Port 995 & TLS.

Discussion in 'NOD32 version 2 Forum' started by Black20VT, Jun 19, 2003.

Thread Status:
Not open for further replies.
  1. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    Hi,

    Unless I've missed it, how does NOD32 V2 handle scanning POP3 mail that comes through Port 995 using TLS?

    My understanding is that the mail is encrypted, so how does the 'Winsock' layer scan this?

    o_O

    Thanks,

    Chris.
     
  2. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi,

    IMON is not scanning encrypted e-mails.

    Rgds,

    jan
     
  3. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    Hi Jan,

    Thanks for your reply.

    If that is the case, how can I scan my encrypted mails before any damage can be done?

    I'm using The Bat! as my e-mail client and use a direct AV plug-in with DrWeb that works very well. Are there plans to develop a new plug-in to be used with The Bat! and NOD32 V2 as there was with NOD32 V1?

    My license renewal with DrWeb is almost due and am currently assessing the competition, hence my questions.

    Cheers,

    Chris.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Black20VT,

    Usually, encrypted email relies heavily on signed keys. I take it you don't sign a key unless you've verified it, and thus acknowledged the key as trustworthy. Taking this into account, plus the fact there's no malware ITW capable of encrypting emails (this has to be done by the one owning the private key): what damage are you referring to?

    regards.

    paul
     
  5. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    Hi Paul,

    The security certificate is only for the connection between the server hosting my email and my email client (The Bat!). Therefore, the mail itself may have come from an untrustworthy source.

    I hope this makes sense!?

    Cheers,

    Chris.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I see; that's loud and clear. Just curious: besides that, you aren't referring/using PGP or sortalike encryption software?

    Sure it does ;)

    regards.

    paul
     
  7. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    TLS stands for Transport Layer Security, a new name for Netscape SSL (Secure Socket Layer). It can be applied to several protocols (like SMTP, POP3, IMAP) to get the same security benefits that users normally get with data encryption over HTTPS. In other words, it is a "tunnelling" protocol useful to assure the privacy of data exchange. TLS is quite useful for the privacy of data, but it cannot do anything against the type of data (rogue attachments, scripts) that users get through their own client (in our case, a mail user agent).

    Sorry for the poor explanation... but finally I'm leaving the office :cool:

    ciao,
    Paolo.
     
  8. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    I have the same situation. POP3 server is on Port 995; SMTP server is on port 495. This is plain old email, but is set up that way so I can use AT&T WN email addresses when connected to the Internet via SBC ADSL.

    Many things are impossible or very difficult with my setup. For example, Zone Alarm's Mail Safe protection is useless.

    I also have other email addresses managed by the same email client -- those addresses use normal POP3 server ports.

    I had to use the Stunnel program to be able to run the K9 spam filter program. Wonder if Stunnel could be used so that IMON would work?
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Paolo,

    Thanks - I know ;)

    Seems OK to me :cool:

    Enjoy a weekend well deserved!

    regards.

    paul
     
  10. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    Hi Paolo,

    That explanation is fine! :)

    But, it still doesn't really answer my question. Is there anything in NOD32 V2's artillery that will protect my mail other than saving anything to my local HD?

    An example of a possible problem is that I could receive a message with a virus through TLS, forward it onto a friend and the whole process has bypassed any sort of virus scanning from NOD32 V2.

    Now IMHO, email is possibly the greatest source for virus infection and if I can receive a mail and send it on without any interruption from NOD32 V2, then I'm concerned.

    As mentioned earlier, V1 of NOD32 had a plug-in that operated with The Bat! to eliminate this problem. Are there any plans for this to happen with V2, or even any other option open to me?

    Thanks,

    Chris.
     
  11. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    Any further news/suggestions on this? o_O

    Thanx.
     
  12. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    Sorry, I really don't know yet if IMON is "compatible" with TLS. I don't have such deep technical details about the implementation of IMON and at the moment I don't have enough time to make tests, so I suggest you send a PM to Jan. By the way, did you already test IMON under this condition? I mean: did you try to send yourself an eicar.com over a protected ("TLSed") mail connection?

    ciao,
    Paolo.
     
  13. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    Hi Paolo,

    To be honest, with a combination of dial-up (NOD32 V2 download is over 5MB) and currently running DrWeb (I've heard about the horror stories about conflicts and have had first hand experience) I'm not really happy running this particular trial myself.

    I was therefore hoping that someone on this forum would know the answer, but it doesn't appear that way?

    Oh well, it looks like I'm going to continue with DrWeb with the TB! plug-in for the foreseeable future, which is fine, as it works really well.

    Thanks for your help and any further news/info would be appreciated.

    Cheers.
     
  14. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi Black,

    sorry for the delay - we have really a lot of things to do here. :)

    >I'm using The Bat! as my e-mail client and use a direct AV plug-in with DrWeb that works very well. Are there plans to develop a new plug-in to be used with The Bat! and NOD32 V2 as there was with NOD32 V1?

    I don't know exactly which plugin in v1 you mean. IMON works on the Winsock level and it's independent of the e-mail client.

    >Therefore, the mail itself may have come from an untrustworthy source.

    The user should be aware of what source the e-mail is coming from before opening it.

    >Now IMHO, email is possibly the greatest source for virus infection and if I can receive a mail and send it on without any interruption from NOD32 V2, then I'm concerned.

    Anyway AMON would stop a possible virus when attempting to save it to the disk. It's not usual that the AV programs would open the encrypted e-mails.

    Thks., :)

    jan
     
  15. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi marti,

    >I have the same situation. POP3 server is on Port 995; SMTP server is on port 495. This is plain old email, but is set up that way so I can use AT&T WN email addresses when connected to the Internet via SBC ADSL.

    You can try to enter the POP3 port 995 to the IMON setup.

    >Wonder if Stunnel could be used so that IMON would work?

    Have you tried it?

    Thanks, :D

    jan
     
  16. Black20VT

    Black20VT Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    22
    Location:
    England
    No worries.

    I think this was possibly developed by Ritlabs themselves. It was a plug-in that scanned mails as they arrived. If a mail was found to be infected, you could put it in a 'Quarantine' folder within the client.

    Fair enough, but what if they don't keep their virus definitions up to date? I know of many people that haven't updated their virus definitions for months on end, including fellow family members (much to my displeasure! :rolleyes:)

    Again, this is fair enough, but with security on the internet becoming more and more of an issue, I feel more people will start to use TLS. In this case, things that are opened within the client rather than being saved to disk will remain unchecked by any virus software.

    So for my particular usage, IMON is unable to check TLS received mail and AMON is unable to scan the mail unless I save messages to my hard disk?

    As I expect most people use Outlook Express for e-mail, is there an option within this to use TLS? If this is the case, I feel this is a vulnerability and a window for a virus to infect a machine.

    Sorry for going on, but I run quite a tight ship here as I'm sure many people do and this appears to be a potential opening.

    What are people's thoughts?

    Thanks.
     
  17. Tomas

    Tomas Eset Staff Account

    Joined:
    May 2, 2003
    Posts:
    216
    Hi Black20VT and all others

    It's technically not possible to scan e-mail sent through a secure channel. IMON is getting transmitted data in the same form as they are sent to/received from the network. So, if it were possible to even read, or to modify, this data, this wouldn't be a secure channel ;))

    Tomas
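    The two points made in this thread, that a Winsock-level scanner on port 995 sees only TLS records (Tomas), and that a local TLS terminator such as Stunnel gives a plaintext loopback leg that a scanner can read (marti's question), can be shown in a few lines. The block below is an added example written for this page; it is not code from the thread, from ESET or from the Stunnel project. The listen port 1100, the host pop.example.com, the POP3 transcript and the detection marker are all constructed values, and the marker is a stand-in for a real signature (the real EICAR string mentioned in the thread is deliberately not embedded).

```python
"""Added example: local TLS termination for POP3S with a scanner on the
plaintext loopback leg.  Not code from the thread, ESET or Stunnel."""
import socket
import ssl
import threading

# Constructed marker standing in for a real detection signature.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


class PlaintextStreamScanner:
    """Counts occurrences of a byte signature in a stream fed chunk by chunk,
    including a signature that straddles two chunks.  This only works on a
    plaintext leg: on port 995 itself the same bytes arrive as TLS records."""

    def __init__(self, signature: bytes = TEST_SIGNATURE):
        self.sig = signature
        self._tail = b""       # last len(sig)-1 bytes of the previous chunk
        self.hits = 0

    def feed(self, data: bytes) -> int:
        window = self._tail + data
        found = window.count(self.sig)
        self.hits += found
        keep = len(self.sig) - 1
        self._tail = window[-keep:] if keep > 0 else b""
        return found


def pump(src, dst, on_data=None):
    """Copy bytes src -> dst until EOF, handing each chunk to on_data first."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            if on_data is not None:
                on_data(data)
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def serve_local_terminator(listen_port: int, remote_host: str,
                           remote_port: int = 995, scanner=None):
    """Accept plaintext POP3 on 127.0.0.1:listen_port and relay it inside a
    verified TLS session to remote_host:remote_port (the job Stunnel does in
    client mode).  Point the mail client at 127.0.0.1:listen_port; a scanner
    watching that port sees plaintext while the wire still carries TLS."""
    ctx = ssl.create_default_context()      # verifies chain and hostname
    on_data = scanner.feed if scanner is not None else None
    with socket.create_server(("127.0.0.1", listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            raw = socket.create_connection((remote_host, remote_port))
            tls = ctx.wrap_socket(raw, server_hostname=remote_host)
            threading.Thread(target=pump, args=(tls, client, on_data),
                             daemon=True).start()
            threading.Thread(target=pump, args=(client, tls),
                             daemon=True).start()


# Constructed server->client bytes for one POP3 RETR response, as the client
# (or a loopback-side scanner) sees them after TLS termination.
SAMPLE_RETR = (
    b"+OK 120 octets\r\n"
    b"From: sender@example.com\r\n"
    b"Subject: constructed test message\r\n"
    b"\r\n"
    b"attachment-bytes CONSTRUCTED-TEST-SIGNATURE more-bytes\r\n"
    b".\r\n"
)


def demo_scan(chunk_size: int = 7) -> int:
    """Feed SAMPLE_RETR in small chunks, so the marker straddles chunk
    boundaries, and return the number of hits found."""
    scanner = PlaintextStreamScanner()
    for i in range(0, len(SAMPLE_RETR), chunk_size):
        scanner.feed(SAMPLE_RETR[i:i + chunk_size])
    return scanner.hits


if __name__ == "__main__":
    print("hits on plaintext leg:", demo_scan())   # 1
    # Against a real POP3S server (assumed hostname), run e.g.:
    # serve_local_terminator(1100, "pop.example.com", 995, PlaintextStreamScanner())
```

    The design point is where the trust decision lives: the terminator, not the mail client, now verifies the server certificate (create_default_context checks the chain and the hostname, the equivalent of Stunnel's verification options), the network leg stays encrypted so credentials are never sent in the clear, and the plaintext exists only on the loopback interface of the same machine. That is also why the scanner cannot simply be "told about port 995": it would only ever see ciphertext there.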
     
  18. ehinmers

    ehinmers Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    1
    Re: Port 995 & TLS.

    Hi Tomas, Black20VT, and all other interested parties.

    As a recent NOD32 adopter who ditched Norton AV's bloatware, I'm also very interested in finding a way to have IMON scan incoming POP3 email over a TLS/SSL connection. Sending out your POP server's address, username and password in clear text during every session to every network in between you and the source definitely seems to be the worst of both evils in my book, but I still have to admit that I'm a little concerned about having no effective means of scanning incoming mail because of this.

    I definitely have to agree that scanning encrypted email in raw form isn't technically possible or feasible, and it wouldn't be considered secure if you could. I am curious though if the idea of adding an SSL crypto engine to IMON has been tossed around so it can intercept and scan encrypted SSL/TLS streams on the fly? SSL encryption isn't tied to a particular client or user, it's just a way for the client to negotiate an encrypted session with the server using the public and private keys.

    In my particular case, my server employs an OpenSSL self-signed wildcard cert which is primarily used for HTTPS (Apache/OpenSSL) and POP3S (Qpopper with TLS) connections to my colo box. The cert itself is saved to the keyrings on my individual workstations so SSL aware clients (IE and my mail client) automatically validate it as a trusted cert. I guess I'm just one of those overly secure minded fools who uses encryption for just about anything I possibly can. :D

    --Eric
     
    Last edited: Jul 19, 2004