Monday, November 16, 2020
Can emails that don’t contain malicious links suddenly become malicious over time?
Is that possible purely theoretically?
A question from one of our readers
And here is our answer to the question: No, unlike food, emails don't have a limited shelf life. They don't spoil.
An email consists of a number of header fields and one or several data sections. When a message is transmitted across the Internet, information can get added to the header fields. When emails are processed by mail servers (when a message is being sent, forwarded or received), the server can also add signatures to the messages, change information in the header fields and discard the attached files. However, the stored message itself remains unchanged and, consequently, can't become malicious.
However, if an email is malicious from the start (for example, a previously unknown malicious file is attached to it), or if a link in the message points to a website that has recently been compromised or purchased by threat actors, the message still poses a threat. Furthermore, a website whose URL appears in a message can be turned malicious later, after the message has been sent. By activating the malicious content only after delivery, attackers ensure that their bogus emails aren't blocked or removed when a mail server examines them. We described this threat in one of our recent publications.
And this creates big problems for anti-viruses. Email clients such as Office Outlook store messages in databases whose format is fully known only to the application's developer. Malware researchers may well be able to extract data from files of this kind, but there is no guarantee that they can decipher everything. The partial support for Microsoft Word document formats in other office suites is another good example of compatibility issues that can't be fully resolved: because the formats are proprietary, third-party developers can't create fully compatible products despite years of work, and there are always documents that won't display properly in other suites even though, on paper, those suites support the formats.
The same is true for email databases. Anti-viruses can scan them but can't remove the emails. We’ve already talked about Outlook, so let's discuss The Bat! now.
This email client stores messages in MESSAGES.TBB files. Well-designed anti-viruses can parse messages found in the database. However, if a threat is detected, they can display a warning but won't be able to delete it.
As a result, the only option left for an anti-virus is to delete the entire email database—a likely possibility in situations when the user chooses to run a full system scan and specifies "Remove" (rather than "Move to the Quarantine") as the desired action to be performed with identified threats.
But let's assume that a user has run a custom scan, discovered that the email database contains an old malware-laced message, and decides to delete it manually. Here is yet another pitfall. The message may already have been deleted by the user yet still be present in the database. That can happen because deleted messages are often treated the same way as deleted files: they are marked as deleted but may remain in storage. To ensure that a message is really gone, the user may need to perform additional actions, e.g., compress the mail database.
Why doesn't the data file get smaller after I have removed some emails?
That happens because deleted messages remain in the database, more specifically, in Outlook's .pst file. To decrease the file's size, you need to compress it.
Note, though, that database compression may be unavailable for certain applications or application versions.
It has been noted that the data file gets overwritten in Outlook 2016. However, the file doesn't get compressed automatically.
The Anti-virus Times recommends
To completely remove a message, remove it from the Deleted folder (or the similar folder in your application) and compress the mail client's data file if possible.
SpIDer Guard's option to scan archives and email files is disabled by default because an infected file inside an archive or a mail data file doesn't pose a severe threat to a system: it can't be launched instantaneously. To launch such a file, it first needs to be extracted from the archive or the data file and written onto the hard drive as an actual file—something the file monitor will never let happen. If one of these options is enabled for SpIDer Guard, the anti-virus may require a large portion of the system memory to extract and scan the archived content. And if, for some reason, the system is unable to allocate the required amount of memory to the application, the hard drive will be used instead, which, in turn, will slow everything down even more. Enabling these options does very little to improve overall security but increases the anti-virus's memory footprint. For example, if an archiver or a mail client is being used extensively, the anti-virus will increase overall CPU, memory and disk usage because it will have to scan the bulk of a constantly modified database or archive over and over again.
Add mail data files onto the anti-virus's exceptions list, but don't forget to scan them periodically.
Store email messages on the server. In this case, they will be checked every time they are downloaded.
There is one more way to ensure that no suspicious message ends up being stored on your computer. The idea is to first download only message headers from the server and to delete unnecessary emails on the server, without downloading them to your computer.
Bear in mind though that messages from familiar-sounding names may be part of a phishing campaign mounted by scammers.
And here is a recommendation that you probably shouldn't relay to your superiors. If you do, you can always say that this piece of advice came from the police. 😊.
Furthermore, never rush to open attached files even if they are from your friends or colleagues or have been sent on behalf of a well-known company.
Don't forget, malicious programs exist that are still unknown to the anti-virus. It will learn about them sooner or later, but it can't recognise all the malicious programs in existence at any one point in time.
Executable files do not necessarily have the EXE filename extension. If you see an attached file whose name has some unusual extension affixed to it, don't open it.
Pay attention to filename extensions. Files with the following extensions may be particularly dangerous:
- ade, adp, bas, bat
- chm, cmd, com, cpl
- crt, eml, exe, hlp
- hta, inf, ins, isp
- jse, lnk, mdb, mde
- msc, msi, msp, mst
- pcd, pif, reg, scr
- sct, shs, url, vbs
- vbe, wsf, wsh, wsc
Malware files are often disguised as ordinary image, audio, and video files. Enable the option to show extensions for known file types to see the actual extensions filenames have.
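As an added illustration (not code from the original article or from Doctor Web), the check below parses a raw email with Python's standard `email` module, walks its attachments, and flags file names whose real extension, the text after the last dot, is on the list above, including disguised names such as `beach2.jpg.scr` that a client hiding known extensions would show as `beach2.jpg`. The sample message and its attachment names are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article lists as potentially dangerous, lower-cased.
DANGEROUS_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "eml",
    "exe", "hlp", "hta", "inf", "ins", "isp", "jse", "lnk", "mdb", "mde",
    "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shs",
    "url", "vbs", "vbe", "wsf", "wsh", "wsc",
}

def classify_attachment(filename):
    """Return (verdict, real extension) for an attachment file name.

    The real extension is whatever follows the LAST dot, so "photo.jpg.scr"
    is a .scr screensaver executable regardless of what a mail client that
    hides known extensions displays. Trailing dots and spaces are stripped
    because Windows drops them when the file is written to disk.
    """
    name = filename.strip().rstrip(". ").lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in DANGEROUS_EXTENSIONS:
        inner = name[: -len(ext) - 1]          # file name without the real extension
        if "." in inner:                        # e.g. "beach2.jpg" + ".scr"
            return ("dangerous (disguised double extension)", ext)
        return ("dangerous", ext)
    return ("not in list", ext)

def audit_message(raw_bytes):
    """Parse a raw RFC 5322 message and report (name, ext, verdict) per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        verdict, ext = classify_attachment(fname)
        findings.append((fname, ext, verdict))
    return findings

def build_sample():
    """Constructed test message (not a real capture): one harmless image,
    one disguised screensaver, one plain executable."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="beach2.jpg.scr")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()
```

Running `audit_message(build_sample())` flags the `.scr` and `.exe` attachments and leaves `beach.jpg` alone; the same function can be pointed at any `.eml` file read in binary mode.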