Problems with Email Protection (Outgoing)

I accept the benefits of scanning outgoing emails for viruses, even though if Norton is protecting a computer in other manners, it could be argued that scanning outgoing mail may be redundant.

 

However I have two problems with the manner in which outgoing email protection is implemented.  (This discussion refers to Norton AntiVirus 2011 and 2012.)

 

First problem:

 

Aside from viruses or worms, there are common situations when a non-infected outgoing email may be rejected by the outgoing (SMTP) mail server.  These may include:

- Emails that are larger than a maximum size allowed by the user's ISP;

- Exceeding an ISP's limit on number of emails that can be sent during a period of time;

- Suspected spam content;

- Etc.

 

From a user perspective, in such cases there are at least two differences in how the attempted transmission is treated, depending on whether or not Norton Email Protection is active.

 

The first difference is that without Norton protection, the error message informing the user of the failed email is typically received in the sending window of the user's email program.  But if Norton Email Protection is active, the email program shows a successfully sent email - the error is instead subsequently notified in a pop-up Norton message.

 

I understand why this happens, and how it is a function of Norton placing itself between the email program and the outside world.  Once Norton has scanned and sent the message, it will receive the error from the mail server, and then passes it on to the user.

 

While this can be confusing to some untrained users, who at first may believe that they are witnessing a Norton threat warning rather than an ISP issue, it is not my concern here.  Of greater concern is the second difference...

 

With email clients such as Windows Mail or Outlook Express, the "Sent Items" folder contains emails that have been successfully sent, while the "Outbox" folder contains emails that have either not yet been sent, or that have failed to be sent.

 

In cases of rejection of non-infected outgoing emails (such as in the examples above), when Norton email protection is NOT active, the failed email correctly remains in the "Outbox" folder.  However if Norton (outgoing) email protection IS active, the failed email lands in the "Sent Items" folder instead!

 

I can also speculate as to why this occurs given how Norton's email protection is implemented.  However I have seen this cause many user problems and confusion when their email program shows a failed message as having been successfully sent.  It also creates issues if any other user subsequently inspects email folders on a computer where Norton has previously masked (hidden) the failure from the email program.  (And ironically, this mis-filing of emails that do not contain any threats is being caused by an anti-virus program.)

 

I imagine that some will justify this as being not a bug, but a "characteristic" of the way in which email protection works.  No argument, but I would suggest that there may be a better way of protecting the user that does not include leaving false or inaccurate information in their email program.

 

Comments?

 

Second problem:

 

Because of the just-described issue, or for other reasons, users may want or need to turn OFF the scanning of outgoing email messages.  Norton allows this, but with a heavy unexpected and arguably unnecessary penalty.

 

If I turn this setting off for a user, the user has to put up with a permanent red warning on the Norton tray icon, warnings about Insecure System Status, and a constant encouragement to "Fix Now".  Apart from being a nuisance, this means that my conscious turning off of an unwanted setting deprives me or the user from having those same indicators warn me of a REAL problem.

 


ManFromOz wrote:

If I turn this setting off for a user, the user has to put up with a permanent red warning on the Norton tray icon, warnings about Insecure System Status, and a constant encouragement to "Fix Now".  Apart from being a nuisance, this means that my conscious turning off of an unwanted setting deprives me or the user from having those same indicators warn me of a REAL problem.


You can turn off monitoring of the email scan setting so that you will not get the alerts and "Fix Now" warnings.  In the 2011 and 2012 product versions, hover your mouse cursor over the words "Email Protection" on the main Norton window ("Advanced" screen in 2012).  In the popup that results, click "Ignore."  This will configure Norton to ignore the On/Off status of the email scanning feature.  You will get a gray icon next to the setting to indicate that it is no longer being monitored.

 

 

Thank you SendOfJive.  I was not aware of that feature, and it may be helpful in future for some situations.

 

However, it only resolves my "Second problem" if the user is prepared to do without INCOMING email protection as well.  It's not too uncommon to want to turn off OUTGOING protection only, while retaining Incoming protection.  The disabling of "Scan outgoing email messages" (in a Settings submenu) does not appear to offer a workaround such as the one you've described.

 

Hi ManFromOz,

 

I'm not sure I understand your latest post.  The "Ignore" and "Monitor" options only pertain to whether Norton alerts you to the On/Off status of email scanning.  The Email Protection settings themselves are independent of this and in Norton Settings > Network > Message Protection you can configure the Email Antivirus Scan to do scanning of either Incoming, Outgoing or both.  So, if I understand what you want to do correctly - enable incoming email scanning, disable outgoing email scanning, and disable alerts about the email protection health status - that is very doable.

Many thanks, SendOfJive, and apologies. I misunderstood your original explanation on the effect of the Ignore/Monitor switch.

 

I assumed, incorrectly it seems, that turning off the "monitoring" of Email Protection was equivalent to turning off Email Protection. And that the difference between "Ignore" and moving the slider to the right was only that the former would prevent the alerts while the latter would not.

 

As I now understand it, the "Ignore" setting will NOT turn off or affect Email Protection, but merely suppresses any alerts if Email Protection (or any part of) is turned off.

 

If that is the case, it's a more useful feature than what I had realized, and indeed in this case it would allow me to turn off the scanning of outgoing emails without that "penalty" that I had complained about in my original post.

 

That solves (or invalidates) my "Second problem".

 

Now if only I could find a solution to the original "First problem", I would have happier users. Unless and until that happens, I think that there are many cases where we will need to disable outgoing email scanning (while using the "Ignore" switch).

 

Another reason why this outgoing scanning can be problematic is that in the event of a server rejection, the mail server's rejection message (now displayed by Norton) is delayed beyond the point in time when the user (falsely) believes that the email has been sent. I understand and accept why this delay occurs, but its effect is that the Norton popup can actually come up after the user has closed the email program and gone on to something else. This makes it even easier for some users to fail to relate the warning to the previously-sent email, which the email program shows as having been successfully sent. (Yes, forum readers may know better, but we may not be "average" users.)

 

I'm also thinking that there may be a small risk involved in using the "Ignore" workaround. While it may achieve the purpose that I originally posed, I imagine that if some malfunction or malware were to interfere with or disable, say, INCOMING mail scanning (which is a greater concern to most users), then the user would not know that this has happened unless and until some other form of protection raises the alarm. That's something we may opt to live with, but the cleaner and more effective solution would be if outgoing scans could be performed without having the email program report success and show the email as a "Sent Item" even in the event of failure.

 

If that's too hard in the short term, perhaps an interim alternative would be to remove outgoing scanning from the subset of functions that, if turned off, cause "Insecure" alerts?

 

Thanks again.
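
Added example (not part of the thread, and not Norton's code): a small Python model of the "First problem" discussed in the posts above. It contrasts a scanning proxy that acknowledges the mail client before the ISP's server has answered with one that relays the server's reply back to the client. All names, the size limit, the reply texts and the scanner marker are constructed assumptions.

```python
# Constructed model: every name, limit and reply text here is an assumption.
MAX_SIZE = 1000  # constructed ISP message size limit, in bytes

def isp_server(message: bytes):
    """Upstream SMTP server: answers end-of-DATA with a reply code and text."""
    if len(message) > MAX_SIZE:
        return 552, "message exceeds fixed maximum message size"
    return 250, "OK queued"

def scan(message: bytes) -> bool:
    """Stand-in for the antivirus check; True means the message is clean."""
    return b"CONSTRUCTED-TEST-SIGNATURE" not in message

class MailClient:
    """Files a message according to the reply code it sees from its 'server'."""
    def __init__(self):
        self.outbox, self.sent_items = [], []
    def send(self, message, submit):
        code, text = submit(message)
        (self.sent_items if 200 <= code < 300 else self.outbox).append(message)
        return code, text

class StoreAndForwardProxy:
    """Acknowledges the client first, relays later; failures surface as popups."""
    def __init__(self, upstream):
        self.upstream, self.queue, self.popups = upstream, [], []
    def submit(self, message):
        self.queue.append(message)
        return 250, "OK"  # client is told 'sent' before upstream has answered
    def flush(self):
        for message in self.queue:
            code, text = self.upstream(message) if scan(message) else (554, "blocked by scanner")
            if code >= 400:
                self.popups.append(f"{code} {text}")
        self.queue.clear()

class PassThroughProxy:
    """Scans, relays synchronously and returns the upstream reply to the client."""
    def __init__(self, upstream):
        self.upstream = upstream
    def submit(self, message):
        return self.upstream(message) if scan(message) else (554, "blocked by scanner")

def demo(proxy_cls):
    """Send one clean but oversized message; return (outbox, sent, popups)."""
    client, proxy = MailClient(), proxy_cls(isp_server)
    client.send(b"x" * 2000, proxy.submit)
    if hasattr(proxy, "flush"):
        proxy.flush()  # delayed relay: the rejection arrives after the client's 'success'
    return len(client.outbox), len(client.sent_items), getattr(proxy, "popups", [])
```

With the first design the rejected message ends up in Sent Items and the 552 reply appears only as a later popup; with the second it stays in the Outbox and the client sees the error itself.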

 


ManFromOz wrote:

As I now understand it, the "Ignore" setting will NOT turn off or affect Email Protection, but merely suppresses any alerts if Email Protection (or any part of) is turned off.


Yes, that is correct.

 

As to Outgoing Email Scanning - it is completely unnecessary.  In the first place, if your machine had a virus that was sending itself out in emails, Auto-Protect should detect it and remove it.  Moreover, if Auto-Protect could not detect it, neither could the email scan.  Secondly, the feature only protects the email recipients, whom we would hope and assume are smart enough to have a security program installed, and to check before opening any unexpected attachments from anyone.  It's nice that we pre-check their email messages for them, but it isn't something that should need to be done today, as most users are well aware of the dangers that can arrive via email, and most do take suitable precautions.  In the vast scheme of things, it is very unlikely that any recipient is ever going to be infected by an email that you send, so Outgoing Email Scanning really offers protection to others against a very low probability risk.

I remember years ago thinking along the same lines when I was introduced to outgoing email scanning. However it occurred to me that a similar argument could be applied to incoming scanning - Why waste resources doing that if Auto-Protect would detect a threat anyway? (Perhaps not as quickly, but presumably before any damage was done.)

 

But that logic extended to other forms of protection. For example, doesn't Auto-Protect make drive scanning redundant?  And the list goes on.

 

I briefly wondered whether all these "extras" were anything more than products of the "features war" between security software companies. But being too busy or lazy to explore situations where they could be important, I opted for accepting them, while assuming that maybe I should trust that the programmers or designers had better in-depth knowledge, and reasons (other than marketing) that I was not aware of.

 

Perhaps not?  In any case, given that this discussion's "feature" causes other problems, you've helped convince me that I'm going to disable outgoing scanning on all PCs that I am involved with.

 


ManFromOz wrote:

I remember years ago thinking along the same lines when I was introduced to outgoing email scanning. However it occurred to me that a similar argument could be applied to incoming scanning - Why waste resources doing that if Auto-Protect would detect a threat anyway? (Perhaps not as quickly, but presumably before any damage was done.)


Well, I wasn't going to say anything, but....  Actually you are correct that Incoming Email Scanning, while not as superfluous as Outgoing Scanning, is also something that you can jettison with no ill effects, and for exactly the reason you mention - Auto-Protect.  Any attachment that you open is going to be checked by Auto-Protect on access anyway, so there is no lessening of your protection when Incoming Email Scanning is turned off.  The Incoming Scans only block the threat earlier in the process, before it gets stored on your hard drive.  There is one advantage to this:  In some email clients there is a risk that an AV program might corrupt your inbox or put it in quarantine if a virus is detected in one of the stored messages.  So in those situations you might want to retain Incoming Email Scanning, but from a strict security standpoint you can do without just fine.  And again, if Auto-Protect does not have a signature to recognize and remove the threat, the Incoming Scan will not be able to block it either.  See the following for an interesting discussion of Email Scanning:

 

http://kb.mozillazine.org/Email_scanning_-_pros_and_cons

 

As for virus scans of the hard drive, they are still necessary in order to check for new malware that may have installed prior to the release of specific detection signatures that would have enabled Auto-Protect to recognize and block the threat at the time of infection.  But even here, the lengthy full system scans of the past are now scheduled by default in NIS 2012 to run only once a month.  One or more Idle Time Quick Scans per day, which take only a few minutes to look for active threats that are actually running, or could run, are now the main tool to spot any malware that might have sneaked in.  So, in a sense, the large full system scans that used to be so critical are now becoming increasingly unnecessary as newer methods of detecting viable threats take their place.

Hello

 

Please also remember that email scanning occurs mainly only with the standard ports of 25 and 110.  The 2012 version does give you the option to add other ports that are required by your ISP, but it wouldn't allow me to add the port which my ISP requires. So for many people, email scanning really can't be done, as the standard ports of 25 and 110 are not really standard for many people any more.

Thank you, gentlemen.  Interesting observations.  And interesting mozillazine article.

 

Point taken about less frequent scheduled full scans.  But without wanting to further fuel a discussion that was not the prime intent of this thread, can't we extend the same argument to suggest that even monthly scans are unnecessary?  Or even idle time quick scans?  Yes, malware may be installed prior to the release of relevant signatures, but even then, won't Auto-Protect eventually catch it?

 

Without claiming to be able to justify it, for some time my modus operandi has included:

 

(a) Accepting idle time quick scans in the belief (hope?) that they won't affect performance;

 

(b) Disabling periodic/scheduled full scans;

 

(c) Occasionally running a manual full scan if I have reason to believe that something may be amiss;

 

(d) Accepting incoming email scanning partly for same reasons as (a), and partly because I have a perverse wish to find out earlier, rather than later, who may have sent me an infection.

 

To this I have now added the disabling of outgoing email scanning, for reasons discussed here earlier.

 

It has been an interesting and enlightening discussion, for which I'm grateful as I now try to gracefully take my leave.  Perhaps it may have also served to inform some readers of the potential misinformation given by their email programs when outgoing email scanning is active.

 


ManFromOz wrote:
...can't we extend the same argument to suggest that even monthly scans are unnecessary?  Or even idle time quick scans?

There are some who have suggested that it is no longer absolutely necessary to schedule full system scans to run at specific intervals, and I think that is probably true.  Like email scanning, the scheduled full system scan may be a vestigial function that is retained, at least in part, because users expect it to be there.  The Quick Scan, which runs immediately after a virus definitions update, serves a more immediate purpose of specifically looking for new threats as soon as Norton has the ability to find them.  You are right though, and others have also pointed out, that Auto-Protect will also catch the malware in the act using the same updated signatures.  Whether you consider them essential or not, as long as the Quick Scans run during idle time without interrupting anything that the user is doing, they are probably a good insurance measure, and worth running.