Unable to delete Outlook SPAM with a malware payload

While using Outlook 2011 for Mac, I've recently received several SPAM messages with attached files containing Windows trojans or other malware.  Once these messages arrive in my inbox, I see a warning from Sophos Antivirus and Outlook freezes.  If I attempt to select the message, it highlights, but no action is possible.  If I right click and select "delete" the highlighting jumps to a random message while the SPAM message remains in the inbox.

While this is happening, the Sophos quarantine manager attempts to delete the threat, but Outlook keeps downloading new copies to the cache.  The only escape requires force-quitting Outlook.  If I then restart Outlook, the problem resumes.
If I access the Exchange server using Outlook Web Access, I am unable to delete the SPAM message, or any other message.  I just get an error stating that there's a server configuration problem.
The only way I can recover from this situation is to log on to a Windows 7 box, open Outlook 2010 and delete the message.  Outlook on Windows has no problem deleting the message.  I can then run Sophos antivirus to clear the cached malware attachment.
All the malware has been Windows oriented, so there's no threat to my Mac, but losing the use of Outlook while being unable to delete a SPAM message is more than a little disturbing.
There does not seem to be any preference I can set to keep Outlook from automatically downloading attachments.
I'm running OS X 10.6.8, Sophos 8.0.5c and up to date versions all the Office 2011 products.
  • Update: I posted this on the Microsoft forum, and Microsoft blames the issue on Sophos Antivirus for Mac.  Since the problem renders Outlook 2011 unusable when an email containing the malware is received, it would be nice if someone from Sophos would reply.
  • Have you tried changing your setting from "Delete" to the default "Deny access"?  My guess is that the problem is in how file deletion interacts with Outlook's message database/attachment storage/message index format.  Encrypting your mailboxes would fix the problem, but then you wouldn't detect any malware in Outlook until you attempted to copy/run it.

    You could also exclude the folder where you store your mailboxes, with the same issue of not scanning the contents.

    The other option is to temporarily disable on-access scanning and delete the offending email from within Outlook.
  • Hi Andrew,

    The problem first surfaced while SAM was set to "deny access". I changed the setting to "delete" in an attempt to remedy the behavior.  I'll try changing it back. Deactivating on-access scanning after the initial detection doesn't seem to help. It seems that Outlook downloads multiple copies of the malware attachment once it arrives in the Outlook inbox.

    I suspect that the root cause lies with Outlook, despite Microsoft's denials, but I appreciate you looking into it.
  • What server do you have backing your outlook client?  GMail over IMAP?  ISP over POP3?  If POP3, do you have it set to keep the messages on the server for X amount of time?

    It'd be good to figure out at which point this weirdness is being triggered (likely that Outlook gives up too soon and re-tries when Sophos has the file handle locked -- but if on-access is disabled, this should not be an issue).
  • Seeing the same issue with an Exchange 2010 backend?

    Is there any update to this? 

    George
  • The best workaround I can think of is to make a note of the file path to the blocked item, and exclude that path from on-access scanning.  Since the path should be a temp path for attachments, the attachment should be moved to a different location prior to being executed, so the threat risk to having the path excluded should be minimal (but it will still exist).

    That said, I'm pretty sure you can configure Outlook so that it doesn't immediately pull down attachments: set it to download message headers only.  If you want the message body, you'll need to grab the attachment as well -- but if you never read the bodies of the infected messages, you'll be able to delete them before Sophos gets its hands on them.

    The problem here has to do with how Outlook stores its data; downloading the attachments happens in such a way that they're stored in the same file Outlook uses for other purposes -- so when Sophos locks the file, Outlook can no longer manipulate the other messages in the file.