
Virus found - NAV gives confusing information

OS X 10.6.2

NAV Version: 11.1.1 (2)

SymIPS Version: 1.3.1f6

I get a popup window - Title Bar is Norton Antivirus - with a message that states "1 infected files were repaired". This happens when I move an email, with an attachment, in Entourage 2008, from one folder to another. The attachment has not been removed, and whenever I move the file around, I get the same NAV message.

There are some issues that I have:

  1. Why wasn't the infected attachment removed?
  2. Why can't I find the name of the virus that is in the attachment?
  3. When I view the log, there is a message stating that the virus was fully repaired. This doesn't seem to be an accurate message because the attachment is still "attached", and there is no file when I open the quarantine file (using the TOOLS, QUARANTINE menu).

Thanks!

Replies



Re: Virus found - NAV gives confusing information

The issue is that email attachments can't be removed by NAV from within Entourage, due to the way they are stored.  You'll need to delete the attachment from the email manually.  However, as an attachment the virus is not a threat unless it is saved to disk, which is when you are seeing the alert (and it is apparently being successfully repaired on disk).

I was trying to reproduce the issue you're seeing when moving the email between folders, so far w/o success.  For one thing, I think my mail servers are stopping even dummy virus attachments from coming through, since I don't receive my own messages.  But even if I move the "Sent" items to other folders, the attachments aren't detected.  A couple questions:

1.  Is the mail account in question POP or IMAP?

2. When you look at the NAV log, does it give the file path (under "Details")?  If so, what is that path?

Thanks,

Lee


Re: Virus found - NAV gives confusing information

Hi Lee,

This is a POP account. Actually all of my accounts in Entourage are POP accounts.

I can forward you the email to see if it gets past the server scan. I can also attempt to ZIP the attachment, change the extension, and send it to you for further analysis.

In my first post I forgot to mention that I also get another notification window titled "Norton Notification". It states that the file was fully repaired. As point of interest, the contents of this window are in black & white.

The path is ~/Library/Caches/Metadata/Microsoft/Entourage/2008/Main Identity/Attachments/85936 and the file name is UPS_invoice_NR590167

"~" = my home folder

This situation is very strange for me because using Outlook (Windows), and NIS, or NAV, the file attachment can be deleted by that antivirus code. I know both Entourage and Outlook use database files. Is the reason that NAV can delete an attachment in Outlook because MS allows more functionality, to developers, for Outlook?

One of my remaining questions is how do I identify what virus it is?

Thanks!

Anthony


Re: Virus found - NAV gives confusing information

I think I should be able to reproduce the issue without getting your sample (I did try zipping, which is not sufficient).  If not I can let you know.  Thanks for the info that it's POP, that will make it a little easier in my setup.

The second notification window is normal in this case.  The name of the virus should appear in the first alert.  It seems to me it should also appear in the log, but I don't see that in my test case either, so I need to follow up on that.

I'm not as familiar with the Windows AV product, but it is possible as you suggest, that there is a better API to allow this kind of repair in Outlook.  If you're still curious, I can ask about that.

-- Lee


Re: Virus found - NAV gives confusing information

I believe I found why you are getting the alerts when using Entourage.  There is a preference in Entourage under General Preferences:Spotlight which reads:

Include attachments in Spotlight search results (uses more disk space)

If this is checked, attachments are apparently saved to the Metadata folder, at least long enough for Spotlight to index them.  So you can avoid the alerts by disabling this option, though I suppose it helps to tell you if you have any infected attachments.  Unfortunately, the path info isn't very useful, because you can't tell from the folder name which email the attachment is associated with, though it does have the name of the attachment.


Re: Virus found - NAV gives confusing information

Lee,

For the record, I am glad that I am getting the notification. I hope I didn't imply anything else.

So if I understand this correctly, I wouldn't get the NAV notification, in Entourage, if I didn't have "Include attachments in Spotlight search results (uses more disk space)" enabled?

If the answer to the above is YES: When would I receive notification that this file is infected? When / if  I save the attachment to disk?

Regarding my original question: How do I know what virus this file contains? NAV makes no mention of that anywhere that I can find.

Edit: Answered the following below: I am getting the impression that if I forward this email, with the attachment, that I may not get a NAV warning thus passing it on to another user. This would be bad. I will test this, and report back.

The answer is that I am allowed to forward the mail. NAV alerts me that the file has been repaired.

Thanks


Re: Virus found - NAV gives confusing information

Yes, that option is what causes the notification, at least in my testing.  Otherwise, as you said, only when the attachment is saved would an automatic scan take place.  There is a risk that you could pass along such an infection, if you never saved it explicitly (or found it due to the Spotlight option).  This is an area we are looking into improving, obviously it isn't ideal.

The name of the virus should be shown in the initial alert (NOT in the black & white notification, however).  If you save the attachment, you should see it (if not, let me know).  I'm going to recommend the virus name also be included in the log for the future.

Thanks for your inputs, this has been helpful.


Re: Virus found - NAV gives confusing information


Lee_G wrote:

I think I should be able to reproduce the issue without getting your sample (I did try zipping, which is not sufficient).  If not I can let you know.  Thanks for the info that it's POP, that will make it a little easier in my setup.

The second notification window is normal in this case.  The name of the virus should appear in the first alert.  It seems to me it should also appear in the log, but I don't see that in my test case either, so I need to follow up on that.

I'm not as familiar with the Windows AV product, but it is possible as you suggest, that there is a better API to allow this kind of repair in Outlook.  If you're still curious, I can ask about that.

-- Lee


If you would follow up on the Windows AV answer, I would appreciate it. I am somewhat surprised that Symantec has not found a way to actually delete the attachment?

As I mentioned in my previous post, the name of the virus can not be found anywhere. This troubles me, as I would like to know how serious the potential infection could be. Is this a bug?

I forwarded the email, using AT&T's server to a Gmail account. The Gmail servers bounced the message back with the message:

Remote host said: 552-5.7.0 Our system detected an illegal attachment on your message. Please visit http://mail.google.com/support/bin/answer.py?answer=6590 to review our attachment guidelines.

A big question in all of this is how can I determine that the attachment has not actually infected my system? Would a scan be sufficient?


Re: Virus found - NAV gives confusing information

Interesting development: I just received the following message:

"Your AT&T Yahoo! Mail Virus Protection detected the virus 'Trojan.Bredolab' in the file 'UPS_invoice_NR590167', attached to the enclosed email message. We scanned the file using Norton AntiVirus but were unable to clean it. Therefore, we removed the content of the attachment from the message. Please contact the message sender if you want to receive the attachment. They must clean the file and resend it before we can deliver it to you safely.

AT&T Yahoo! Mail successfully cleans most infected attachments, which protects you from viruses."

...so apparently, AT&T scans only SMTP (outgoing messages), as the infected message was retrieved via an AT&T POP server.


Re: Virus found - NAV gives confusing information

I'll follow up about the Outlook support, and tell you what I can (some info may be proprietary).  Entourage stores email in a database format that is Microsoft-proprietary, which makes it difficult to manipulate.

I looked up Trojan.Bredolab, and it's a Windows trojan, so it shouldn't affect your Mac, but a scan of your drive should be able to clean any saved copies.  I'm not sure why the virus name is not appearing, it could be a defect.
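Added example, not code from the thread or from Symantec: a small Python triage script for the kind of cached attachment discussed above. It walks a directory laid out like the Entourage Spotlight attachment cache quoted earlier and, for each file, records a SHA-256 hash and a content type decided from the file's leading bytes rather than its name, since the cached file here ("UPS_invoice_NR590167") had no extension. A Windows PE executable (an `MZ` DOS stub whose `e_lfanew` pointer at offset 0x3C leads to a `PE\0\0` signature) cannot run natively on OS X, which is the concrete check behind Lee's point that a Windows trojan does not affect the Mac; a ZIP wrapper is flagged separately because Lee notes that the first alert omits the virus name when the infected file is inside an archive. The hash lets you compare the cached copy against a copy saved to the desktop, so you can see whether a reported "repair" actually changed the bytes. The cache path is the one posted in the thread; the numeric subfolders and sample file contents used by `demo()` are constructed for this example, and the fake PE header is not a real program.

```python
import hashlib
import os
import tempfile

# Entourage 2008 Spotlight attachment cache, as quoted in the thread
# (the numeric subfolder under Attachments varies per attachment).
ENTOURAGE_CACHE = os.path.expanduser(
    "~/Library/Caches/Metadata/Microsoft/Entourage/2008/Main Identity/Attachments"
)

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def classify_bytes(data: bytes) -> str:
    """Decide a content type from leading bytes, ignoring the file name.

    A Windows PE file starts with an 'MZ' DOS stub; the 32-bit little-endian
    value at offset 0x3C (e_lfanew) points at the 'PE\\0\\0' signature.
    """
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\0\0":
                return "pe-executable"   # Windows-only binary
        return "mz-stub"                 # DOS header without a PE signature
    if data[:4] in ZIP_MAGICS:
        return "zip-archive"             # AV alert may omit the threat name here
    if data[:4] == b"%PDF":
        return "pdf"
    return "other"


def triage_file(path: str) -> dict:
    """Hash a file and classify it by content, not by name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        head = f.read(4096)              # enough for the magic-byte checks
        h.update(head)
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    name = os.path.basename(path)
    return {
        "path": path,
        "name": name,
        "size": os.path.getsize(path),
        "sha256": h.hexdigest(),
        "type": classify_bytes(head),
        "has_extension": "." in name,
    }


def scan_cache(root: str) -> list:
    """Walk the attachment cache and triage every regular file, in a stable order."""
    results = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()                      # deterministic traversal order
        for name in sorted(files):
            results.append(triage_file(os.path.join(dirpath, name)))
    return results


def fake_pe() -> bytes:
    """Constructed minimal PE header (not a runnable program): MZ stub,
    e_lfanew = 0x40, then the PE signature."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def demo() -> list:
    """Build a throwaway cache layout with constructed sample files and triage it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "85936/UPS_invoice_NR590167": fake_pe(),         # extension-less PE, as in the thread
            "85937/report.zip": b"PK\x03\x04" + b"\0" * 26,   # ZIP wrapper
            "85938/notes.txt": b"just text\n",
        }
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return scan_cache(root)


if __name__ == "__main__":
    rows = scan_cache(ENTOURAGE_CACHE) if os.path.isdir(ENTOURAGE_CACHE) else demo()
    for r in rows:
        print(f"{r['type']:15} {r['size']:8d} {r['sha256'][:16]}  {r['name']}")
```

Run it on the Mac in question and it reads the real cache; anywhere else it falls back to the constructed demo layout. A "pe-executable" row with no extension is exactly the shape of lure this thread describes, and a second run after NAV reports a repair will show a different hash for the same name if the bytes on disk were changed.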


Re: Virus found - NAV gives confusing information


Lee_G wrote:

I'll follow up about the Outlook support, and tell you what I can (some info may be proprietary).  Entourage stores email in a database format that is Microsoft-proprietary, which makes it difficult to manipulate.

I looked up Trojan.Bredolab, and it's a Windows trojan, so it shouldn't affect your Mac, but a scan of your drive should be able to clean any saved copies.  I'm not sure why the virus name is not appearing, it could be a defect.


I thought that both the Entourage and Outlook databases were proprietary. Maybe there are no public APIs for the Entourage database? Any info you can provide would be great. If this can be added to a future version of NAV for Macintosh that would be even greater ;)

I saved the file to my desktop, and NAV reported that it was infected. After the save, NAV gave me the same message that the file was fixed. A manual scan of the file reports that the file is no longer infected. Do you think this manual scan result is accurate?

I also looked up the virus, and there were about four or five variants. Are all of these variants Windows only viruses?

When you say the virus name is not appearing, and that it could be a defect, are you referring to a bug in NAV?


Re: Virus found - NAV gives confusing information

I'll get back to you in the next day or 2 about the Outlook vs. Entourage issue.

The manual scan should be accurate.  I believe you were repairing the file successfully each time it was saved to the Metadata folder for Spotlight, but it was saved again each time it was moved within Entourage.

All the Trojan.Bredolab variants are in the same family of Windows Trojans, I don't see any indication of a Mac variant.

Since you aren't getting the virus name in the initial alert, I would consider that a bug in NAV.  I'll contact you privately if you want to try and send me a sample so I can try to reproduce that.


Re: Virus found - NAV gives confusing information

Regarding Outlook attachments, about all I can say is there is a different Symantec technology employed by the Windows scanner, which has not been ported to the Mac.  I can't really comment on if/when we might support it on Mac.

I don't know if you saw the private message I sent, but if you want to follow up on diagnosing the virus name issue, see that.  Also, I notice that if the infected file is in an archive, the virus name isn't shown on the first alert.  From the file path you mentioned earlier, it doesn't look like it was an archive, but it's hard to be sure without having the file.

-- Lee


Re: Virus found - NAV gives confusing information

Hi Lee,

Sorry for the delay in responding to the PM - I did read it, but didn't have a chance to follow up. I will do so this weekend.

Thanks for all the information, and I do hope that Symantec can code NAV for Mac to work more "intimately" with the Entourage database.

Thanks!
