
Is there an antivirus that does not slow you down?

Discussion in 'Security and Privacy' started by sallam, 2002/10/22.

Thread Status:
Not open for further replies.
  1. 2002/11/02
    KenKeith

    KenKeith Inactive

    Joined:
    2002/01/09
    Messages:
    305
    Likes Received:
    0
    Bill states:
    Isn't it true that one previewing their e-mail is viewing downloaded data with the objective to delay the opening of the file until verified; and if an infected file is not opened it cannot propagate into the system?
     
  2. 2002/11/02
    Bill

    Bill SuperGeek WindowsBBS Team Member

    Joined:
    2002/01/11
    Messages:
    3,332
    Likes Received:
    389
    Okay - here goes - first and foremost, I think that everyone should have:
    1. A good software firewall
    2. A hardware firewall (NAT)
    3. An updated AV with active monitoring turned on all the time
    4. Self discipline.

    I use Norton AV and I do have active monitoring on all the time and I think everyone should have it on all the time. The originator of this thread wanted to know how to minimize performance impact.

    As for performance impact - scanning email is a given and for me a worthy delay - I agree with you completely billybob. But I think the hit Sallam was talking about is different. Any program that scans all disk writes does impact performance. And with a 700AMD, he is likely to feel it.

    Also, brett is right, viruses do not need to go out by email - they hunt for other available ports and holes that MS failed to block - and that is where a good firewall comes in.

    KenKeith - I am not sure of your question - but having autopreview turned on in Outlook, for example, is different from what I am talking about. In Outlook preview, yes it is already downloaded and opened and a potential danger. With Mailwasher type programs, it is not downloaded so you are safe. It can tell you if there are attachments but you cannot view them because they are not downloaded. The idea is that you can determine if it is a legitimate email you want or not. And if not (or if you are unsure and want to be safe) you can mark it for deletion and Mailwasher will delete it for you. Then, when you open your email program, that deleted item will not be there to be downloaded.

    later...
     
    Last edited: 2002/11/03


  4. 2002/11/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    BillyBob wrote:

    You'll have created firewall rules permitting your e-mail client to establish a connection; you (hopefully) will not have created similar rules for W32.Trojan.Password_Pincher! The latter will, therefore, hopefully be blocked!
     
    Last edited: 2002/11/03
  5. 2002/11/03
    Bill

    Bill SuperGeek WindowsBBS Team Member

    Joined:
    2002/01/11
    Messages:
    3,332
    Likes Received:
    389
    It is not just that we have set the firewall to allow email or browsing. Extreme bad guys can also use FTP or UDP or other open ports to get in (or back out if already in). And I would hope that every firewall out of the box is default set to watch those and all other ports - If you connect to the Internet, you become vulnerable. Period. The only way you can be 100% safe is to physically disconnect from the internet. But you can be 99% safe with a personal firewall, updated AV, and self-discipline, that is don't open unknown unsolicited attachments or email - even if it is from someone you know - as you all know, some viruses read address books and send themselves along to the contacts it finds.

    I recommend everyone check out Steve Gibson's security site (grc.com). There you can get LeakTest to see if your system has any holes (although as I type this, the test site is down for maintenance for a day or two).
     
  6. 2002/11/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    brett

    Wouldn't that require that the Trojan in question come up with a window asking if I wanted it to have access or not ? The same as Eudora or other programs do ? Otherwise how would I even know it was wanting to go out ?

    Bill

    I agree with that. But that also was what I tried to imply when I wrote about it being a COMBINATION of Software and user.

    I agree with Norton not slowing things down too much. But I have also had to turn off things like checking the Floppy at shutdown. Not that it necessarily will but CAN hang up a shutdown forever.

    Most software of any type may need a little user intervention to make it work properly on their system.

    KenKeith

    I will need to wait till I get some e-mail to check this out ( to be sure for myself ), but I am quite sure that Bill is correct. You can not open attachments with MailWasher. I know it will not download mail.

    I know he is correct about OE & Outlook. Auto preview enabled can be a little dangerous.

    If you hit the Process Mail button it will start your normal e-mail program for downloading to the PC.

    BillyBob
     
  7. 2002/11/03
    Bill

    Bill SuperGeek WindowsBBS Team Member

    Joined:
    2002/01/11
    Messages:
    3,332
    Likes Received:
    389
    BillyBob - I thought about shutting down check for floppy but decided against it when a friend of mine borrowed a floppy at work, copied a couple files he needed and brought it home. The borrowed floppy had a boot sector virus. He slapped it into his wife's new PC he had just built but had not installed an AV yet (you can see where this is going...). Sure enough, he left it in the system and next time he rebooted, it tried to boot from floppy and he was successful in infecting her new system.

    That's one reason I set my bios to not boot from floppy first.

    So if you ever bring home a borrowed floppy, be careful!
     
  8. 2002/11/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    BillyBob wrote:-

    Yes (although some malware does have the ability to shutdown a firewall).

    I think we might be misunderstanding each other. I thought that you were suggesting that a firewall wouldn't stop egress communication/transmission by malware because such communications/transmissions would invariably be routed through an e-mail client which, of course, would already have permission to connect. But maybe you were suggesting something else?
     
  9. 2002/11/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Yes. Very careful.

    My neighbor wanted me to check out a floppy to see if it would boot my machine.

    Now mind you I already knew that he had had at least one Virus infection and refused to run AV software properly setup. And would not redo or AV check his boot disks. He said NO need to.

    My answer to him was;

    Do you take me for an IDIOT ? If it won't boot your machine what makes you think it will boot mine. I do not know why but he has not asked me for help since. But he did mention that he had another possible Virus infection.

    My answer there was; No Comment.

    BillyBob
     
  10. 2002/11/03
    Bill

    Bill SuperGeek WindowsBBS Team Member

    Joined:
    2002/01/11
    Messages:
    3,332
    Likes Received:
    389
    Gee BillyBob - I am really sorry you lost such a wonderful and thoughtful friend!!! :D ;)
     
  11. 2002/11/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    brett wrote

    Yes that was in my thoughts also. ( shutting down the Firewall and/or AV )

    And you could not be more correct as to * Possible *
    misunderstanding. Which is very easy to do via this method of communication.

    And I am very pleased to read that you see it that way.

    But in general here I think you understood correctly.

    But I believe that we all will agree to the fact that doing all that we can to stop the **** from getting to the machine in the first place is the better way to prevent problems. Even if it does result in a slight system slowdown.

    To repeat what I have said before. " Speed is my LOWEST priority. " Protecting the system and keeping problems to a minimum is my HIGHEST priority.

    BillyBob
     
    Last edited: 2002/11/03
  12. 2002/11/03
    KenKeith

    KenKeith Inactive

    Joined:
    2002/01/09
    Messages:
    305
    Likes Received:
    0
    Maybe I am a few generations behind the state-of-the art software to protect systems so please excuse my ignorance.

    I am attempting to mentally chart the data flow via e-mail. I assume when e-mail is sent it has to be stored and the receiver's e-mail program opens the file (after being scanned by protective software) and attachments are not scanned and the system is vulnerable because attachments can not be scanned. If I take literally Mailwasher's function, the receiver's Mailwasher program re-establishes a connection with the sender when and if the Process Mail button is hit and then the data is downloaded?
     
  13. 2002/11/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    MailWasher is capable of neither downloading nor sending Mail. Apparently it only READS the mail ON THE SERVER.

    In order to actually download or send mail we must use our default E-mail program.

    Such as OE or in my case Eudora.

    If you check the mail with MailWasher and get out of it, the mail is left on the server. Unless we chose to delete some of it.

    The Process Mail button will only do whatever we have checked for it to do. Delete and Bounce or just delete. ( best choice ) And it can be set to start our normal e-mail program.

    And if neither box is checked it will just start our normal e-mail program ( if we have it set to do so )

    But the rest is left on the server for the regular e-mail program to download. And will stay there until we do something else with it.

    I am not totally aware of how it works but it sure helps to keep unwanted stuff off of the machine.

    Look Here

    BillyBob
     
    Last edited: 2002/11/03
  14. 2002/11/03
    Bill

    Bill SuperGeek WindowsBBS Team Member

    Joined:
    2002/01/11
    Messages:
    3,332
    Likes Received:
    389
    KenKeith - you're basically half way there. If you send me an email, your email goes through your mail server which is probably maintained by your ISP. It then bounces around the world a couple times and ends up on the mail server that provides me mail at my ISP. Then when I call up my email program, it polls the email server asking if there's any mail for me. At that time, if there is mail, the mail server uploads it and my email program downloads it.

    Mailwasher does NOT send mail - sorry BillyBob.

    Where Mailwasher comes to play, is, after configuring MW with my account or accounts (that is my smtp server address, pop3 server address, my user name and password) it then polls my email accounts just like a mail program, only it does not download it. It then lists my waiting email, displaying who it is addressed to, from, subject, date, size and if there are any attachments. I have the option of previewing the mail (in text format only - but that's enough to check it out) and/or view the header. If I am leery of the email, I can mark it for deletion, add that address to my blacklist, or even bounce it back to the user as though my address was invalid (see note below about bouncing). Since MW has its own spam filters, it may mark an email from a friend as spam. To prevent that from being deleted, I add my friend's address to the friendslist then MW will not automatically delete it. After I have marked any email for bouncing/deleting, I click on "Process Mail" and MW does as instructed on my mail server at the ISP.

    All this is done without my Outlook even running. (In fact, I have MW running all the time on my old system and Outlook is on my new system). My outlook is configured to check for new mail only when I tell it to - that way I won't accidentally download an email before MW has a chance to look at it.

    Finally, in my case, after I hit Process Mail, I tell Outlook to check for new mail - it then finds only the email I said MW could let through. I say in my case because you can configure MW to open your mail program after processing. I don't do it that way because my Outlook is on a different machine from MW.

    Hope that helps.

    Now about Bouncing. It was either Brett or BillyBob (I'm too lazy to go back and check) that mentioned that often spam does not always come from where it appears it has come from. That's because spammers often steal another address and send a couple million emails out with that name. This causes problems for the hijacked address owner because then he gets blamed for spamming - often he is totally unaware until he finds out his address has been added to blacklists and all his own mail gets bounced! So if you bounce an email - it may just go back to some unsuspecting user who's wondering why you are bouncing mail back to him. What I found to be a problem with bouncing is that more often than not, the spammer has an invalid return address and so the bounce bounces! And so it is just easier to mark it for deletion and add the address to my blacklist.
     
    Last edited: 2002/11/03
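The "look at the mail on the server, delete what you don't want, download only what is left" workflow Bill describes above rests on two POP3 commands: LIST (message numbers and sizes) and TOP n 0 (the headers of message n with zero body lines). The following is an added example, not MailWasher's code and not from anyone in this thread: it previews a mailbox using only those commands, flags messages from a blacklist for deletion with DELE, and never issues RETR, so nothing is downloaded. The `FakePOP3` class is a constructed stand-in with the same `list`/`top`/`dele` method shapes as Python's `poplib.POP3`; against a real server you would pass a `poplib.POP3_SSL` session instead. The two messages and the blacklist are constructed sample data, and the "multipart/mixed means attachment" rule is a heuristic assumed here, not something the post states.

```python
import email
import email.utils
from email import policy

# Constructed sample mailbox: raw RFC 822 messages as a POP3 server would hold them.
SAMPLE_MESSAGES = [
    b"From: Alice <alice@example.org>\r\nTo: me@example.com\r\n"
    b"Subject: Meeting tomorrow\r\nDate: Sun, 03 Nov 2002 09:00:00 +0000\r\n"
    b"Content-Type: text/plain\r\n\r\nSee you at 10.\r\n",
    b"From: Promo <promo@example.net>\r\nTo: me@example.com\r\n"
    b"Subject: FREE offer inside\r\nDate: Sun, 03 Nov 2002 09:05:00 +0000\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n--b1\r\n"
    b"Content-Type: application/octet-stream\r\n\r\nMZ...\r\n--b1--\r\n",
]

class FakePOP3:
    """Constructed stand-in for poplib.POP3: answers LIST, TOP and DELE from memory."""
    def __init__(self, messages):
        self._msgs = messages
        self.deleted = set()

    def list(self):
        listing = [f"{i} {len(m)}".encode() for i, m in enumerate(self._msgs, 1)]
        return (b"+OK", listing, sum(len(l) for l in listing))

    def top(self, which, howmuch):
        head, _, body = self._msgs[which - 1].partition(b"\r\n\r\n")
        lines = head.split(b"\r\n") + [b""] + body.split(b"\r\n")[:howmuch]
        return (b"+OK", lines, sum(len(l) for l in lines))

    def dele(self, which):
        self.deleted.add(which)
        return b"+OK"

def preview_mailbox(pop):
    """Summarise what is waiting on the server using LIST and TOP n 0 only (no RETR)."""
    _, listing, _ = pop.list()
    summary = []
    for entry in listing:
        num, size = entry.split()
        num = int(num)
        _, header_lines, _ = pop.top(num, 0)          # headers only, zero body lines
        msg = email.message_from_bytes(b"\r\n".join(header_lines), policy=policy.default)
        summary.append({
            "num": num,
            "size": int(size),
            "from": str(msg["From"]),
            "subject": str(msg["Subject"]),
            "date": str(msg["Date"]),
            # Heuristic (assumption): a multipart/mixed top-level type usually carries attachments.
            "has_attachment": msg.get_content_type() == "multipart/mixed",
        })
    return summary

def process_mail(pop, summary, blacklist):
    """Mark for deletion on the server every message whose sender address or domain is blacklisted.

    Returns the message numbers marked; everything else is left for the real mail client.
    """
    marked = []
    for item in summary:
        addr = email.utils.parseaddr(item["from"])[1].lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr in blacklist or domain in blacklist:
            pop.dele(item["num"])
            marked.append(item["num"])
    return marked

if __name__ == "__main__":
    session = FakePOP3(SAMPLE_MESSAGES)
    waiting = preview_mailbox(session)
    for item in waiting:
        print(item)
    print("marked for deletion:", process_mail(session, waiting, {"example.net"}))
```

Deletions issued with DELE only take effect when the session ends with QUIT; that is the "Process Mail" step, and it is why dropping the connection without QUIT leaves the mailbox untouched.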
  15. 2002/11/04
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    ... or, for the mathematically minded, PopFile makes an intriguing alternative!

    POPFile uses a technique called Naive Bayes to calculate the probability that the words in an email mean that that email falls into a specific bucket.

    A bucket is represented by a collection of words and their frequency. The set of buckets is called the corpus and determines the different buckets that an email can be placed in, the probability of an individual word existing in an email for a specific bucket and the probability of an email being in a bucket to start with.

    Suppose there are n buckets B1 to Bn and there are m words in total W1 to Wm. We want to know for a specific email E which bucket it is most likely to belong to.

    We want to calculate the P(Bi|E) for each bucket Bi. That calculation can be performed using Bayes rule as follows

    P(Bi|E) = (P(E|Bi) x (P(E))|P(Bi))

    Here P(Bi|E) is the probability that email E is in bucket Bi; that is the probability that given a set of words E they appear in bucket Bi.

    P(E|Bi) is the probability that for a given bucket Bi the words in E appear in that bucket.

    P(Bi) is the probability of a given bucket; that is the probability of any email being in bucket Bi.

    P(E) is the probability of that specific email occurring.

    To calculate which bucket E should go in we need to calculate P(Bi|E) for each of the buckets and find the largest. Since each of those calculations involves the value P(E) we just ignore it and pretend that we need to calculate

    P(Bi|E) = P(E|Bi) x P(Bi)

    First E is split into the set of words in E, call them E1 through Eo. To calculate P(E|Bi) we calculate the product of the probabilities for each word. That is the likelihood that each word appears in Bi. Here's the "naive" step; we assume that words appear independent from other words which is clearly not true for most languages!

    P(E|Bi) = P(E1|Bi) x P(E2|Bi) x ... x P(Eo|Bi)

    For any bucket P(Ej|Bi) is calculated as the number of times Ej appears in Bi divided by the total number of words in Bi.

    P(Bi) is calculated as the total number of words in Bi divided by the total number of words in all the buckets put together.

    Finally we calculate P(Bi|E) as

    P(Bi|E) = P(E1|Bi) x P(E2|Bi) x ... x P(Eo|Bi) x P(Bi)

    for each bucket and pick the largest.
     
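The bucket arithmetic brett quotes above (word frequencies per bucket, P(Ej|Bi) as a count over the bucket's word total, P(Bi) as the bucket's share of all words, product over the email's words, pick the largest) can be carried through in a few dozen lines. The block below is an added example written for this thread; it is not POPFile's code. It follows the post's formulas with two practical additions that are assumptions of mine rather than part of the post: the per-word probabilities are summed as logarithms instead of multiplied, so a long email does not underflow to zero, and an optional additive (Laplace) smoothing term `alpha` keeps a single never-seen word from zeroing the whole product (`alpha=0` gives the post's exact rule). It also divides by P(E), as Zephyr's correction has it, to turn the raw scores into posteriors that sum to one. The training emails are constructed sample data.

```python
import math
import re
from collections import Counter

def tokenize(text):
    """Split an email into lowercase word tokens: the E1 .. Eo of the post."""
    return re.findall(r"[a-z0-9']+", text.lower())

def build_corpus(training):
    """Build the corpus: one Counter of word frequencies per bucket.

    `training` maps a bucket name to the list of emails already filed in it.
    """
    return {bucket: Counter(w for mail in mails for w in tokenize(mail))
            for bucket, mails in training.items()}

def classify(corpus, email, alpha=1.0):
    """Return (best_bucket, posteriors) for `email`.

    P(Bi)    = words in Bi / words in all buckets
    P(Ej|Bi) = (count of Ej in Bi + alpha) / (words in Bi + alpha * vocabulary size)
    The alpha term is Laplace smoothing (an addition to the post's formula);
    scores are accumulated in log space to avoid floating-point underflow.
    """
    vocab = set().union(*(c.keys() for c in corpus.values()))
    total_all = sum(sum(c.values()) for c in corpus.values())
    words = tokenize(email)
    log_scores = {}
    for bucket, counts in corpus.items():
        total_b = sum(counts.values())
        score = math.log(total_b / total_all)                 # log P(Bi)
        for w in words:
            p = (counts.get(w, 0) + alpha) / (total_b + alpha * len(vocab))
            if p == 0.0:                                      # only possible with alpha=0
                score = float("-inf")
                break
            score += math.log(p)                              # log P(Ej|Bi)
        log_scores[bucket] = score
    # Dividing by P(E) = sum over buckets of P(E|Bi) P(Bi) gives proper posteriors.
    best = max(log_scores.values())
    if best == float("-inf"):                                 # every bucket scored zero
        return None, {b: 0.0 for b in log_scores}
    unnorm = {b: math.exp(s - best) for b, s in log_scores.items()}
    z = sum(unnorm.values())
    posteriors = {b: v / z for b, v in unnorm.items()}
    return max(posteriors, key=posteriors.get), posteriors

# Constructed training data: a handful of emails already sorted into two buckets.
TRAINING = {
    "spam": ["free money, win a prize", "free offer, click now"],
    "ham":  ["meeting tomorrow about the project", "report attached, please review"],
}
CORPUS = build_corpus(TRAINING)

if __name__ == "__main__":
    for text in ("free prize, click", "project meeting tomorrow"):
        bucket, post = classify(CORPUS, text)
        print(f"{text!r} -> {bucket} {post}")
```

Note that P(Bi) here is the bucket's share of words, exactly as the post defines it, so a bucket with many long emails gets a head start; POPFile-style training corrects that over time by refiling misclassified mail.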
  16. 2002/11/04
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    hmmm...I've always used the formula P(Bi/E) = P(E/Bi) x P(Bi)/ P(E)
     
    Last edited: 2002/11/04
  17. 2002/11/04
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I stand both corrected and humbled, Zephyr :D

    BTW, the error was exclusively mine and should not be attributed to the author of PopFile (I changed the layout of the formula so that it would display correctly when pasted into the post and fouled up in the process).
     
    Last edited: 2002/11/04
  18. 2002/11/04
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    :D :D Like you thought nobody would notice. :D Such careless regard for the sanctity of the script could easily lead one to other indiscretions such as attempting to cheat on their income taxes. Fie and shame! :D
     
  19. 2002/11/04
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    It's a lie, I tell you! A lie! :eek:
     
  20. 2002/11/05
    KenKeith

    KenKeith Inactive

    Joined:
    2002/01/09
    Messages:
    305
    Likes Received:
    0
    Simply stated the mathematical expression is designed to do a statistical analysis to determine whether or not certain words or phrases are fairly distributed. If not, what is the probability that certain words or phrases can be attributed to junk mail. If the degree of confidence to sustain favorable probability, the words or phrase are compared to incoming email and majority of junk mail is rejected. With that procedure, good email could also be rejected!
     
  21. 2002/11/05
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Indeed it could; especially if one is in the habit of circulating (free!) hair restoration formulae amongst one's friends :D

    The incorrect tagging of mail is, however, a risk with all forms of keyword based filtering. It's swings and roundabouts - you either look at the spam (or, at least, its headers) or run the risk of losing a mis-tagged mail. Or, better yet, be careful with your email address so as to avoid UCE merchants and to avoid the need for filtering.
     
    Last edited: 2002/11/05