
Internet e-mail is not scanned on its arrival

Created: 11 Sep 2012 • Updated: 11 Sep 2012 | 10 comments

Hi everyone,

In my environment I'm using SEP 11.0.7 with SEPM.

A few weeks ago I started to occasionally receive e-mails with a virus attachment (always from a partner's address, so I can't just block it) on my desktops. I'm worried why my Symantec doesn't detect the virus on the e-mail's arrival. I'm using MS Outlook with POP3 (TCP 110) to receive mail. I have an Antivirus and Antispyware policy configured for Internet E-mail Auto-Protect and assigned to computers.

Can anyone suggest what I am missing (or is it just a 0-day virus? Every time?)


Mithun Sanghavi's picture

Hello,

Internet Email Auto-Protect protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included.

You can enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections. Auto-Protect detects the secure connections and does not scan the encrypted messages. Even if Internet Email Auto-Protect does not scan encrypted messages, it continues to protect computers from viruses and security risks in attachments.

Email attachments are frequently the culprits in virus attacks. To protect yourself from viruses transmitted through email attachments:

  • Don't open any attachment you were not expecting, even if it comes from a trusted source, such as a family member, co-worker, or friend.
  • If you do not know the sender of a message that includes an attachment, delete the message without reading it.
  • Do not open any attached file ending in .exe, .vbs, or .lnk.
  • Never open an attachment without verifying that it's virus free. To open an attachment, first save it to your hard drive and then scan it with antivirus software, such as Symantec Endpoint Protection.

In case of suspicion, it is recommended to submit the attachment to the Symantec Security Response Team at https://submit.symantec.com/essential

OR

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

GoranVuic's picture

Hi Mithun,

Unfortunately, this doesn’t help me. I am aware of everything you described. Also, I think that my entire configuration is correct, but I still have viruses arriving undetected in mail from time to time. All my clients have current virus definitions. Detection of viruses is successful if they come on CD/DVD, USB or the network. The problem is only e-mail. My Outlook clients are configured to use standard ports (110 and 25) with no encryption.

Handling emails with attachments is part of the company security policy, but, as I said before, most of those infected mails come from a well-known partner (booking.com) and my users trust them. After a few incidents we expanded our “security policy” and educated users not to open mails from that partner, but it still doesn’t solve the major problem: “How can a virus come in an email attachment undetected?”

Please give me a hint what to check (I checked everything I was aware of)!

Mithun Sanghavi's picture

Hello,

Symantec Endpoint Protection would detect the Threat only if the Attachment is opened.

However, in case you feel there is a virus in the email attachment and Symantec is not detecting it, then save the attachment to the hard drive and submit the attachment to the Symantec Security Response Team as suggested above.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


GoranVuic's picture

Thanks Mithun,

I thought that email is scanned on its arrival (complete email including attachment). Shouldn’t it “react” on attachment saving (or just opening)?

sandra.g's picture

I'm using MS Outlook with POP3 (TCP 110) to receive mail. I have Antivirus and Antispyware policy configured for Internet E-mail Auto-protect and assigned to computers.

I'm not saying this is the cause, but is there some reason you're not using the Outlook scanner?

According to "About Auto-Protect and email scanning" (link is below), email scanning is not available for 64-bit clients for 11.x. It also says:

For scans of Lotus Notes and Microsoft Exchange email, Auto-Protect scans only the attachments that are associated with email.

For Internet email scanning of the messages that use the POP3 or SMTP protocols, Auto-Protect scans the following items:

  • The body of the message
  • Any attachments to the message

See the following:

About Auto-Protect and email scanning
http://www.symantec.com/docs/TECH95093

You may want to consider Mail Security for Microsoft Exchange.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

GoranVuic's picture

Hi Sandra,

Thanks for the link.

Unfortunately I don’t have an Exchange server (yet). I'm planning to implement it in the near future, but right now, I don't have it. I’ll implement Mail Security for Microsoft Exchange as soon as I implement MS Exchange. I have configured MS Outlook Auto-Protect, but it makes sense only if I'm using Outlook with Exchange – because of different ports (if I'm not wrong?).

sandra.g's picture

If your Outlook is using POP then the Internet Email scanner should work, and should scan attachments. Are the affected machines running 64-bit operating systems? 

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection


Mithun Sanghavi's picture

Hello,

I agree with Sandra. In case these are 64-bit systems, then Microsoft Exchange and POP3/SMTP email scanning are not compatible.

Check this Article: 

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/docs/TECH102143

However, these features are supported in the SEP 12.1 Release.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Mick2009's picture

Hi Goran,

If possible, upgrade to SEP 12.1. The Outlook plug-in in that version is 64-bit compatible with many versions of Outlook. Details are in the following article:

Symantec Endpoint Protection 12.1 Outlook Email Plug-in fails to load for Microsoft Outlook (64-bit installation)
Article: TECH177144 | Created: 2011-12-16 | Updated: 2012-02-09
Article URL: http://www.symantec.com/docs/TECH177144

Hope this helps!

With thanks and best regards,

Mick

Beppe's picture

Hi,

Are you using SSL? From the help in the SEP client:

Internet Email Auto-Protect

Scans internet email (POP3 or SMTP) and attachments for viruses and security risks; also performs outbound email heuristics scanning.

By default, Internet Email Auto-Protect supports encrypted passwords and email over POP3 and SMTP connections. If you use POP3 or SMTP with Secure Sockets Layer (SSL), then the client detects secure connections but does not scan encrypted messages.

Note:

For performance reasons, Internet Email Auto-Protect for POP3 is not supported on server operating systems. Internet email scanning also is not supported for 64-bit computers.

Email scanning does not support IMAP, AOL, or HTTP-based email such as Hotmail or Yahoo! Mail.

Microsoft Outlook Auto-Protect

Scans Microsoft Outlook email (MAPI and Internet) and attachments for viruses and security risks

Supported for Microsoft Outlook 98/2000/2002/2003/2007/2010 (MAPI and Internet)

If Microsoft Outlook is already installed on the computer when you perform a client software installation, the client software detects the email application. The client automatically installs Microsoft Outlook Auto-Protect.

If you use Microsoft Outlook over MAPI or Microsoft Exchange client and you have Auto-Protect enabled for email, attachments are immediately downloaded. The attachments are scanned when you open the attachment. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature if you regularly receive large attachments.

Note:

On a Microsoft Exchange server, you should not install Microsoft Outlook Auto-Protect.

Regards,

Giuseppe