Mail Scans for Secure Ports?

I tried changing the basic ports (from 110 and 25) to the SSL mail ports (995 and 465) and basically mail stopped working in or out. I'm using Thunderbird 3 with Hotmail accounts. Does F-Secure support this or do I have the spam filter incorrectly configured? Thanks!

Comments

  • MJ-perComp
    MJ-perComp Posts: 432 Superuser

    Hi,

     

    No, only plain IMAP, POP and SMTP are supported, as F-Secure is filtering on port level. Just turn ES off.

     

    Filtering on SSL level would require either breaking email security (like a man-in-the-middle attack) to get access to the mail (which you would not like) or a different agent inside the mail program that would allow checking the mails AFTER they have been decrypted and stored in the mailbox file (MBX).

     

    As these agents would not only differ between different programs but also between different versions it is very difficult to maintain those.

     

    Nevertheless, the future is open and maybe we will see an agent for the main mail programs.

     

    BR

  • jibe
    jibe Posts: 2

    It's an honest, but disturbing answer. Have the other antiviruses the same limitation?

     

    If F-Secure says to me that I am protected, while my emails are not scanned, do I always have to believe it?

  • MJ-perComp
    MJ-perComp Posts: 432 Superuser

    Hi,

    Yes, basically ALL vendors have the same problem. Detecting malware inside an encrypted stream is not possible in general (unless you do a kind of man-in-the-middle attack).

     

    Some mail programs have an interface (like Thunderbird) that you can use to call an antivirus whenever you touch an attachment. But they just store the file on the HDD and scan it using command-line parameters. With realtime scanning active this is already done automatically in the moment the attachment is stored on the HDD. So, yes, F-Secure protects you regardless of the e-mail client and protocol you use. Not while you receive but when you start reading it. In any case this is early enough to protect you from any unwanted activity. You would not want to sacrifice encryption for being able to detect in-stream!

     

    Unfortunately the F-Secure SPAM markers also get set "in-stream", so that is a functionality that you lose. OTOH your ISP should be able to detect SPAM and there are lots of anti-spam plugins for mail clients available that do a good job.

     

    Hope this explains the situation.

  • jibe
    jibe Posts: 2

    Yes, thank you very much. That's put my mind at rest.

     

    Nevertheless, we have to activate the realtime scanning. Perhaps it would be a good idea that, if realtime scanning is deactivated and email scanning is activated (with 995), F-Secure scans e-mail on HDD?

     

    That is not a problem for me because I activate the realtime scanning, because F-Secure doesn't at all reduce performance of my computer.

     

    But some people might not activate the realtime scanning and be infected by an email while they believe that F-Secure protects them. I, for example, might not have realized the problem. I noticed it by looking, by chance, at the Statistics window (which did not, thus, indicate scanned e-mails).

     

  • Dick99999
    Dick99999 Posts: 5 Observer

    @MJ-perComp wrote:

    Hi,

    Yes, basically ALL vendors have the same problem. Detecting malware inside an encrypted stream is not possible in general (unless you do a kind of man-in-the-middle attack).

     

    Some mail programs have an interface (like Thunderbird) that you can use to call an antivirus whenever you touch an attachment. But they just store the file on the HDD and scan it using command-line parameters. With realtime scanning active this is already done automatically in the moment the attachment is stored on the HDD. So, yes, F-Secure protects you regardless of the e-mail client and protocol you use. Not while you receive but when you start reading it. In any case this is early enough to protect you from any unwanted activity. You would not want to sacrifice encryption for being able to detect in-stream!

     

    Unfortunately the F-Secure SPAM markers also get set "in-stream", so that is a functionality that you lose. OTOH your ISP should be able to detect SPAM and there are lots of anti-spam plugins for mail clients available that do a good job.

     

    Hope this explains the situation.


    Is there a contradiction? Or is realtime scanning working both on storing an attachment, and on start reading it?

  • MJ-perComp
    MJ-perComp Posts: 432 Superuser

    Hi,

    OAS is doing a scan on save and certainly on read as well.

    Where do you see a contradiction?

     

    Use the EICAR-Test-Suite to understand the different way how OAS is working.

     

    HTH

     

     

  • Dick99999
    Dick99999 Posts: 5 Observer
    Thanks for the quick reply. The contradiction I saw was in the words "not while you receive it but while you start reading...". I guess I interpreted receive as including storing it. Glad it checks too when storing it. It triggers another question: why would I use the email shield if the message? / attachment? is checked anyway while storing it. I will check the test suite as soon as I have my laptop working again.
  • MJ-perComp
    MJ-perComp Posts: 432 Superuser

    Well, "receiving" means the transfer from the server to your e-mail client. POP3/SMTP (unencrypted) can be checked during transit. This gives another hurdle to take for the malware.

    Many e-mail clients store the mail in this transit format. To open an attachment it will be converted to local disk before you can use e.g. Word with it. This is the point where OAS sees the file in the filesystem.

     

    Some e-mail clients would allow to forward the mail. In this case the "transit" format can be used. Without SMTP scanning the mail leaves the system the same way as it arrived.

     

    Thunderbird allows automatic attachment checking. Use that with "fsav.exe" to force conversion and storing to local HDD.

     

    BR
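
The "transit format" point from the last reply, as an added example that is not part of the original thread: a mail with a binary attachment is serialized the way it travels over POP3/SMTP, and a byte-pattern check is run on the raw message and then on the decoded attachment. The signature, addresses, file name and the naive scanner are constructed for illustration and say nothing about how F-Secure's engine works internally.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a scanner signature (not a real malware pattern).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_transit_message() -> bytes:
    """Serialize a mail with one binary attachment, as stored or sent in MIME form."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "reader@example.com"        # constructed address
    msg["Subject"] = "report"
    msg.set_content("See attachment.")
    # Binary attachments are base64-encoded by the email package on serialization.
    msg.add_attachment(b"header " + SIGNATURE + b" trailer",
                       maintype="application", subtype="octet-stream",
                       filename="report.bin")
    return msg.as_bytes()


def naive_scan(data: bytes) -> bool:
    """Hypothetical pattern scanner: plain byte search, no MIME awareness."""
    return SIGNATURE in data


def decoded_attachments(raw: bytes):
    """Yield (filename, decoded bytes): what lands on disk when an attachment is opened."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_filename(), part.get_content()


def scan_decoded(raw: bytes) -> list:
    """Names of attachments that match once they are in decoded, on-disk form."""
    return [name for name, payload in decoded_attachments(raw) if naive_scan(payload)]


if __name__ == "__main__":
    raw = build_transit_message()
    print("match in transit format:", naive_scan(raw))
    print("match after decoding:   ", scan_decoded(raw))
```
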

This discussion has been closed.