With MyDoom (aka Novarg or MiMail.R) still going strong, this is a good time to review good practices for using antivirus scanners and Outlook's preview pane.

First, lets talk about server-side antivirus scanners. If you're an e-mail administrator and aren't using an antivirus scanner on the mail servers, shame on you. There are a number of excellent and affordable antivirus scanners available, many also block file types and offer some antispam capabilities.

If you're scanning e-mail for viruses but not limiting the file types you allow into your network, it's time to review your policy on attachments and at the very least block exe, pif, scr, and bat extensions. While Outlook 2002/2003 block these by default, there are a number of ways users can gain access to them. For a complete list of suggested attachment types that should be removed at the server level, visit the Exchange FAQ.

Please disable virus alerts to external users. Too many of the newer viruses are capable of grabbing addresses from any source to use in the To and/or From fields. This means it's highly likely the address listed in the From field is not really the person with an infected computer, yet they have to deal with the warnings sent by your scanner. Believing the warnings are true, the recipient wastes valuable time scanning their systems to insure they aren't infected. Others are unsure what is going on and open the message and attachment. To make matters worse, MyDoom includes a list of approximately 20 common names which it adds to domains it discovers, often resulting in a flood of NDRs when the virus scanners send out warnings.

Robert Crayk, an administrator and fellow Outlook MVP, had this to say:

"I spent more time today assuring clients that they haven't got the virus because of these types of NDR. The worse one had this as part of their text:

"This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus.

If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus."

I told my client that if the NDR sender had a better administrator 90% of their problems would disappear."

Be a better administrator - disable the external warnings.

Up-to-date antivirus definitions on each desktop will help prevent most viruses, but it can lead to a false sense of security with new, fast moving viruses. As many administrators discovered with MyDoom, a new virus can infect a large number of desktops before they have time to get the antivirus software updated. Removing attachments, including the zip format, from incoming mail is the only way to provide 100% protection.

While it's easy for administrators to run an antivirus scanner on their Exchange server, smaller businesses and home users often rely on the email scanning feature found in most desktop antivirus scanners. While email scanning works, it comes with a cost - it slows send and receives, uses more resources, and often causes Outlook to crash. Older scanners use a popproxy to intercept messages and scan them, resulting in send and receive problems.

With all these problems, how important is it to scan mail at the desktop? Keeping in mind that Outlook blocks executable file types and all attachments are saved to a SecureTemp folder before they are opened, a little bit of common sense and your desktop antivirus scanner set on autoprotect eliminates the need to scan mail as it arrives.

1. Think before opening attachments you didn't request. Don't open attachments you weren't expecting or are suspicious about, especially if they don't include a message from the sender explaining why the attachment was sent-don't rely only on the virus scanner for protection, as it's only as good as its last update.
2. Don't unblock all of the file types Outlook blocks, remove only those types you use often and consider unblocking them only long enough to save the attachment.
3. Visit windowsupdate.microsoft.com and officeupdate.microsoft.com regularly.

These three simple steps can and will prevent many virus infections. For added security, use a firewall that renames or removes attachments.

Every time a new virus or worm makes the news, Outlook users always ask if it's safe to use the preview pane. An article about MyDoom, published last week by InternetWeek.com, added to the confusion when it stated "All that the worm needs to propagate is a user that has an open Microsoft Windows preview pane in Outlook" and "If this Outlook pane is open, the worm automatically scours the user's contacts and files." Both statements are far from the truth.

Outlook's attachment blocking features, added to Outlook beginning with an Outlook 2000 post-SP1 patch released in June 2000, means the preview pane in the later versions is very safe. Coupled with Internet Explorer's iFrame vulnerability patch released in 2001, Outlook's preview is very secure.

Each version of Outlook is more secure than the previous version, giving administrators little reason to disable the preview pane by default in Outlook 2002 or 2003. As always, it's best to stop infected messages at the server or gateway, which means few, if any, viruses should reach user's mailboxes. A responsible administrator will also remove executable file types from messages at the server level. As we all know, when viruses don't make it to the mailbox, the preview pane is 100% safe.

Outlook 97 is very secure, since it cannot render HTML formatted messages. Since users can open HTML attachments which may contain exploits, you'll still need to use an antivirus scanner on the server and/or client.

Outlook 98 is the least secure version. Use Chilton Preview instead of Outlook's own preview pane for the highest level of security. Chilton Preview doesn't render HTML and users can open the message or switch on the default preview pane to read HTML formatted mail.

Preview pane security is much improved in Outlook 2000, especially with the attachment security and iFrame patches installed. Outlook 2000 doesn't run active content in the native preview pane, meaning it's at least as safe to read messages in preview as it is to open them. Chilton Preview makes Outlook 2000 100% secure.

Outlook 2002 has the attachment security features built in, making it very secure, unless administrators allow some file types. However, iFrames may be a problem unless the iFrame security patch is installed. While the native preview pane is very safe to use, Chilton preview can be used with Outlook 2002. Outlook 2002 SP1 allows you to disable HTML rendering on all messages by creating the ReadAsPlain registry key. (See http://www.outlook-tips.net/howto/plain_text.htm)

Outlook 2003's preview pane is very secure and there is no reason to disable the preview pane for antivirus reasons. Chilton Preview won't work with Outlook 2003, but it's not really needed since Outlook 2003 blocks downloaded content by default and users can disable HTML rendering from the Tools, Options, Preferences tab, E-mail Options dialog. [[Update: Chilton Preview was updated in May 2004 to support Outlook 2003]]

Chilton preview is available at http://www.geocities.com/SiliconValley/Peaks/8392/. Since it prevents HTML from rendering, it also prevents web bugs from identifying users. Note that it allows easy access to blocked attachments.