Protecting Microsoft Outlook against Viruses

Viruses can involve Microsoft Outlook in several ways: 

  • A user opens a virus-infected attachment received via an Outlook e-mail message. Because this is the most common way viruses spread, many system administrators block certain attachments at the server or use the Outlook Email Security Update to block such attachments at the client.

  • Messages exploiting certain vulnerabilities in HTML mail can force a malicious file attachment to run even if the user only views it in the preview pane or opens the message. Getting the latest patches for Internet Explorer provides protection.

  • Because of Outlook's easy-to-use programming model, viruses can propagate themselves by reading the Outlook address books and sending new virus-infected messages to everyone found there. However, virus developers seem to be aware of the new security provisions in Outlook, because the latest viruses have included their own SMTP engine to send messages, thus avoiding Outlook's security prompts.

  • This page provides information on how to protect your computer from Outlook-related viruses.

    About the "!0000 with no email address" technique: The message circulating that you can protect against email-borne viruses by adding a contact with the name "!0000" and no email address or your own email address is a hoax. The technique does not protect you. For one thing, adding a contact with no email address ensures that the contact does not appear in the Outlook Address Book at all, so the virus would never see it. Adding your own address just means you'll get a copy of whatever message the virus sends -- if it uses the address book. However, viruses don't need to bother with address books. Some of the latest harvest addresses from other sources on your system, such as cached web pages. See 0000 trick (or !0000 trick) to confuse viruses/worms for more information.

    Outlook Client Protection | Scanning for File Attachments | Confirming File Transmissions | Other Tools | More Information

    Outlook Client Protection

    To protect your machine from becoming infected with a virus received via Microsoft Outlook, you should:

    Install the latest service packs and updates for your version of Outlook

  • Outlook 2002 -- Service Pack 3
  • Outlook 2000 -- Service Pack 3 (note potential problems for Internet Mail Only users) for greatest protection. If you do not want the Outlook E-mail Security Update, then at least install Office 2000 Service Release 1/1a.
  • Outlook 98 -- Outlook E-mail Security Update (see additional information below) for greatest protection. If you do not want the full security update, then at least install the Attachment Security Update .
  • Outlook 97 -- Service Release 2 plus the Outlook 97 Email Attachment Security Update
  • Update Outlook, Internet Explorer, and other Windows components

  • Update Internet Explorer to a "safe" version with all the latest HTML vulnerability updates.
  • Install additional updates that protect against HTML mail exploits.
  • Install a patch for Media Player 7 to protect Outlook from a denial of service attack via a rich-text format message. See Patch Available for OCX Attachment Vulnerability.

  • Tighten e-mail attachment security

  • Block additional file types by adding extensions to the Level1Add key.

  • Consider installing the Outlook E-mail Security Update. We do not recommend this patch for all systems. Do not install it unless you read the documentation and understand what it will do to your add-ins.

    If you install the Outlook E-mail Security Update, you may also want to install these updates that depend on it:

  • If you use both Outlook 2000 and Word 2000, install the Word 2000 SR-1 Update Mail Command Security to block possible unauthorized sending of messages through the plain text or HTML WordMail or "Office envelope" feature.

  • If you use Outlook 2000, install the Microsoft Outlook CDO Security Update to apply the same level of security to the Collaboration Data Objects programming interface.

  • If you use Outlook 98 and need to restore CDO for use by forms or applications, install the Microsoft Outlook CDO Security Update.

  • Block .eml attachments. See Outlook Does Not Restrict Access to EML Attachments.

  • If you choose not to install the Outlook E-mail Security Update, take these steps:

  • Install the Attachment Security Update for Outlook 97 or Outlook 98 or install Office 2000 Service Release 1/1a (SR1). SR1 includes a feature to extend attachment security protection to any type of file. 
  • If you are using Outlook 98 or Outlook 2000, increase the security for HTML mail by following these additional steps to control the security zone for Outlook messages:

    1. Use Tools | Options | Security to set the security zone for Outlook HTML mail to Restricted Sites
    2. Click the Zone Settings button, then OK.  
    3. Select Custom, and then click the Settings button.
    4. On the Security Settings dialog box, choose Disable for all options under these headings: 
  • ActiveX Controls and plugins 
  • Scripting
    1. Click OK three times to save the updated security settings. 
  • You may also want to tighten scripting even in the Restricted Sites zone. See Outlook Does Not Restrict Access to EML Attachments.
  • See Scanning for File Attachments for more ideas on tightening e-mail attachment security.
  • Practice good anti-virus safety

  • Never open a file attachment that you did not expect to receive.
  • Install an anti-virus program, keep it updated and scan all attached files before opening them. Remember that an anti-virus program may not protect you against the very latest viruses. It may only be as good as your last update.
  • Other optional protection ideas

  • You may want to tighten the ability of Windows Script Host to run scripts on your system.
  • On Outlook 98 and 2000, you may also want to use Chilton Preview, rather than the built-in preview pane, because Chilton Preview does not support HTML mail and, therefore, does not leave you vulnerable to a malicious HTML mail message.
  • You can use VBA code in Outlook 2000 or 2002 to convert all incoming HTML messages to either rich text or plain text. See To convert incoming HTML messages to Outlook Rich Text or plain text format.
  • Configure Outlook 2003 to display all messages in plain text. Tools, Options, Preferences, E-mail Options and check the box to Read all standard mail in plain text.
  • Use the Microsoft Personal Security Advisor to check for issues with permissions, hotfixes and other possible security vulnerabilities.
  • Back to Top

    Scanning for File Attachments 

    Instead of blocking certain file attachments, you may want to look at these methods of controlling what happens to attachments.

