Tip

Delete mail messages that contain auto-executing viruses


If, as I do, you use the Notes mail client at home, viruses like W32.Magistr.39921@mm and W32.Badtrans.B@mm can be a real problem. If they get into your mail file, you can't delete the email message that contains them. If they slip past the server antivirus software at work, you have the same problem. Unfortunately, there is nothing you can do in the Notes client that prevents them from executing - this is a real weakness in the present implementation of the ECL.

If you mark the infected message for deletion, the virus executes when you press F9 to delete it. Fortunately, software like Norton AntiVirus will catch it and prevent it from damaging your PC. (These days I am paranoid about keeping my antivirus software up to date.) The real problem is that you can't delete the infected mail message through the Notes client front end.

One solution is to write some code to delete the infected message via the Notes back end. But that is a lot of work, even if you are a good Notes developer. Not wanting to waste so much time, I discovered a much easier way to delete the infected mail via the back end, and that is via the web browser. This technique works for both local and server mailboxes, and for both the standard R5 mail template and the iNotes mail template.

1) Ensure that you have the ACL rights to delete a message from the web browser. For a local client, you can turn replication off and give "Anonymous" Manager rights with delete. (Remember to reset the ACL rights when you are done!) If you are prompted to log in to your local client, your ACL rights are not set correctly for this procedure.

2) Open the In-box in the web browser. Click on any message in the inbox, and then use Actions... Preview in web browser...

3) Delete the infected mail message.

4) Empty the trash (this is the step that actually removes the infected message from the mail file.)

5) Close the browser, and you are done.

That's all there is to it. I hope this saves you from wasting the time I spent solving the problem.
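The back-end route mentioned earlier in the tip can be sketched as a LotusScript agent. This is an added example, not code from the original tip: it assumes it runs as an agent inside your own mail file, and `SUSPECT_SUBJECT` is a constructed placeholder you replace with the exact subject of the infected message.

```lotusscript
' Added example (not from the original tip).
' Agent in the mail file, run from the Actions menu with target "None".
Option Public
Option Declare

' Constructed placeholder: set to the exact subject of the infected message
Const SUSPECT_SUBJECT = "PLACEHOLDER: subject of the infected message"

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim inbox As NotesView
    Dim doc As NotesDocument
    Dim nextDoc As NotesDocument
    Dim removed As Integer

    Set db = session.CurrentDatabase
    Set inbox = db.GetView("($Inbox)")
    If inbox Is Nothing Then
        Print "($Inbox) view not found; nothing deleted"
        Exit Sub
    End If

    ' Walk the view with back-end classes only; no document is opened in the UI
    Set doc = inbox.GetFirstDocument
    Do Until doc Is Nothing
        ' Fetch the successor first: a removed document cannot be used to navigate
        Set nextDoc = inbox.GetNextDocument(doc)
        ' Match on subject AND presence of an attachment/embedded object,
        ' so a plain-text message with the same subject is left alone
        If doc.GetItemValue("Subject")(0) = SUSPECT_SUBJECT And doc.HasEmbedded Then
            ' Remove(True) forces the deletion even if the document
            ' was modified after this agent read it
            If doc.Remove(True) Then removed = removed + 1
        End If
        Set doc = nextDoc
    Loop

    Print removed & " message(s) removed through the back end"
End Sub
```

Because the agent works with your own access to the mail file, it does not require giving "Anonymous" any rights in the ACL.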

USER FEEDBACK TO THIS TIP

  • After reading this tip, I was shocked by the inappropriate implications that Chris presents here. Both viruses mentioned use specific Outlook exploits to autorun on anybody's machine, as you can easily verify on the Symantec website (Symantec Security Response, http://securityresponse.symantec.com). There is no way to do the same in the Notes client. Of course, you can execute the viral code if you launch the infected attachment, but then it is you executing it, not Notes. In such circumstances, because the virus uses the MAPI functionality, there is a chance that the virus can misuse Notes if Notes is installed as a MAPI service provider on your machine. This is the case if you are able to send mail directly from other applications like Word.

    I just tried to mimic the situation Chris is describing, but it really does not work that way: I disabled NAV (Enterprise Edition, version 7.5) and sent myself a mail to which I had attached a file infected with W32.Badtrans.B@mm. After that, I reactivated NAV. As most specialists usually recommend, I did not open the infected message, but deleted it directly in the inbox view. Then I hit the F9 key to permanently remove the marked-for-deletion message, and it went away without any further message from NAV. No execution at all; not even the NAV scanner was triggered, which is correct behavior.

    Next, I opened the infected message, thinking that not all people recognize viral messages immediately from the subject. Now NAV triggered directly on opening the document and warned me that it had found the W32.Badtrans.B@mm virus and was unable to repair the attachment, so it quarantined and removed the attachment from the mail message. From that point on, there is no problem removing the message in question.

    So my question: what is Chris really seeing as a message from NAV at the moment he supposes the viral code tries to execute? How did he access the infected message inside the Notes client at all? Did he open the message, and if so, why did NAV not kick in at that moment? Is the NAV mail support configured correctly? Unfortunately, the tip does not give enough detail to really analyze the situation.

    —Jens-B. Augustiny, Certified Lotus Professional (CLP)

This was first published in January 2002
