PST file misery magnified after removal of traffic-level e-mail scanning from FSCS / FSPSB.
Considering that NDIS-level e-mail flow scanning has been removed from FSAV PSB Computer Protection and FSAVCS 13, I think it would be important to add intra-PST file disinfection and deletion capability to F-Secure endpoint products, in addition to the already existing detection-only capability.
Previously we could argue that incoming-outgoing SMTP/POP3/IMAP level message scanning protects the e-mail client from storing infected attachments or otherwise malicious messages in its mail-folder file.
With that capability now gone, we cannot reasonably demand any more that users conduct fully manual sorting and deletion of detected-only threat messages in multiple gigabyte sized Outlook PST files, for example. Therefore, some technological development is needed for a proper solution.
Thanks for your kind attention, Sincerely:
Tamas Feher, Hungary.
MJ-perComp Posts: 1,101 Superuser
If you have been using Outlook to access your external mailbox, you have not been scanning the traffic for quite a long time already, because FS cannot filter any encrypted traffic (TLS, SSL).
If connected to an Exchange box, the protection should be there (the PST is not complete anyway).
Additionally, Outlook has pretty much changed too, and today no attachment gets executed without it being locally stored to the local drive.
So yes, you might have some malware inside a PST, but you cannot start it. But you can scan the PST and get a list of infected mails, as far as a signature-based scan is able to detect those at all.
In the case the mail itself would exploit Outlook, DeepGuard should be able to identify that weird behaviour of Outlook and kill the task.
While I think users are still pretty well protected, the question is: could FS do better?
I think "no", because manipulation of a PST is a delicate task. From outside it is more or less impossible without the danger of loss. Scanning from inside would require a trusted agent/plugin in Outlook which is running as and controlled by an untrusted user task (Outlook).