Symantec United States
global sites
products
purchase
service and support
security updates
downloads
about symantec
search
feedback


©1995-2014 Symantec Corporation.
All rights reserved.

Legal Notices
Privacy Policy

security updates

What is an .enc detection?


Last Updated on: November 17, 2004 05:02:50 PM GMT
 

In some cases, Norton AntiVirus detects a threat and adds the extension ".enc" to the name of the detection. For example, if a computer has received email infected with W32.Nimda.A@mm, you may also see a detection for W32.Nimda.enc.

The .enc detection is actually a detection of header information or encoded script which can be contained in an email message. The detection of an encoded script is the result of the script using a vulnerability that affects some versions of Microsoft Internet Explorer, and therefore Microsoft Outlook and Outlook Express. This vulnerability, if not patched with a Microsoft program update, allows a virus, worm, or Trojan to be executed just by reading or previewing the email message. Information on this problem, which is known as a MIME header exploit, can be found at:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp


How it works
The following is a typical--but not the only--scenario:

  1. You receive an email message that has an infected attachment. You have current virus definitions, and the preview function in Microsoft Outlook or Outlook Express is enabled.
  2. Depending on your version of Norton AntiVirus (NAV) and your program settings, NAV detects the infected attachment either after it is downloaded or when the attachment is executed. (If you are using an unpatched version of Internet Explorer, it could be executed without your knowledge.)
  3. NAV detects the infected attachment and deletes or quarantines it. The message, which still contains the (non-infectious) header information, is not deleted.
  4. Each time that you select the previously infected message in your email program, NAV detects the header as <name of threat>.enc.

How to fix the problem
  1. Make sure that you have updated your version of Internet Explorer, or that you are using a version that includes the update. For additional information, go to the Microsoft Web page:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
  2. Note which message is causing the alert.
  3. Turn off the preview function in Microsoft Outlook or Outlook Express:

    NOTE: The following is provide for your convenience. The steps may vary, depending on your version. For additional information, read the product document or online help.
    1. Click "Ignore the problem and continue with the infected file."
    2. Do one of the following:
      • In Microsoft Outlook, click the View menu, and then make sure that the Preview Pane menu item is not selected.
      • In Outlook Express, click the View menu, and then click Layout. Uncheck Show Preview Pane.
    3. Open the Inbox, right-click the infected email, and then click Delete.
    4. Right-click the "Deleted Items" folder, and then click "Empty Deleted Folder."
    5. Turn on the preview pane option, if desired.


Write-up by: George Koris