Protecting Outlook against Viruses

Last reviewed on January 6, 2013

Viruses can involve current versions of Microsoft Outlook in one way:

In the past, viruses took advantage of Outlook’s programming capability and weak security and used these methods to propagate:

  • Messages exploiting certain vulnerabilities in HTML mail can force a malicious file attachment to run even if the user only views it in the preview pane or opens the message. Getting the latest patches for Internet Explorer provides protection.
  • Because of Outlook’s easy-to-use programming model, viruses can propagate themselves by reading the Outlook address books and sending new virus-infected messages to everyone found there. However, virus developers seem to be aware of the new security provisions in Outlook, because the latest viruses have included their own SMTP engine to send messages, thus avoiding Outlook’s security prompts.

Beginning with the Outlook 2000 post-SP1 security update, it’s unlikely that anyone will be affected by the HTML vulnerabilities  or viruses that use the address book to propagate. While older versions of Outlook are still in use, virus writers moved on and found newer and better ways to infect computers. In most cases, they use some form of social engineering to convince users to open attachments which then install the virus.

These exploits are not limited to Outlook users – anyone who uses email is at risk from these new viruses – and any that viruses that collect addresses from your computer are more likely to get the addresses from a compromised web-based email account or social media account, not Outlook’s address book.

The best way to avoid a virus infection is to think before opening attachments: if the email message doesn’t make sense, don’t open the attachment.

One time, long, long ago, Outlook’s preview pane was insecure but it’s now slightly more secure than opening a message to read it. In either case, thanks to Outlook’s inability to use “active content” it’s safe to read mail in either the reading pane or an opened message.

This page provides information on how to protect your computer from Outlook-related viruses. While the tips target Outlook, many of the tips apply to any email client.

More Information

Outlook Client Protection

To protect your machine from becoming infected with a virus received via Microsoft Outlook, you should:

Install the latest service packs and updates for your version of Outlook

Update Outlook, Internet Explorer, and other Windows components

Tighten e-mail attachment security

  • Block additional file types by adding extensions to the Level1Add key.
  • Consider installing the Outlook E-mail Security Update. We do not recommend this patch for all systems. Do not install it unless you read the documentation and understand what it will do to your add-ins.If you install the Outlook E-mail Security Update, you may also want to install these updates that depend on it:
  • If you choose not to install the Outlook E-mail Security Update, take these steps:
    • Install the Attachment Security Update for Outlook 97 or Outlook 98 or install Office 2000 Service Release 1/1a (SR1). SR1 includes a feature to extend attachment security protection to any type of file.
    • If you are using Outlook 98 or Outlook 2000, increase the security for HTML mail by following these additional steps to control the security zone for Outlook messages:
      1. Use Tools | Options | Security to set the security zone for Outlook HTML mail to Restricted Sites.
      2. Click the Zone Settings button, then OK.
      3. Select Custom, and then click the Settings button.
      4. On the Security Settings dialog box, choose Disable for all options under these headings:
      • ActiveX Controls and plugins
      • Scripting
      1. Click OK three times to save the updated security settings.
    • You may also want to tighten scripting even in the Restricted Sites zone. See Outlook Does Not Restrict Access to EML Attachments.
  • See Scanning for File Attachments for more ideas on tightening e-mail attachment security.

Practice good anti-virus safety

  • Never open a file attachment that you did not expect to receive.
  • Install an anti-virus program, keep it updated and scan all attached files before opening them. Remember that an anti-virus program may not protect you against the very latest viruses. It may only be as good as your last update.

Other optional protection ideas

  • You may want to tighten the ability of Windows Script Host to run scripts on your system.
  • On Outlook 98 and 2000, you may also want to use Chilton Preview, rather than the built-in preview pane, because Chilton Preview does not support HTML mail and, therefore, does not leave you vulnerable to a malicious HTML mail message.
  • You can use VBA code in Outlook 2000 or 2002 to convert all incoming HTML messages to either rich text or plain text. See To convert incoming HTML messages to Outlook Rich Text or plain text format.
  • Configure Outlook 2003 to display all messages in plain text. Tools, Options, Preferences, E-mail Options and check the box to Read all standard mail in plain text.
  • Use the Microsoft Personal Security Advisor to check for issues with permissions, hotfixes and other possible security vulnerabilities.

Scanning for File Attachments

Instead of blocking certain file attachments, you may want to look at these methods of controlling what happens to attachments.

Also, make sure you know what type of file is actually attached. Some viruses use a double file extension, such as .jpg.vbs. If Windows is set not to show the extension for known file types, the recipient will see the attachment listed as a harmless .jpg file, not a potentially dangerous .vbs file. The solution is to use Tools | Folder Options or View | Options, depending on your Windows version, to change the setting to show extensions for all files.

Confirming File Transmissions

If you are concerned about viruses that use Outlook to propagate, you may want to require confirmation of all outgoing messages that contain file attachments. For a code sample, see:

Another approach is to set up Outlook not to send mail automatically. For Exchange Server users, this means setting up offline folders, working offline and synchronizing periodically. For Internet mail users, the exact settings depends on your version of Outlook, mode and Internet connection type, but you’ll generally find the right options in Tools | Services, Tools | Accounts or Tools | Options.

Note, however, that the latest viruses include their own SMTP engine for sending mail, so these techniques may not actually block virus propagation.

More Information

Most versions of Outlook provide a way to filter largish incoming messages. See Download limits to combat Swen for details on this anti-virus tip.

If you want to provide protection at the server level, as well as on the client, these tools can help:

Also see:

Written by

Diane Poremsky
A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.

If the Post Coment button disappears, press your Tab key.