***URGENT***: new NOD32 4.2BE clts scanning ALL past Outlook emails

Discussion in 'ESET Endpoint Products' started by Reedmikel, Feb 2, 2012.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    read means as email comes in my eset scans it and the attachments if any for malware.

    I don't rescan existing email in existing folders or any new email I send out.

    MS Outlook is integrated (meaning using) eset as it's AV scanner.

    If you used another product that was integratable with MS Outlook then that would be used.

    My screeen shot came from Esets advanced settings tab which I suspect you have as well in your version of eset. Right click on my eset icon in task bar reveals it.

    The notion of rescanning old yet stored in folders likely email is that a email from the distant past may have slipped by and older version of eset and is lurking ready to get you. I know you hit one of those but I have to admit I don't worry on that matter. Looks like eset took care of yours anyway.

    I would turn off this historical scan thingy.... low low risk eats up too much at your end.
     
  2. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Hmmm, then what is the difference between Email to scan's Received email vs Read email ?

     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I interpret Received as incoming now not yet read, and read as past tense ie read earlier. Their help documentation is not fully clear.
    To be "safe" you could tick all except sent.


     
  4. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    But earlier you said "read means as email comes in my eset scans it".

    I think you have proven my point that the documentation needs to be improved :)

    Marcos - can you answer my last series of posts? Tks - Mike

     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    You are right, I mispoke before got worried and brought up the image for you to see the actual setting.


    Where the h..ll is eset support? This is the official support forum right:mad:

    Why do I scan email anyway? For now I'll just turn it off till this is clear.
     
  6. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Sometimes I think the moderators go on vacation or something, as one day they reply, then we wait for days. Often I have to "bump" the thread to get attention.

    MARCOS - are you out there?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    I'm sorry for the delay but still waiting for a reply from developers.
     
  8. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Marcos - any word from the developers yet?
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    The only explanation is that another plug-in considered adding a special property as message modification and thus invoked scanning on message read. As suggested before, disabling scanning of read emails (ie. when the "read" event is invoked by a plug-in or the user by opening a message) would most likely help in this case.
     
  10. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    No, no other plug-ins are installed. I can tell you that ESET moved many OLD messages to an INFECTED ITEMS folder (that ESET created). Maybe you can have your developers get in touch with me since I think it is behaving differently than you expect.

    By the way, why does it take so long to get answers in this forum? I thought this was the official support forum, right? Do you need more staff? I am sure you are working hard, but you should be aware that many threads are taking too long for ESET to reply to...
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    First of all, disable scanning read emails as suggested before to see if it makes a difference.
     
  12. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Hi Marcos - I disabled that READ setting back on Feb 2nd after my customer's network performance was so severely impacted by NOD32's initial scanning of all emails. I was so concerned about how much it impacted my first NOD32 customer that I disabled the following settings later that same day:

    Email filter->Setup:
    - Scan received messages: No
    - Scan sent message: No
    - Scan read messages: No

    Email client->Setup:
    - Integrate into Microsoft Outlook: No


    I then had customer restart Outlook on all their PCs and the problem was resolved.


    BUT, IF YOU READ THRU ALL MY POSTS IN THIS THREAD, you'll see that I was asking why OLD EMAILS were being scanned by NOD32 (and sent to ESET for analysis) and placed in the INFECTED ITEMS folder? I am talking about the initial behavior of NOD32 and its Outlook plug-in *before* I disabled all the settings listed above.

    Back on 2/7 you said "After installation of EAV/ESS, Outlook goes through all messages in Inbox and, for the purpose of optimization and avoiding scanning of existing messages, adds a special property to each of the message. ESET does not scan the messages at all."

    I believe you are incorrect, as I saw plenty of signs that OLD EMAILS were being scanned, such as alerts displaying on user's screens as NOD32 detected infected emails. I thought you were going to ask the developers to clarify EXACTLY what happens when Outlook and your NOD32 plug-in run for the very first time after NOD32 is deployed.

    I sense you are overwhelmed in answering all the posts in this forum (maybe you need more staff?). I believe if you took more time to thoroughly read and respond to our posts, questions would be resolved much sooner. I am sure you are doing your best, but as a newbie I feel it is important for me to give you honest feedback. So far, support in this forum has been very disappointing, with delays of days or weeks waiting for some answers. I hope your company provides you with the additional resources you obviously need. Feel free for you or ESET to call me to discuss my experiences using this forum. I can be reached at 973-236-1100.

    Sincerely,

    -Mike Reed
    CompuSolve

     
  13. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    And let me emphasize: I am trying to learn from this problem so that it never happens to another customer of mine! That is why i am asking for detailed explanations as to how your product works. I have solved the problem for the moment by disabling all the email policy settings listed in my last post. But, i would like to be able to use email protection in the future (without crippling customer's network)...

    And, as i have said since day 1 of using your product, the lack of documentation on all the policy settings make it near impossible for newbies to intelligently create their polices. Oddly, you never seem to reply to this criticism o_O Why not at least tell us when better documentation will be released?
     
    Last edited by a moderator: Mar 5, 2012
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    It's hardly to believe this. One of the add-ins locations is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins but a complete list of add-ons can be created using a logging version of one of our dlls. If you are interested in narrowing it down to a particular add-on that triggers scanning on message read, I can provide it to you.

    Already answered before: after installation, MS Outlook adds a special property to each message in Inbox. This operation does not trigger scanning at all.
    However, some add-ons may evaluate this operation as message modification and invoke scanning on read. Therefore we'd need to get a complete list of installed add-ons which would shed more light.
     
  15. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    If some other add-on was doing the scanning, why would it display a popup message that it is "sending to ESET for analysis"? The fact that I saw those pop up messages/alerts, and the fact that some OLD messages ended up in the Infected Items folder (which is created by ESET, not other vendors' add-ons) tells me it was ESET's NOD32 software that was doing the scan.

    Perhaps you can get me in touch with a senior developer or support person to talk about this issue in more depth? Even though I have disabled all the email policy settings, there still is plenty of "evidence" that I can show to your them which seems to suggest NOD32 does scan OLD emails after its initial deployment...

     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    This is what happened:
    - ESET was installed
    - Outlook added a special property to each of the messages in Inbox for performance optimization
    - another plug-in evaluated this operation as message modification and accessed each of the messages which subsequently invoked scanning on read by the ESET's plug-in
    - during the scan, infected messages were detected, you received an alert and the messages were moved to the "Infected items" folder
     
  17. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I don't see any signs of another AV vendor's Outlook add-in. Below is a screen shot of one PC's registry that I actually saw the ESET alerts popup after initial deployment of NOD32 on 2/2.

    Sure, if you have some tool that finds hidden Outlook add-ins, please provide me with a download link and instructions.

    http://file:///c:/temp/temp2.jpg

    I guess the "insert picture" tool does not accept the above format? How do you insert a picture in this forum? Other forums I have used accept local image files entered as links using the format "file:///<path\file.ext>".

    I will add as an attachment for now since I can't figure out how to insert image inline. Never mind - I see that .jpg attachments display inline...
     

    Attached Files:

  18. Lambert77655

    Lambert77655 Registered Member

    Joined:
    Mar 6, 2012
    Posts:
    2
    I guess others are simply disabling the Outlook integration? Otherwise, how do they handle say 50 or 100 users after initial NOD32 deployment, let alone more than that?
     
  19. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Being new to ESET, I wish I knew the answer. Seems like very few Business Edition users participate in these forums. Sure would be nice to hear from some that have used it for years.

    Since my disastrous deployment of NOD32 for my first customer I have disabled everything related to email scanning and Outlook integration. I am hoping to learn from this problem, get a better understanding of how/why this happened, and learn what policy settings need to be changed to avoid it happening on future deployments. I have complained endlessly to ESET that they need to document ALL the policy settings as well as provide some sort of "Getting Started" guide that would explain a lot of these nuances.

    ESET just doesn't seem to "get it": they should realize that Business Ed. users are responsible for administering hundreds to thousands of machines that use their software. So it is imperative that they provide thorough documentation as to how their product and policy settings work. ESET seems to be more of the mindset that we should just experiment with all the hundreds of undocumented policy settings until we find a combination that seems to work for us. I much prefer to be PROACTIVE and have a complete understanding of all their policy settings before I deploy their software.

    But, for some reason ESET believes that it's just too much work to document all the policy settingso_O Yet they spent the time to develop the settings:eek: They document a few of the settings in the NOD32 client software's help file, but the few settings that are documented are located in completely different branches of their policy trees (compared to the policy locations in ERAC). This makes it next to impossible to used ERAC's Policy Config tool to review and configure initial policies.

     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    The 2 add-ins shown in the screen shot above may not be all that are installed. In order to find out if this is the add-on that triggers scanning on read during the process of adding a new property to messages in Inbox, set the LoadBehavior value under the OutlookChangeNotifier.Connect key (Itunes add-on) to 0 and restart MS Outlook prior to installing ESET for the first time.
     
  21. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    It happened on other machines that do not have that add-in, so I think we can rule that iTunes add-in out.
    Also - the description of that add-in, "detects changes to CONTACTS and CALENDARS", seems to imply that email is not involved.

    You said you have some sort of tool that will list ALL add-ins. Can you share that with me?
     
  22. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    We deployed to about 200 computers, all using Outlook with no problems. We did not see any network issues and about 60 of the computers are on slow WAN links.

    As for the documentation, I agree, it definitely could be better. But honestly, I think it's taken me longer to read through your posts complaining about the documentation than it did to learn how the ERAC Policies work. If you are having trouble with ERAC, then make all your changes in the NOD32 client GUI where things are broken down a little easier, export the configuration file and import it into ERAC. You can then get a feel for where things are.
     
  23. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Rockshox - There are probably other unique factors, such as mailbox size, that determine whether you "feel the pain" when Outlook first runs after initial deployment of NOD32. Plus, did you have Outlook integration, and all the other undocumented email policy settings at their default values?

    I'm glad you had no issues (that your customers alerted you to), but my customer was very inconvenienced. And there was at least one other person on this forum that commented "yeah, it will run slow for the first day". So this is a known occurrence, albeit supposedly rare. Or maybe it's just under-reported...

    Using the different formatted help file (in client side) can be helpful, but it's a PITA to match the settings in ERAC to the client. Plus, how are newbies supposed to know this? IMO, ESET needs to do their homework and provide thorough docs to us admins. They are being very LAZY :mad:

    As far as the number and length of my posts - "the squeaky wheel gets the oil" :)

     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.