Antivirus feature creates a burden

Security experts urge administrators to turn off a feature in antivirus applications that automatically replies to senders, informing them that they've been infected.

Munir Kotadia Special to CNET News

See full bio

Munir Kotadia

Jan. 28, 2004 1:37 p.m. PT

2 min read

A common antivirus feature that automatically replies to e-mails infected with a virus--to inform the senders that they are infected--is obsolete and should be disabled, because it creates almost as much trouble as the virus itself, according to security experts.

When an antivirus application detects malware in an e-mail, such as the recent MyDoom worm, it can automatically reply to senders of messages to inform them that they have been infected. However, virtually all modern e-mail viruses disguise the original senders' addresses by spoofing the "to" field of the reply message with stolen, but valid, e-mail addresses. This means that users receive e-mails telling them that they are infected when they are not, resulting in significant quantities of unnecessary traffic.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

This additional traffic is a further burden on administrators, because it occurs when companies are trying to clean their systems from the virus attack. Jack Clark, technology consultant at McAfee, an antivirus division of Network Associates, estimates that "bounce-back" e-mails play a significant part in slowing down corporate networks and says the feature should be disabled immediately.

"There is no real point in trying to tell somebody that they are infected, when 99 percent of the viruses that are being produced today will spoof the address. On Tuesday and today, people have noticed that the Internet is a percentage slower. The bounce-back e-mails could account for up to 25 percent of this slowdown," Clark told ZDNet UK Wednesday.

Jay Heiser, chief analyst at IT risk management company TruSecure, agreed. He told ZDNet UK that the automatic notification was a good idea a few years ago but that now, the function was obsolete.

"This technique was useful back in the days before people spoofed e-mail addresses, but it is not something that I would encourage right now. The lines are being clogged up with e-mails flying around, not only from the virus, but also from end users that are concerned they have got the virus when they don't," Heiser said.

E-mail systems still produce these notifications, however, and administrators just don't have time to deal with them, according to Clark: "It is the last thing on people's minds. Administrators are too busy dealing with viruses that get into their systems, and they don't see these bounce-back e-mails. It is not a high priority," he said.

Heiser believes that the autonotification feature may have worked as an incentive for virus writers to use e-mail spoofing to give their viruses more time to infect users: "[Spoofing] is a preventive mechanism that the virus writers put in, partly because users were being notified that they had been infected too early. This buys the virus more time to spread," he said.

Both Heiser and Clark urge administrators to disable the feature immediately.

Munir Kotadia of ZDNet UK reported from London.