Helping people with computers... one answer at a time.

Scanning your email for malware in real time as it downloads to your machine sounds like a great idea - until you start losing email.

You've said you're not a big fan of real time email scanning ... can you tell me why? Is there another way to scan it?

I base that mostly on the problems I see reported here that are solved by turning real-time email scanning off and using alternatives instead.

The tools have certainly gotten better over time, and it does feel like I'm seeing fewer problems, but fewer isn't the same as none at all.

I'll describe what I mean by real time scanning, the problems that it's known to have I've seen it introduce, and the alternatives I prefer.

Real Time Email Scanning

To me "real time" email scanning is exactly what the term implies - email is scanned for viruses in real time as it's being downloaded into your email program. If a virus is detected that specific email is marked or disposed of in some way.

It sounds ideal - with it turned on presumably you can trust that if something actually was allowed to make it into your inbox by the scanner it's likely to be malware-free.

"One of the most important skills you can develop as an internet user is the ability to detect suspicious emails."


Unfortunately, I've seen too many cases of these scanners running amok.

Real Time Email Destruction

The most common scenario I hear about sounds like this: "all my email is being deleted as it's downloaded".

That's almost certainly a real-time email malware scanner gone berserk. For whatever reason it's decided that every piece of email you're getting contains malware or is spam. As a result it's dutifully deleting them.

Every piece of email you're getting.

This is easily confirmed by turning that "feature" off in your anti-malware or anti-spam tool, and suddenly subsequent email resumes normal delivery.

Real time scanners have been implicated in more random email loss, email display issues as well as email program crashes.

As I said, I appreciate the concept, but the failures are still too common and the nature of the failures too severe for me to feel comfortable with them. Turning the feature off still corrects too many problems.

The Alternatives: Common Sense and On-Demand scanning

One of the most important skills you can develop as an internet user is the ability to detect suspicious emails. You know the drill: bad grammar, asking for private information and passwords, selling you suspicious merchandise or posing improbable scenarios. Those are all things you should be able to identify yourself without the need of some add-on tool.

And then there are attachments.

Naturally it's very easy to say "don't open attachments that you don't expect, or that you aren't 100% certain of".

On the other hand, to paraphrase a friend, if you get an email promising you that the attachment has dancing bunnies, you're probably going to do whatever it asks just so you can see the dancing bunnies.


Scan the attachment first. Save it to disk, and then run your anti-malware tool(s) on the contents of the folder you saved it to.

If you like, exit your email program and instruct your anti-malware tools to scan all of your mail.

That on-demand scan doesn't interfere with your email program if the email program's not running. It's not going to prevent mail from being delivered because it's already been delivered.

It's simply going to scan the files already on your disk.

And presumably warn you if those bunnies will bite.

My Recommendation

My bottom line recommendation is this:

  • Turn off real-time email scanning in your anti-malware tools

  • Learn to spot and avoid malicious emails, even if - heck, especially if - that means you'll miss out on some dancing bunnies

  • Run on-demand scans for anything you think might be suspicious, but that you can't resist opening

  • Run a daily full scan of your machine for anything that might slip through. I do this at night when I'm not using the machine.

And if you do leave your real-time mail scanner enabled because you've never had a problem - you might at least suspect it if suddenly email starts getting deleted out from underneath you.

Article C4715 - January 20, 2011 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

1 Comment
January 25, 2011 6:09 PM

Thanks Leo for this excellent article. Not only do I wholeheartedly agree with the points you made, I've practised this for years.The main reasons why I stopped realtime scanning for viruses and spam were exactly what you mentioned - deletion of email or extremely slow downloading of the mail into my email client.If there was a suspect email, it would get "stuck" and prevent the rest of the mail being downloaded (this was with Norton AV).Quite similar to an email being stuck in the Outbox and preventing other mail from being sent.I figured there had to be a better way and turned off all email scanning. To be honest ,a lot of my friends declared me crazy for doing so, but I started using an email pre-scanner like POPPeeper and others.
In addition I use Sandboxie.With this I can either run the email client sandboxed or if webmail, the browser will be sandboxed and even if I were to download an infected attachment, it stays sandboxed even if I run it - so nothing really gets into my system.
To me that's the way to stay safe.
Your point about safe practices is well taken ,because it's your first line of defense.
However, with the tools that I use ,it becomes less critical, because of the sandbox protection.BTW ,if a malicious attachment were to be executed in the sandbox , my AV (Avira) will pick it up immediately even tho it's not on my real system yet.On occasion I've let it run to see what would happen and in some cases some "real" havoc was created, but it all stopped when I deleted the sandbox.One example would be the fake Antivirus 2010 which a lot of people got on their computers by clicking on a link and then had a lot of trouble removing it. I ran this on purpose and when I was done "playing" ,just deleted the whole sandbox leaving no trace of the malware on my system.
Just my approach ;)

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.