PST file misery magnified after removal of traffic-level e-mail scanning from FSCS / FSPSB.

Dear Sirs,

Considering that NDIS-level e-mail flow scanning has been removed from FSAV PSB Computer Protection and FSAVCS 13, I think it would be important to add intra-PST file disinfection and deletion capability to F-Secure endpoint products, in addition to the already existing detection-only capability.

Previously we could argue that incoming-outgoing SMTP/POP3/IMAP level message scanning protects the e-mail client from storing infected attachments or otherwise mailicious messages in its mail-folder file.

With that capability now gone, we cannot demand reasonably any more that users conduct fully manual sorting and deletion of detected-only threat messages in multiple gigabyte sized Outlook PST files, for example. Therefore, some technological development is needed for a proper solution.

Thanks for your kind attention, Sincerely:
Tamas Feher, Hungary.

Find more posts tagged with

Comments

MJ-perComp

Hi,
if you have been using outlook to access your external mailbox you have not been scanning the traffic since quite a long time already, because FS can not filter any encrypted traffic (TLS, SSL).

If connected to an Exchange Box, the protection should be there (the PST is not complete anyway)

Additionally Outlook has pretty much changed too and today no attachement gets executed without it beeing locally stored to the local drive.

So yes, you might have some malware inside a PST, but you can not start it. But you can scan the PST and get a list of infected mails as far as a signature based scan is able to detect those at all.

In the case the mail itself would exploit outlook, Deepguard should be able to identify that weird behaviour of Outlook and kill the task.

While I think Users are still pretty well protected, the question is: could FS do better?

I think "no", because manipulation of a PST is a delicate task. From outside is more or less impossible without the danger of loss. Scanning from inside would require a trusted agent/plugin in Outlook which is running as and controlled by an untrusted user task (outlook).