Endpoint Protection

I've SEP 12.1 RU2 with Outlook plugin (enabled in Outlook 2007 client and via policy).

I've received a .zip attachment that was not blocked by the plugin.

If I extract the content, SEP (not the plugin but the normal SEP) block the content (virus, autoprotect).

If I try to forward the message, newly no block.

The message with its viral content, starts.

I thought Outlook Plugin should block the attachment. Am I wrong?

Exchange server, if it's important to know.

Hello,

Internet Email Auto-Protect protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included.

About Auto-Protect and email scanning

http://www.symantec.com/docs/TECH95093

You can enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections. Auto-Protect detects the secure connections and does not scan the encrypted messages. Even if Internet Email Auto-Protect does not scan encrypted messages, it continues to protect computers from viruses and security risks in attachments.

If you use Microsoft Outlook over MAPI or Microsoft Exchange client and you have Auto-Protect enabled for email, attachments are immediately downloaded. The attachments are scanned when you open the attachment. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature if you regularly receive large attachments.

Email attachments are frequently the culprits in virus attacks. To protect yourself from viruses transmitted through email attachments:

• Don't open any attachment you were not expecting, even if it comes from a trusted source, such as a family member, co-worker, or friend.
• If you do not know the sender of a message that includes an attachment, delete the message without reading it.
• Do not open any attached file ending in .exe, .vbs, or .lnk.
• Never open an attachment without verifying that it's virus free. To open an attachment, first save it to your hard drive and then scan it with antivirus software, such as Symantec Endpoint Protection.

Incase of Suspicion, it is recommended to submit the Attachment to the Symantec Security Response Team on https://submit.symantec.com/essential

The Exchange servers have nothing to with the Outlook mail scanning plugin. This is completely client-side. Your Exchange servers would have something like Mail Security for Microsoft Exchange scanning the server-side traffic.

OR

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

If my Outlook account is an Exchange Server account, SEP + Outlook plugin won't scan the attachment?

The scan process will take place only with, let me say, POP3/SMTP account?

In your post you talk about "Internet Email Auto-Protect".

I'm talkinf of Outlook component. I thought they had different behaviour.

Hello,

Microsoft Outlook Auto-Protect - 

Scans Microsoft Outlook email (MAPI and Internet) and attachments for viruses and security risks

If Microsoft Outlook is already installed on the computer when you perform a client software installation, the client software detects the email application. The client automatically installs Microsoft Outlook Auto-Protect.

If you use Microsoft Outlook over MAPI or Microsoft Exchange client and you have Auto-Protect enabled for email, attachments are immediately downloaded. The attachments are scanned when you open the attachment. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature if you regularly receive large attachments.

The Exchange servers have nothing to with the Outlook mail scanning plugin. This is completely client-side. Your Exchange servers would have something like Mail Security for Microsoft Exchange scanning the server-side traffic.

Hope that helps!!

Hi Mithun and thanks.

When the manual says:

Hello,

Correct. When the attachment file is opened for reading, the file gets installed on the client machine and that is when the File would be scanned.

Outlook Auto-Protect: Outlook Auto-Protect is a type of ongoing or background scan. This scan gives Outlook and Outlook Express users additional protection from threats sent by email. If you use Outlook or Outlook Express, it is recommended to have this enabled.

Auto-Protect does not scan the email that uses secure connections, it will continue to protect computers from risks in attachments. It scans email attachments when you save the attachment to the hard drive.

www.symantec.com/business/support/index?page=content&id=TECH94990

I would recommend you to Install the Symantec Mail Security for Microsoft Exchange to scan the Attachments at the server side.

Check these Threads with similar query:

https://www-secure.symantec.com/connect/forums/outlook-scanning-questions

https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-outlook-auto-protection

https://www-secure.symantec.com/connect/forums/what-advantage-there-outlook-auto-protect-sep-vs-file-system-auto-protect

Hope that helps!!

Ok, understood.

But:

• I receive .zip as attachment. No scan take place because of Exchange Server in place. Ok.
• I open the .zip and the content is a .exe files. I see the content. But nothing happens
• If I try to extract the content, infection is detected and blocked. But this action is performed from normal AutoProtect because of realtime scan... I don't understand the value added by the Outlook plugin in this case (I repeat. .exe infected file inside .zip file).

Its the same. It will only detect if extracted. Ideally you should not be using outlook plug in if you already have Symantec mail security.

More info from Symantec site

SEP 11.X Outlook plug-in is only supported on 32 bit versions of the operating systems even with the earlier versions of Outlook. 

Alternately, do not use this optional mail plug-in.  If a mail security program like Symantec Mail Security for MS Exchange (SMSMSE) is installed on the company's Exchange server or elsewhere in the mail flow (a dedicated mail scanning appliance, for instance) then any threats or other unwanted content should be cleaned long before the messages reach the end users.  SEP's optional mail scanning components are of most use only in very small offices or unmanaged deployments. If a proper solution is implemented elsewhere in the mail architecture, then the SEP plug-in adds provides very limited return for its resource usage.

The SEP 12.1 Outlook plug-in is supported for Microsoft Outlook 2010 on both 32 and 64 bit versions.

http://www.symantec.com/business/support/index?page=content&id=TECH177144

Uhm... I'm not so sure that "it's the same" is the better way to say :-)

I think that with Exchange, the plugin simply is completely unuseful because the component that intercept the malware at the estraction phase is normal AutoProtect. Nothing more.

Outlook autoprotect is the subcomponent of Autoprotect. So its almost the same. The way they interpret the attachement from webclient is what makes it little special :) 

Outlook autoprotect is the subcomponent of Autoprotect. So its almost the same. The way they interpret the attachement from webclient is what makes it little special :)