I just installed an email application for the first time and sent a standard base64 MIME encoded eicar.com file as a Virus Test to see how I am doing so far…
Congratulations… this newbie now has a Virus Test File sitting on his hard drive that got past Avast 4.7 Home Edition without a whimper…
“The avast! package contains the Mail Protection Wizard that can be used for easy settings of mail protection. This program can be started via Start button on Windows taskbar, Start → Programs → avast! Antivirus → Mail Protection Wizard.”
Thanks Tech. I’ve done a bit of searching and I had better say right now I am using Windows 2000 - fully updated. However, Avast has been installed for about three weeks. About one week ago I installed XP 64-bit as a secondary operating system (running OK but I’m too busy on W2000 to have had much time on it yet). And it is only yesterday that I installed Thunderbird.
According to my searching in this forum so far, the Mail Protection Wizard should be in my Start Menu, but it ain’t.
Resident Scanner says ‘Standard’ but surely a standard eicar test should trigger it? There was a large list to choose from and I chose what looked to be the most simple test to start off with.
ahh… Internet Mail: “the provider is currently running” “scan inbound mail” = enabled sensitivity “normal”
man, I only just found this after two days at it! I don’t want to be judgemental but there does seem to be a lot of stuff scattered everywhere in Avast. The Help isn’t accessible from the System tray either. Anyway, that’s just how a newbie is seeing it…
Getting back to my virus, it looks like it’s scanning but not getting the very basic test to me.
I assume that you sent it as an attachment, try saving the attachment to your HDD. Thunderbird (sorry I don’t use it) has a different method of storing emails and that can and does cause some problems, like if a virus isn’t found on the way in and you do an on-demand scan avast might find it in the email folder and in trying to remove it, avast can’t extract the infected email part of the folder and can delete the whole file, losing all email in that folder. This is on the FAQs for Thunderbird not to use the inbox for general storage as this can happen with many AVs.
I don’t know how avast would deal with an encrypted (base64 or otherwise) infected email/attachment, after all that is the whole point of encryption is to secure the email. I would expect until it is decrypted it won’t be detected, that is why I suggest saving the attachment to your HDD as that should remove the encryption?
Try it on a standard email attachment and see what happens.
Right click the i-icon in the system tray, then click “What is avast! VRDB?”. This will open the help file on that topic but it’s easy enough to navigate from there.
The location for the help file is C:\Program Files\Alwil Software\Avast4\ENGLISH\HELP\help.chm; you can also create a desktop shortcut for it.
You can also use the windows Start, All Programs, avast! Anti-virus, Help.
Thunderbird (sorry I don't use it) has a different method of storing emails and that can and does cause some problems
Sorry David, I do use Thunderbird and I am very familiar with its internals and workings and your comment is completely without foundation.
Base64 encoding is not about encryption or security. All (well almost all) POP3 non-text email attachments are base64 encoded in billions of emails around the world every day. Base64 encoding is what makes it possible to make a binary file attachment look like regular numbers and letters and able to send them through the old as dirt SMTP protocol that was really only designed to transmit text. Avast knows all about base64, it caches the attachments, decodes them to turn them back into the real files and thoroughly scans the real files just as it would any other file.
I recently spent quite some time sending every available eicar virus format I could find through to Thunderbird (1.5.0.4) … and avast caught every one of them with the IM scanner setting at normal.
Getting back to my virus, it looks like it's scanning but not getting the very basic test to me.
Can you tell us how you know it is being scanned - are you seeing the number of messages scanned in the Internet Mail scanner increasing? Are you seeing the subject line of the eicar message recorded in the scanner?
I am just wondering how you are getting the eicar message delivered to Thunderbird at all when most major ISPs and mailing services include virus scans that will prevent even the eicar virus from being delivered.
Could it be that the connection you used to deliver the eicar message from the mail server was a secure session? Those cannot, by definition, be intercepted by avast to scan the messages and, if not stopped at the mail server, will be delivered to the Thunderbird messages store (or that of any other mail client for that matter).
Last but not least, I suspect this is a very short mail message. Could you capture the view of the message source in Thunderbird (select message then View > Message source) … obscure any personal details of yours and then post the result here, if not all of it then at least the message headers?
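Added example (not part of the original posts and not avast's code): the point above that base64 is a transport encoding rather than encryption, shown in Python. The signature bytes, addresses and message are constructed for illustration; searching the raw wire bytes misses the attachment, while decoding the MIME part first exposes it.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a scanner signature (not a real test-file string).
SIGNATURE = b"CONSTRUCTED-AV-TEST-SIGNATURE"


def build_sample_message() -> bytes:
    """Constructed sample: a mail with one binary attachment, as it travels over SMTP/POP3."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Virus Test"
    msg.set_content("Test file attached.")
    # Binary attachments are base64-encoded by default so they survive a text-only transport.
    msg.add_attachment(
        b"\x00\x01" + SIGNATURE + b"\x02\x03",
        maintype="application",
        subtype="octet-stream",
        filename="testfile.com",
    )
    return msg.as_bytes()


def scan_raw(wire: bytes) -> bool:
    """Naive scan of the undecoded message: the signature is hidden by the encoding."""
    return SIGNATURE in wire


def scan_decoded(wire: bytes) -> list[str]:
    """Parse the MIME structure, undo the transfer encoding, then scan each attachment."""
    msg = message_from_bytes(wire, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # reverses base64; no key is involved
        if payload and SIGNATURE in payload:
            hits.append(part.get_filename() or "<unnamed>")
    return hits


if __name__ == "__main__":
    wire = build_sample_message()
    print("raw scan hit:    ", scan_raw(wire))
    print("decoded scan hit:", scan_decoded(wire))
```

Decoding needs no secret, which is why a scanner that sees the plaintext POP3 stream can inspect the attachment; it only works if the scanner sees that stream at all.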
I clicked on the attachment in the inbox today and of course Avast got it straight away. The Standard shield now has an infected count of 1.
So, I sent the eicar again this morning to the same Yahoo! account (Ypops running as well). Clicked on Get Mail in Thunderbird and there it is in the inbox again.
Internet Mail scanner is currently:
Sensitivity = Normal
POP Scan Inbound Mail = Enabled
Scanned count = 0
Infected Count = 0
…maybe it isn’t scanning after all…?
I have attached a .png printscreen of Thunderbird inbox with eicar full message.
Dave: Thanks for the Inbox non-storage tip… Priceless info!
and mauserme: Thanks for the post but my whinge was really from the programmer’s viewpoint - I just thought it was a bit stingy to allocate two full lines in a very full system tray menu to ‘Upgrade to Professional…’ and leave us to ‘navigate’ heaven knows where (newbie) to find Help - If I can get it set up to work OK it looks good but I just think the whole thing needs pulling together a bit more, imho. Settings and Scanner look like two different applications for instance - I’m not continuing the whinge, I am on ur side, just explaining. lol
After roaming through the Ypops forum and Thunderbird forum I changed the port on Thunderbird accounts and Ypops to 111 from 110 (default) and changed the SMTP port on both to 26 from 25 (default) - I then sent the same virus to the same email address again and it got through Avast and is now sitting in the inbox in Thunderbird.
avast, by default, scans only 110 and 25 (the default ports).
In order to scan communication on other ports, you need to set them in the ‘Redirection’ page of settings of the Internet Mail provider and boot.
thanks Tech - I changed the settings to 111 & 26 in the Internet Mail / Redirect… rebooted the computer… sent the same eicar test to the same email address… started up Thunderbird, downloaded email…
Are you using SSL communication? Which is your email server, I mean, what do you have after the @ on your email address?
Doesn’t avast detect any of the eicar files? Or it just does not detect the archive files of the eicar ones?
I have no idea what SSL communication is.
email server is in top left corner of the .png 5 posts back
Internet Mail Scanner:
Scanned count = 0
Infected Count = 0
If I click on the attachment in the downloaded email (that hasn’t been scanned) in the Thunderbird inbox Avast then gives the Alert and deals with it.
It’s not possible to scan SSL (Secure Socket Layer) connections. Avast mail scanner doesn’t support SSL (Secure Socket Layer) connections.
But take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.
Since SSL/TLS e-mail is encrypted and decrypted in the client, external virus scanners (including avast!) can’t read or scan it.
The solution is to pass e-mail in and out un-encrypted from your client (Outlook Express, Thunderbird, …) to a proxy program (Stunnel) that does the actual ssl or tls encryption/decryption of the pop3/smtp e-mail and communicates directly with the ISP server on the appropriate ports. Other drivers (OpenSSL) are needed as a library of encryption/decryption routines. Stunnel now comes as an installer which installs Open SSL and Stunnel so now you just have to download the installer version from here: http://www.stunnel.org/download/binaries.html
Thanks for all your help Tech but that isn’t what I am looking for. I didn’t come here looking for a developers forum. I came here looking for a forum on what I thought was a straightforward Anti-Virus / email scanning problem. I am a programmer myself and if I gave you some of the stuff I work on you would get a headache I guarantee it.
I want something I can look at and trust without thinking about it. I’ve never used an email client since I started using email in 1994, preferring to stick with the relative safety of Web based email. I never had an email on my hard drive before two days ago. I thought I would take a look see at Thunderbird.
What a nightmare.
Many Thanks all for your time but I might be gone some time…
SSL communication is an encrypted connection to the mail server. Such a connection cannot be scanned - because it’s encrypted. So, it’s quite important to know… I’m not familiar with Thunderbird, but I’m sure there must be an option for SSL (or secure, or something like that) somewhere in the account configuration.
Like tech and igor mentioned, the mail scanner does not support SSL transactions. Along with igor’s suggestion of turning off SSL in Thunderbird’s configuration box, you could also try using Outlook or Outlook Express (or another non SSL client) if you still want to (take another chance and) retrieve your email through POP3.