  • The Outlook Rules Wizard (and other automatic processing tools) can move all messages containing file attachments for a separate folder for later review.
  • ExLife and CaSaveAtt from Ornic can extract attachments from incoming items and save them separately as system files, where your virus scanner can examine them.
  • With Outlook 2000, you can write code to move incoming messages containing file attachments with certain extensions (.vbs, .exe, etc.) to a separate folder for later review. See To quarantine application file attachments with Microsoft Outlook 2000 VBA for sample code. 
  • ScriptCheck is an Outlook 2000 COM addin that notifies users of script file attachments in the Inbox
  • Also, make sure you know what type of file is actually attached. Some viruses use a double file extension, such as .jpg.vbs. If Windows is set not to show the extension for known file types, the recipient will see the attachment listed as a harmless .jpg file, not a potentially dangerous .vbs file. The solution is to use Tools | Folder Options or View | Options, depending on your Windows version, to change the setting to show extensions for all files.

    Back to Top

    Confirming File Transmissions

    If you are concerned about viruses that use Outlook to propagate, you may want to require confirmation of all outgoing messages that contain file attachments. For a code sample, see: 
  • To require confirmation when sending file attachments (Microsoft Outlook 2000 VBA)
  • Another approach is to set up Outlook not to send mail automatically. For Exchange Server users, this means setting up offline folders, working offline and synchronizing periodically. For Internet mail users, the exact settings depends on your version of Outlook, mode and Internet connection type, but you'll generally find the right options in Tools | Services, Tools | Accounts or Tools | Options.

    Note, however, that the latest viruses include their own SMTP engine for sending mail, so these techniques may not actually block virus propagation.

    Back to Top

    Other Tools

    Most versions of Outlook provide a way to filter largish incoming messages. See Download limits to combat Swen for details on this anti-virus tip.

    If you want to provide protection at the server level, as well as on the client, these tools can help: 

  • Anti-virus Tools
  • Content Control Tools -- attachment filtering, among other techniques
  • Other miscellaneous tools:

    EZ Armor Blocks .vbs, .exe and other executable files from being launched from inside Outlook or other e-mail programs. You can still save the attachment and launch it from the file system. Reduces the risk of a virus spreading via e-mail by monitoring all attempts by external programs to generate mail.  
    FXRGCONF Free tool to scan the Windows registry and either reset the registry entry for applications so that Internet Explorer or Outlook prompts you to Open or Save As a file or give you a list of file types and their current setting.  
    JustBeFriends An alternative to Microsoft's Outlook E-mail Security Update, this tool prevents the spread of e-mail borne viruses by controlling the ability of other applications to access Outlook. Works with all versions of Outlook. Requires Windows NT or Windows 2000. 
    NoHTML Outlook 2000 and 2002 COM add-in that works much like our ZapHTML code, stripping HTML content as a user switches from one message to another. Note that Outlook 2002 SP-1 has a similar feature.
    Reflex ScreenMail for Outlook Removes active components, such as scripts, and closes known Internet Explorer vulnerabilities in HTML messages. Scans all attachments with any anti-virus tool available on the client. (Ships with the Reflex Sherlock anti-virus scanner.) Displays a special warning when executable files are found. Scans signed and encrypted messages.
    Watch Your Back Tool to strip HTML content and manage read receipts in incoming messages.

    ZoneAlarm Pro

    Monitor and screen potentially harmful attachments, including .exe files.  See ZoneAlarm Pro MailSafe for more information. Also controls Internet access by programs, such as viruses with their own SMTP engines.

    Back to Top

    More Information

  • How to configure Outlook to block additional attachment file name extensions
  • Viruses Affecting Microsoft Outlook
  • OL2000: Security Zones in Outlook 2000  
  • Description of Internet Explorer Security Zones Registry Entries
  • How Active is Active Content in Email? (NTBugTraq)
  • Update to "A Viral Survival Checklist" (Exchange Administrator)
  • Are Microsoft ActiveX controls dangerous? (The Register)
  • Virus Protection for Messaging -- Microsoft online seminar
  • GFI Email Security Testing Zone -- sends harmless messages to your computer to test various email vulnerabilities
  • SANS Top 20 Vulnerabilities -- Outlook is #8 on the Windows list
  • This page is printer friendly
    Updated Feb 14 2009

    Copyright Slipstick Systems. All rights reserved.
    Send comments using our Feedback page

    Home | What's New | Exchange Server | Outlook | Utilities | Bookstore
    About Slipstick | Feedback | Privacy Policy | Site Map | Archived Pages | Link to Us | Advertise