Personal tools
You are here: Home Security Windows defanged_email
Document Actions

defanged_email

Why is my mail marked ``QUARANTINE''?

E-Mail messages containing attachments which are potentially dangerous to systems running Microsoft Windows are probably the primary cause of ``virus'' infections on these machines as the Microsoft Outlook mail clients often execute the attachments automatically, infecting the machine with worms (also known as ``virus'' or ``spyware'').

Why are .zip files quarantined?

Most of these attachments are files that Windows will execute automatically (e.g. they have a .exe, .com, .pif, or other suffix that Windows uses to determine if a program is executable). In early 2004, these worms started to appear in files with a ``.zip'' suffix, a format normally used to bundle together and compress documents for e-mail transport. This probably was effective because Windows XP would automatically extract the contents of the ``.zip'' files where older versions of Windows required the user to use a program such as WinZip to extract the files. In early February 2004, well over fifty percent of the worms I found were embedded in ``.zip'' files, often with innocuous sounding names like ``document.zip'' or ``readme.zip''.

Bogus Microsoft security updates and messages from your ISP

Many of the messages containing these worms appear to be security updates from Microsoft, notices from your ISP saying that your e-mail account has been disabled, Some even contain encrypted ``.zip'' files with a password in the plain text part of the message, and ask the recipient to unpack the file using that password. This is akin to asking you to pick up the gun, load it, then shoot yourself in the foot -- unfortunately it works all too often!

What is Defanging?

In order to minimize the accidental infection of Windows machines by these worms, incoming mail containing potential worms have been modified to ``defang'' the attachments, changing the file name to one that's not automatically executed by Windows. This allows the recipient to manually change the file name using the right-click ``Save As'' in case the attachment is something useful, and not a worm. Other changes include adding ``QUARANTINE'' to the Subject of the message, and inserting an explanation of the changes made.

These changes increase the size of the message by a few hundred characters, and make it much more difficult to accidentally infect the machine with worms, virii, or spyware. Unlike A/V methods that remove the attachments entirely, this doesn't have any effect on wanted attachments other than requiring a ``Save As'' to rename them.

January 2020 »
Su Mo Tu We Th Fr Sa
1234
567891011
12131415161718
19202122232425
262728293031
 

Powered by Plone CMS, the Open Source Content Management System

This site conforms to the following standards: