
Question About Email Protection



I took the advice and uninstalled Avast in favor of MB 3.0.  So far I generally like the result but I wonder about how MB is actually doing real time protection for email.  I ask because Avast used to alert pretty much every day about some spam email message being infected with something and having quarantined it or something.  These always were actual spam messages that would end up in the spam folder anyway, and then would have been deleted by me.  Now that MB has been running alone for the past many days, those types of messages still go to the spam folder, but there is no MB warning when there is an infection contained.

It may be that I have not received any infected emails in the past week but that seems unlikely as Avast used to catch one or two almost every day. 

Is MB scanning each email message for threats as the email downloads like Avast did?  And if it is, should I expect to get a popup notifying me when an email is infected? I liked the scanning and interception method that Avast uses although overall I like MB much better.

Edited by Will_T

2 hours ago, Will_T said:

Is MB scanning each email message for threats as the email downloads like Avast did?

Simple answer NO.

But if you click a bad link it will block the bad ones it knows about. If you open and RUN an attachment it will stop the attachment from downloading some payload to infect your computer.

 


MBAM v3.0 is still an adjunct and does not replace a fully installed Anti Virus application that performs "On Access" and "On Demand" scanning on a wide variety of file types.

Depending on the vendor of the anti virus application, it will be MAPI and/or VIM compliant or it will provide an IMAP/POP Proxy service.  Then the anti virus application will decode the MIME based message in one's email client and scan the email body and email attachments when it arrives in the InBox.  Or the Proxy intercepts the email before the email client gets the email message.  Using its extended signature base it can then look at the email and apply its broad range of signatures on a variety of file types without the user actually opening what may be a malicious email.

With MBAM v2.x and v3.x, you have to extract the attachments and then if it is a PE Binary MBAM can apply its signatures to see if the attachment is executable or you have to click on a link which may or may not be in the web block database.  Since MBAM does not target scripted malware, documents and media files, it won't scan them.  Therefore MBAM will not give the user a warning if there is a malicious MS Word file or if the email contains phishing content.

Not having a fully installed Anti Virus application means that a layer of protection via an early warning indicator and or malicious object removal is not there that an Anti Virus application provides.

 

Edited by David H. Lipman

So in thinking about this I am not sure I fully understand David's thorough explanation above.  These parts of it make me believe that (despite what MB is advertising), we should not be removing our antivirus programs in favor of MB 3.0?

17 hours ago, David H. Lipman said:

MBAM v3.0 is still an adjunct and does not replace a fully installed Anti Virus application that performs "On Access" and "On Demand" scanning on a wide variety of file types.....

Not having a fully installed Anti Virus application means that a layer of protection via an early warning indicator and or malicious object removal is not there that an Anti Virus application provides.

 

 

Maybe MB should take that big "MAKES ANTIVIRUS OBSOLETE" off their 3.0 home page.

Edited by Will_T

39 minutes ago, David H. Lipman said:

They should but I doubt they will.  I have been saying that claim is disingenuous since the Beta was in Private Release.

 

Yeah well I will look to see if I should re-install Avast or go with something else.  I have used Avast for over 10 years, but it seems to me that the recent versions have become much more of a drain on my 8 year old computers.  Sometimes slowing things to a crawl or freezing. Since I uninstalled Avast a week or so ago and installed MB 3.0, the computer has been much faster.   I plan to get a new computer but am waiting until Microsoft releases the next version of the Surface Book and Surface Pro so I give those a fair consideration. I will search here and see if anyone has discussed the antivirus program that works the most efficiently but still provides the real time email protection I am used to with Avast.  If I don't find the answer, I'll start another thread with that question.  Lots of knowledge on this forum.  Thanks again for the answers to my email question.

Edited by Will_T

16 hours ago, Will_T said:

OK - Thanks.  I guess I took that huge banner brag on the MB home page too literally.  Guess I will have to re-install an antivirus.

Whoa. Why would you do that? Email scanning by your A/V program is ill-advised and does little other than bog down the email client. But if that's why you want an email program, have at it.


Just now, Telos said:

Whoa. Why would you do that? Email scanning by your A/V program is ill-advised and does little other than bog down the email client. But if that's why you want an email program, have at it.

Thanks! - That is the sort of advice someone with limited knowledge like me needs.  If you have the time, can you please expand a bit for me.  The reason I thought I should do this is that I liked, (for no educated reason, just seemed good), I liked the warning that Avast gave me whenever an email message in Outlook was infected.  Now if I understand correctly, I am still protected if I ill advisedly click on a link in one of those messages.  But with Avast I would never have a chance to do that as the program would have already told me there was a problem.  But I would really appreciate any further explanation you can offer.  I would absolutely prefer to only have to run MB 3.0.


Telos:

I am sorry but that is misinformation and incorrect.  To say that scanning email is ill-advised is just plain misinformation.  Having been a network administrator with numerous personnel in varying situations I have seen the value that scanning email provides.  I have seen it segregate, quarantine and eliminate malicious email with and without attachments.  While there is always a delay factor or latency introduced by any anti malware solution, it is not significant enough to dismiss its application ad hoc.

I do not suggest people use Webmail.  I suggest that they use an email client coupled with an anti virus solution.  Email is the major source of malware infections that has been implemented in many campaigns from Locky to Pony to Dridex.  Using an email client coupled with an AV solution can greatly mitigate the risk they pose, their predecessors have posed and what the future has in store.  A person needs the notification that the PDF, DOC, XLS, or Archive file is suspicious or malicious or that the email is a Phish, or Scam, Chainletter or Hoax.  Look at the recent scandals of the US DNC email that was leaked.  DNC personnel were spearphished using Phishing email.  They were lulled into a Phishing site that harvested their email credentials.  If they were not using Webmail and Smart Phones for email and had used an Email Client coupled with an anti virus solution that spearphished email may have been blocked, removed or quarantined.  If they were counseled on proper Safe Hex practices and used due diligence such an event may have been thwarted.

Stating " Email scanning by your A/V program is ill-advised and does little other than bog down the email client. " is just plain bad information.

Will_T:

The "regular" member Telos is not a member of "Trusted Advisors" or any other advanced Forum Group and is actually limited in the anti malware advice he/she may provide here.  Please disregard his/her statement.  Reread what I provided and do your research and you will find I have given you correct and fact laden information.

 

 

 

 


Thank you very much David.  I have spent a lot of time researching this afternoon.  I really don't want to re-install Avast as my computer is much faster with it gone.  I had pretty much decided to try Bitdefender.  But reading here it seems many have much trouble with it and MB 3.0 playing nicely together.  Some advanced users have said it works fine for them, but I was scared away from Bitdefender by all the other comments.  It seems like the latest basic version of Norton gets good reviews, but I had it years ago and hated what it did to the speed of my system then.  Maybe it is better now?  I also could not find much here on how Norton works with MB.  If I ran an antivirus without MB it would be easy to decide, but I do not want to do that.  I wish I could run only MB but that seems not to be a good idea especially if I like the email scanning function.  But I am having no luck deciding on an antivirus program that I think would work for me and would also work well with MB running at the same time.  Frustrating.  


40 minutes ago, David H. Lipman said:

I have always been a proponent of Avira AntiVir.  However the Free version does not have an email scanning capability.

 

Thanks David I will look more closely at it. I am more than willing to pay for the right product although once they get up to $50 or $60 per year which several do, you have to look pretty closely at whether they are worth it.  Some of the more expensive versions of the antivirus products actually seemed less attractive than the less expensive or free versions. They had a lot of bells and whistles that I do not need.  I would rather pay for simplicity and efficiency.  Software that fills in what MB does not do seems preferable to software that has a lot of duplication plus all kinds of extra things like parental controls.  Maybe some of the programs let you pick and choose upfront what parts of it to install. I'll go look at Avira pricing and features right now.


After reading about Avira on a few sites, it does look good.  Interestingly on those sites I found a lot of people singing the praises of Avast, contradicting my experience with the latest few versions seeming to slow down my computer.  Makes me wonder if I had simply built up some trouble by running Avast on this computer for 8 years without any reinstalls or cleanup of any type.  Maybe now that I have had Avast uninstalled for more than a week, ran several cleanup programs and scans on my computer, then installed the latest version of MB, maybe now Avast would run more smoothly.  So it seems I have come full circle here! Or at least narrowed it down to Avira or re-installing Avast.  I think I will let my brain take a break from this for the night and decide tomorrow.

Thanks again to all who have offered advice and their experience.  Makes the decision feel a bit less lonely! Just for completion of this thread I will make sure to post back with what I decided and how it is working.

Edited by Will_T

There are plenty of sites out there that test security solutions e.g. AV-Comparatives, Av-Test, MRG-Effitas, SE Labs, Virus Bulletin.  Some of the PC magazines also do a reasonable job e.g. PC Mag. There is enough info in there to keep you busy for plenty of hours!

In terms of how much security suites slow your PC down, AV-Comparatives do run a specific Performance Test and Avira does indeed perform well.

The last time I looked properly, I decided on Kaspersky.  Back then it was a toss up between Kaspersky & Bitdefender and they always seem to be near or at the top of any comparisons.

Before buying, you might want to check the websites & forums for any incompatibilities with any other security software you are running.

I would suggest testing the trial version, before buying (to find real world problems on your system).

When it comes to buying, boxed versions via Amazon (other shopping websites are available) are often much cheaper than buying directly from the manufacturer, particularly if you buy last year's version, which shops don't like to have on display and therefore discount (you can of course update the version after you install).

 

 


Thanks Mark - That testing site seems to be a good comparison.  The more I read about the testing results of the various programs, the more I think my evolving dissatisfaction with Avast slowing my system down is really a result of my system.  I bought it in 2009 so it is quite old.  I suspect if I had a current computer, I would be happy with any of the A/V program speeds.   Below is a clip for the system information screen:

Win 7 with 4GB RAM
Bios date 9/10/2009 
Intel Core i7
Q270 @ 1.60GHz, 1597MHz, 4 Core(s) 8 Logical Processor(s)

I have been looking to replace it for 6 months or more but have not yet found what I want.  I actually have 2 computers, the above HP Laptop which is 16" screen and heavy.  It just sits on my desk attached to a 24" monitor.  I also have a 6+ year old Acer Aspire Netbook which I take with me as it is smaller and much lighter.  It is also slow.  I want to replace them both with a computer that would fit both purposes, portable and when home, easily attached to the monitor.  I am waiting to see what the next version of the Surface Pro and Book are.  So I may go on compatibility with MB, and recommendations and testing results to pick an antivirus and assume I'll be happy with performance when I get a new computer.  Thanks again Mark.


The BIOS date is a moot point and has no bearing on this discussion.

Otherwise there is nothing wrong with that platform.  However, if it is a Windows 64bit OS you may opt to add more RAM.  Depending on the make and model of the motherboard/system you may also be able to not only increase the quantity of RAM but apply a faster RAM module.

Edited by David H. Lipman

Mr Lipman knows that real-time scanning provides the same malware protection against malware email attachments, if and when someone unwittingly "opens" such an attachment. To scan every email is wasted effort, and many A/V products that provide that capability do so awkwardly with consumer grade email programs. Know too that Mr Lipman began his forum involvement here with a post count of one, so if it pleases him to bash others who lack his posting level and who choose to express their 'net life in different ways, so be it.


Like I wrote, Telos is a regular member and can not provide anti malware advice.  This Forum has set certain criteria to protect regular members from bad advice. 

As an example; reference:  Groups authorized to help with malware removal logs

MBAM's scanner only targets PE files.  That is, MBAM specifically targets binaries that start with the first two characters being: MZ
They can be: EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.

MZ-binary.jpg

MBAM does not target other file types so there is little overlap.  The files that come via email are most often not PE files.  They are Scripted Malware, Documents and media files.   When a malicious email is sent with a PE file attachment, the malicious actors hide the maliciousness of the file.  They may exploit Microsoft's repeated stupidity in setting the OS to "Hide extension of known file types" so when they do send PE files they often use double extensions such as MyDocument.PDF.exe.  The recipient sees MyDocument.PDF because the .exe is hidden and thinks it a PDF.  Or they will use a funky schema implementing character Right-to-Left Override ( aka; RTLO ) which Windows Explorer ( the OS Shell ) interprets and confuses the recipient by hiding the EXE in plain sight.  They may also take advantage of the fact that MS-DOS is a fore-father of Windows and in CP/M and DOS executable files use the .COM file extension.  Windows inherits that file extension as an executable file extension.  Malicious actors will exploit the fact that the original Internet TLDs used .COM  for a COMpany.  They rename an EXE file to something like Google.Com and Windows will execute it as if it had the .EXE file extension.  MBAM will indeed target these.  But MBAM will not flag emails that have a DOC or XLS Macro downloader trojan or JRAT or QRAT.  As I have stated before a MAPI and/or VIM compliant AV solution or one that uses a POP/IMAP proxy will decode MIME and look at not just the attachments but the body of the email.

Since there is little overlap ( that being PE files ) it behooves the email recipient to segregate, isolate, quarantine and/or delete those malicious emails that do not contain a PE file attachment.  Simply put, there is more to malicious emails than just PE file attachments and the email recipient should be alerted to them and protected from them.

BTW:  I did not get to be a member of this Forum's "Experts" group through posting volume.  I was granted that privilege based upon vetting a few months after I joined.

 

Edited by David H. Lipman
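
The checks described in the two posts above (decoding the MIME message before the user opens anything, and the MZ, double-extension, RTLO and .COM tricks) can be sketched as follows. This is an added example, not part of the original thread and not how MBAM or any antivirus product is implemented; the `DECOY_EXTS` and `NON_PE_CARRIERS` lists, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RTLO = "\u202e"  # Unicode Right-to-Left Override character
PE_EXTS = {"exe", "cpl", "sys", "dll", "scr", "ocx"}   # PE extensions named in the post
DECOY_EXTS = {"pdf", "doc", "xls", "jpg", "txt"}       # assumed "looks harmless" extensions
NON_PE_CARRIERS = {"doc", "docm", "xls", "xlsm", "js", "vbs", "jar"}  # assumed list

def inspect_attachment(filename: str, payload: bytes) -> list:
    """Return the findings for one decoded attachment (name plus raw bytes)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    is_pe = payload[:2] == b"MZ"          # content check, independent of the name
    if is_pe:
        findings.append("pe-magic")
        if ext not in PE_EXTS and ext != "com":
            findings.append("pe-renamed")  # e.g. an MZ binary called .jpg or .txt
    if len(parts) > 2 and ext in PE_EXTS and parts[-2] in DECOY_EXTS:
        findings.append("double-extension")  # MyDocument.PDF.exe
    if ext == "com":
        findings.append("com-extension")     # Google.Com is treated as a program
    if RTLO in filename:
        findings.append("rtlo-in-name")
    if not is_pe and ext in NON_PE_CARRIERS:
        findings.append("non-pe-carrier")    # outside a PE-only scanner's scope
    return findings

def scan_message(raw: bytes) -> dict:
    """Decode a MIME message and inspect every attachment without opening it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report[name] = inspect_attachment(name, data)
    return report

def build_sample() -> bytes:
    """Constructed test message; the payloads are inert header-only stubs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    mz_stub = b"MZ" + b"\x00" * 62                 # two magic bytes and padding only
    ole_stub = b"\xd0\xcf\x11\xe0" + b"\x00" * 60  # start of the legacy Office signature
    for name, data in [("MyDocument.PDF.exe", mz_stub), ("holiday.jpg", mz_stub),
                       ("Google.Com", mz_stub), ("invoice.xls", ole_stub)]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(f"{name}: {', '.join(findings) or 'clean'}")
```

The `non-pe-carrier` finding only marks an attachment type that a PE-only check never looks at; judging whether such a document or script is malicious needs the broader signature base the posts attribute to a full antivirus product.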


Thank you for that lucid explanation, David, I'm sold!

I've junked MSE after a brief flirtation and reverted to AVAST Free Edition with File System, Mail and Web Shields enabled. It also seems to play much better with Malwarebytes 3.05 than MSE did.

Also, I use CryptoPrevent 8.0 Premium on my Windows 7 Home Premium 64x notebook and that does a very good job of blocking the opening of files with duplicate extensions amongst other things.

Iain

Edited by TempLost
Additional Info

Thanks again David for the thorough explanations.  I am going to install the antivirus when I decide in a little while after I read a couple more links I have on Avira.  I now think that my perception of Avast slowing down my system may have been more a problem with my computer rather than Avast. Things are cleaned up and optimized better now.  And, if I go with the paid version of a/v I can turn off all the ads and some of the popups that were annoying.  This raises a couple of questions for me though:

When installing and configuring an antivirus program like Avast, it seems there is some overlap between antivirus and MB 3.0 and I wonder if I should leave the overlap in place or not use them in the a/v program?

For example, Avast lets you pick the parts you install. (See attached screenshot)  Some of these, like Web Shield, Browser Protection, maybe even File Shield, seem like they might be redundant if you have MB 3.0?  Should they be installed anyway or left out?

Other parts of Avast I don't need, either because I have other programs that do the same or just don't want certain things, and it is nice to be able to exclude them when installing.  Examples:  Software Updater, Remote Assistance, Secure Line, Cleanup, Home Network Security, Secure Virtual Machines, and Passwords are all things I either do with other programs, or don't want. I am unsure about antivirus Web Shield, File Shield, and Browser Protection.  Does MB 3.0 cover those adequately? Will enabling them in an antivirus program "increase" the protections, or just possibly create conflicts?

Thanks again for all the help in this thread. 

Avast.JPG


20 minutes ago, David H. Lipman said:

I think you are on the right track and tact.

Thanks -  But what do you specifically think about, for example, Avast modules for "File Shield" "Web Shield" and "Browser Protection"?  Do they overlap MB 3.0 and if yes, would you leave them out of an Avast install?  Or install them for redundancy?
