Symptoms
While TeamViewer Endpoint Protection was scanning the Outlook archive (.pst or .ost), it detected one or more attachments as malware and marked them as Infected.
Diagnosis
Malware sent in Outlook is fairly common these days. Small and medium-sized businesses receive many targeted or mass malware campaigns on a weekly basis.
Historically, Microsoft improved Outlook to allow security vendors to clean malware in Outlook archives. However, due to the old implementation of how OST and PST files work on a Windows system, removing malicious attachments is sometimes not possible.
The possible causes for malware that cannot be removed from Outlook archives (.pst or .ost) are:
- TeamViewer Endpoint Protection was recently installed on the system and the Outlook archive contains older attachments which were corrupted by another security solution in the past. In this situation, the file hash is still present while the content is not there anymore.
- The Outlook archive is older than 1 year and it was never compacted. While the .ost and .pst data structures are very efficient for e-mails, they are not as efficient when it comes to attachments.
- The detection occurred in a secondary archived e-mail account which is not being used that often by the user.
- TeamViewer Endpoint Protection Outlook add-in is not active on that system and the scanning engine did not have the proper rights to delete the infected attachment.
- The detected attachment is a type of malware for which the signatures available at that time do not yet include cleaning routines.
Solution
We are always improving our methods for dealing with malware attachments in OST and PST archives, and we rely on your feedback and reports to further improve them.
You can perform the following actions to clean/remove the infected malware attachment from Outlook.
1) Open Outlook on the detected device and search for the detected e-mail and delete both the e-mail and the attachment.
- The subject of the e-mail will be reported in the Threat detail dialogue.
2) If you cannot find the e-mail in question, please compact the archive and trigger a scan on the PST or OST archive with Outlook closed.
- In this situation, the scanning engine will have all the necessary rights to remove attachments due to the fact that Outlook does not have the archive open.
- PST and OST compact/cleanup/compress Operation: Microsoft Knowledge Base article
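A pre-scan check for step 2, as an added PowerShell example that is not part of the original article or of TeamViewer's tooling: it confirms Outlook is closed and that no other process still holds the .pst/.ost files open before you trigger the scan. The folder paths are Outlook's default data file locations and are an assumption; adjust them if archives are stored elsewhere.

```powershell
# Added example: verify that the Outlook archives are not locked before scanning.
# Assumption: archives live in Outlook's default folders listed below.
$folders = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'),
    (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Outlook Files')
)

# Outlook must be closed, otherwise it keeps the archive open and locked.
$outlook = Get-Process -Name 'OUTLOOK' -ErrorAction SilentlyContinue
if ($outlook) {
    Write-Warning "Outlook is still running (PID $($outlook.Id -join ', ')). Close it before scanning."
    return
}

# Collect every .pst and .ost file from the folders that exist.
$files = foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.pst', '.ost' }
    }
}

foreach ($file in $files) {
    $status = 'Ready for scan'
    try {
        # An exclusive open succeeds only if no other process has the file open.
        # The file is opened and closed without writing anything to it.
        $stream = [System.IO.File]::Open($file.FullName, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $stream.Dispose()
    } catch [System.IO.IOException] {
        $status = 'Locked by another process'
    } catch [System.UnauthorizedAccessException] {
        $status = 'Access denied for current user'
    }
    [pscustomobject]@{
        Path         = $file.FullName
        SizeMB       = [math]::Round($file.Length / 1MB, 1)
        LastModified = $file.LastWriteTime
        Status       = $status
    }
}
```

Run it in the affected user's session; any archive not reported as "Ready for scan" is still held open or not writable, so the scanning engine is unlikely to be able to remove the attachment from it.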
If the first 2 operations failed, please get in touch with our support for further investigation into the situation. Create a ticket
- Mark your Subject: Outlook Malware - cannot find attachment
- Attach a copy of the threat details from the Management Console and the path of the infected item.
- If you want to send a file for analysis please archive it as zip/rar and password protect it with the password: infected.