear media reports of infections spreading across networks.

    Today most of the infected attachments I've seen do look as if they come from unknown senders.
     
  5. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    If you open or run the attachment, the AVs will automatically scan it. - So where is the benefit of scanning before opening? Best is to let them stay closed. :)
     
  6. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Thx for the given thorough explanation that was supported by PrevxHelp as well :thumb: Very clear, so no other question.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    The only reason I said to scan it first was to avoid opening or running the attachment, thus keeping it closed as you said, but I take your point.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Scanning before open is a valid point for exploits which would come directly from the mail reader (there have been some in the past) but Prevx blocks code execution at all levels so we would still intercept it.

    Our mentality is generally to scan a file as little as necessary - in most cases just when it could potentially become a threat to your system. We are able to accomplish this because of the design of our behavior monitoring and the fact that although we don't scan a file as soon as it is written or read, we still do see those events and can act upon them if needed.
     