Unable to delete Outlook SPAM with a malware payload

While using Outlook 2011 for Mac, I've recently received several SPAM messages with attached files containing Windows trojans or other malware.  Once these messages arrive in my inbox, I see a warning from Sophos Antivirus and Outlook freezes.  If I attempt to select the message, it highlights, but no action is possible.  If I right click and select "delete" the highlighting jumps to a random message while the SPAM message remains in the inbox.

While this is happening, the Sophos quarantine manager attempts to delete the threat, but Outlook keeps downloading new copies to the cache.  The only escape requires force-quitting Outlook.  If I then restart Outlook, the problem resumes.
If I access the Exchange server using Outlook Web Access, I am unable to delete the SPAM message, or any other message.  I just get an error stating that there's a server configuration problem.
The only way I can recover from this situation is to log on to a Windows 7 box, open Outlook 2010 and delete the message.  Outlook on Windows has no problem deleting the message.  I can then run Sophos antivirus to clear the cached malware attachment.
All the malware has been Windows oriented, so there's no threat to my Mac, but losing the use of Outlook while being unable to delete a SPAM message is more than a little disturbing.
There does not seem to be any preference I can set to keep Outlook from automatically downloading attachments.
I'm running OS X 10.6.8, Sophos 8.0.5c and up-to-date versions of all the Office 2011 products.

  • The best workaround I can think of is to make a note of the file path to the blocked item, and exclude that path from on-access scanning.  Since the path should be a temp path for attachments, the attachment should be moved to a different location prior to being executed, so the threat risk to having the path excluded should be minimal (but it will still exist).

    That said, I'm pretty sure you can configure Outlook so that it doesn't immediately pull down attachments: set it to download message headers only.  If you want the message body, you'll need to grab the attachment as well -- but if you never read the bodies of the infected messages, you'll be able to delete them before Sophos gets its hands on them.

    The problem here has to do with how Outlook stores its data; downloading the attachments happens in such a way that they're stored in the same file Outlook uses for other purposes -- so when Sophos locks the file, Outlook can no longer manipulate the other messages in the file.
