Avast destroyed over 4k Mails

Today I made a full search with Avast! Free (ver 180413-4) and after a while it found something, and because I don't want to wait forever I stopped the search. It found 3 problems, all within my Thunderbird Inbox and older versions of it. Detection was “HTML:Facebook-A[Phish]”. I would have ignored it, because I can look after myself in regard to phishing, but THE ONLY OPTION AVAST GAVE ME WAS AUTOMATICALLY. And that led to the “move” of my ENTIRE inbox to the virus-container, where it NEVER ARRIVED. So now about 3000 Mails are simply GONE except the title, which is saved in another file. Another number of mails is unreadable garbage. In total I LOST 4042 mails over that, and my most recent backup is gone as well because I shifted it to this PC for a short period of time.

Using Win8.1.

I used Avast! for over 10 years and have seen some mistakes and ridiculous false positives over the years; I still stayed with you. But this is outrageous! Your software simply destroyed my EMails with an action that should have been reversible! Even using Recuva doesn't help because Avast! completely DESTROYED all data.
So my question is pretty simple. Is there a way to get what's in the virus container? I want my data back that your retarded garbage software destroyed. I can't say it any other way because I'm really pissed right now! >:(

If you set your mail client to leave mail on server, then you always have a backup at your mail provider that you can access using webmail.

@ fh…
Open AVAST & go to > Protection > Virus Chest.
Hopefully, your emails will be there & can be recovered.

Regs, Mike…

Well, setting TB to leave server-mails won't help me now. I contacted my mail provider and they restored all they had. Not much, but at least something.

@Mike23: the Virus Chest contains 3 false positive .exe files, but not my Inbox. Despite the report saying that the Inbox was moved to the chest.

Is there a way to dump all content of the Virus Chest into a folder or something? Maybe the transfer didn't finish but the bulk is still there.

Dumping the virus chest even if it were possible wouldn’t help, the contents of the virus chest are encrypted (and renamed), unless it is avast restoring the files then they would remain encrypted.

Email folders aren’t like normal explorer folders. I believe they are more like database files that contain the emails in that email folder. See attached example of my Thunderbird folders when viewed in windows explorer. Notice the ‘Inbox’ file (it doesn’t actually show a file type), that is I believe the database file where the individual emails are contained.

You don’t actually see individual emails, but on a scan avast can see within that file and report anything it detects. It may well try to send the email to the virus chest according to your settings or choice. If it can’t extract the file from the inbox file to send to the virus chest then it would try the second or third option in your mail shield settings.

The likelihood is that one or other of those options would try to send it to the chest and if that fails the next option may be deletion of the archive file containing the detected email. And now your inbox file would go. But it looks like that failed as you don’t see it or any email in the virus chest. Even if it were in the virus chest and elected to restore it, that too I believe would fail as it doesn’t really know how to fit it back into the database file.

Personally, on-demand scans are of little benefit and there are quirks involved also, as outlined above.

  • With a resident (on-access) scanner the need for on-demand scans is much depreciated. For the most part dormant/inert files are being scanned, the other active files are going to be scanned by the resident shields when they are activated.

See my Mail Shield settings - I don’t believe they are defaults - I don’t allow Avast to take any autonomous action, so my first Option is to Ask and the second, if that fails (almost impossible), is to take No Action.

Notice the bit about Archives; said Inbox is in effect an Archive (multiple things stored within one file), so if you have the option to remove the whole containing archive if it fails, you have just lost your inbox.

@DavidR: thanks for the answer. As far as I have seen, you can open the Input and other Mail-Database-Files with a simple text editor, as the information is stored in plain text. I was able to restore some data from an old backup, but the newest (which I overwrite every now and then) has been destroyed by Avast! as well >:(

I do on-demand very rarely, especially to that extent like today. It was a file scan, so the Mail Shield wasn't really involved. I wanted to change the action Avast! should make, but even clicking repeatedly on “Automatically” didn't allow me to change the selection or show a list of options for that matter. Beats me why Avast! can't show that, shouldn't happen. >:(
Mail/Filesystem-Shield Auto apparently means Repair->Chest->Delete. Since it shows in the report “Moved to Chest. Successfull” I guess Avast failed 3 Times!!! with a simple action. >:(

Also besides the file being several hundred MB Avast should not just completely delete it like it did. That is just retarded. Either it should cut out the detected part (like 1 message) or move the entire file to the Virus Chest. >:(

I have been scanning with different recovery tools but so far didn't find intact data to recover. I'm searching all my drives if there is a more recent backup, but I don't think I have much luck. >:(

No, David - “Inbox” is no database but a simple text file including all messages, “*msf” files contain pointers to each start of message. Copy “Inbox” and add the extension “.txt” …

@TO
Do you have a backup of your messages? Replace it to the proper place in your TB-profile.
You should hold your Inbox as small as possible & shift mails to other objects like family, common, hobby etc.; so a damage between AV software & mail program will be restricted. Example: my inbox contains about 50 mails; not more. And just this may be too much in an error situation - I’m lazy…
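
Added example, not part of the thread and not code from any poster or from Thunderbird: because the Inbox file is described above as one plain text file holding all messages, a copy of a partly damaged file can be walked message by message and the intact ones kept. The sample bytes and the function names `split_mbox` and `salvage` are constructed for illustration, and the sketch assumes every message starts at a line beginning with "From ", as in mbox files.

```python
import email

# Constructed sample in mbox layout: message 2 was overwritten with garbage.
SAMPLE = (
    b"From - Sat Apr 14 11:00:00 2018\r\n"
    b"From: alice@example.com\r\nSubject: Invoice\r\n"
    b"Message-ID: <1@example.com>\r\n\r\nBody one\r\n\r\n"
    b"From - Sat Apr 14 11:05:00 2018\r\n"
    b"\x00\x00\xff\xfe garbage \x00\x00\r\n\r\n"
    b"From - Sat Apr 14 11:10:00 2018\r\n"
    b"From: bob@example.com\r\nSubject: Photos\r\n"
    b"Message-ID: <3@example.com>\r\n\r\n>From the beach\r\nBody three\r\n"
)

def split_mbox(raw):
    """Yield one raw chunk per message; a line starting with 'From ' opens a new one."""
    chunk = []
    for line in raw.splitlines(keepends=True):
        if line.startswith(b"From ") and chunk:
            yield b"".join(chunk)
            chunk = []
        chunk.append(line)
    if chunk:
        yield b"".join(chunk)

def salvage(raw):
    """Return (intact_messages, damaged_count) for the bytes of an mbox file."""
    intact, damaged = [], 0
    for chunk in split_mbox(raw):
        # Strip the separator line, then parse the remainder as a mail message.
        body = chunk.partition(b"\n")[2] if chunk.startswith(b"From ") else chunk
        msg = email.message_from_bytes(body)
        has_headers = msg["From"] and (msg["Message-ID"] or msg["Date"])
        if has_headers and b"\x00" not in chunk:
            intact.append(msg)
        else:
            damaged += 1
    return intact, damaged

if __name__ == "__main__":
    good, bad = salvage(SAMPLE)
    print(f"{len(good)} intact, {bad} damaged")
    for m in good:
        print(" ", m["Subject"])
```

Run something like this only against a copy of the file, with the mail client closed, so the profile original is never touched.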

It is more that I believe it is being treated as an archive it won’t be using the .msf file to strip it out (or for that matter to put it back if restored from the chest) and how would this stripped out email be stored in the virus chest, it isn’t a file, but part of a file.

The inbox has always been a bit of an issue (not just for Avast) if you have a system crash open files are at risk of corruption. And if you have your email program open generally the inbox is open.

Currently my inbox is probably as large as it has ever been (image shows 12MB ish) I used to be very active in moving emails to other folders depending on content. If I lost the inbox it wouldn’t be that big a deal, not to mention I do weekly drive image backups.

I also do a daily backup (often several times a day) for more volatile files, and this includes thunderbird, …\Application Data\Thunderbird so I have it pretty well covered for any eventuality. I have always been a belt and braces guy with a robust backup and recovery strategy, many don’t until they actually experience a problem.

Okay, got hold of an older backup and was able to restore two thirds of lost data.

@DavidR: even if I had it in another folder, that one would have been destroyed. And an Antivirus shouldn't destroy data that's not virus. Regarding backups: two instances of backups were destroyed by Avast! while killing the primary file. >:(

The whole situation is extremely shit, and while part of the lost data is still in replied messages in the outbox, received files are gone. >:(

Basically I can live with rare false positives that are reversible, and with the memory leak a few years back, and the annoying “unprotected”-bugs last year or so (even if these things shouldn't happen). But this time I have to ask how far I can trust Avast! at all. I mean, that was not just one mistake, but a ton of them. The acclaimed Message was not detected when creating backups, receiving mails, or in previous scans. Now all of a sudden there is a phishing Mail, that Avast! has to handle (but why?! it's not virus, just phish, I know it's bad but it requires user input). And it fails a basic action of moving a file from A to B 3 times in a row, destroying the original files and the underlying data on the disk in the process, so that it's impossible to recover. This is a shitload of failed tasks, which makes me wonder if this software is reliable around sensitive data. So, yeah, I'm gonna look if there is a better, more reliable AV.

I’m an Avast user just like yourself and even if I wasn’t using avast but another AV, the precautions I mentioned would still be in force.

As you can see from my settings image, I don’t allow avast (or any other AV) autonomous action in regard to detections and that included other shields including the file system shield. Most of the shield settings the ‘Actions’ section are very much the same, I always set the Primary action to Ask.

The settings of Avast or any other AV software should be:

The AV software must be allowed to move incoming mail to quarantine.
The AV software must NOT be allowed to scan the Inbox file.

Backups don't help much if they get destroyed by the AV as well. Also I wanted to change the action Avast took on the detected files (mentioned that earlier): it showed me a white box with “Automatic” and an arrow-down next to it. So it should be some kind of list/select. But pressing it did absolutely nothing, leaving me no other choice than to do automatically. If you make the effort of creating such a window element, it should work as expected. >:(

@stibi: I only once had avast delete an attachment from a spam mail. Currently I think you should NOT let Avast move valuable files to the quarantine, or they might be destroyed.

  1. There is nothing to stop you unchecking the Automatic option for on-demand scan settings, nor is there anything to stop you from changing the ‘Processing of infected files’ options - as in my attached image.

  2. Where are you looking at this Automatic value with a down arrow that has no options ?

  1. I changed it now. Had it on default before because I thought Avast! was capable of something and I also remembered being able to change the action.

  2. The options were on the result-page of the scan, where it asks you what to do with the issues found. It showed the 3 instances of the Inbox and on the right side were the “Automatic”-buttons.

  1. The result page is effectively historic, it is just showing the ‘result’ of the detections and the Action already taken in the scan. You can’t apply any action after it has been actioned already.

If you change the scan settings and click ‘Automatically apply actions during scan’ (see image) it is here that it shows what Actions you want carried out automatically. If I had that set, then my settings for all 3 tabs I would set to No Action, PLUS the options I mentioned previously.

@DavidR: then why bother making it look like you can select it? Honestly that doesn't make sense. It showed it as a button/list and even changed style (color) when hovering and clicking, but with no functionality behind it. Why would you make it look like you can choose an option when it is already processed? It's this kind of stuff that makes me think Avast! is becoming unreliable. This plus the fact that it destroys files it “moves”.

I guess to give it a better layout than producing a listing looking like the original text file.

If you open the avastUI > Protection and click the Scan history, you can select a specific scan that you have run.

Or you can look at the actual report text file, that contains information on all scans and is listed in chronological order, so you would have to scroll down to the bottom of the page for recent scans.
C:\ProgramData\AVAST Software\Avast\report.

But as I have said I’m just an avast user.
Time spent in reconnaissance is seldom wasted, a little time rummaging round the avastUI is time well spent.

At least one backup should always be stored on a disk that is not permanently connected to your PC.

I only once had avast delete an attachment from a spam mail. Currently I think you should NOT let Avast move valuable files to the quarantine, or they might be destroyed.
If you leave many mails in your Inbox, you can be sure that all of them will go to quarantine with a new, infected object.

It seems he is using GMX mail, and they say unlimited storage >> https://www.gmx.com/mail/mail-storage/#.1559512-stage-expendlist1-1

So if he does as I suggested in my first post, then backup should not be a problem :wink:

I appreciate the help of you all, but sadly that doesn't help get the missing mails back. :frowning: I have contacted Avast via report false-positive section and MartinZ here in forums, as he seems to work for the company. So far I got no answer.

I like my backups local and not in the cloud or on a server somewhere. And that works pretty well. In this case I had to move the primary backup temporarily for privacy reasons, not realizing Avast! would simply destroy every instance of the Inbox it came across. I use Thunderbird for over 10 years now and before that I used MS Outlook. Until now I never lost any mail.

@stibi: Yes I have two older instances of backups. But I'm still missing a third of the mails. It's not just the amount, things like this simply should not happen.

@DavidR: my report folder only has aswBoot, BehaviourShield, EmailShield, FileSystemShield, WebShield. In the Scan-History it's still there, dunno where it's saved. I took a look at the index of the chest and it really only shows the 3 older false positives from some games.

Digging in the files a bit, log of chest shows:

14.04.2018 11:59:58 Error 112 in s_NewFile
14.04.2018 11:59:58 Error 112 in chestAddFileRpc
14.04.2018 11:59:59 Error 112 in s_NewFile
14.04.2018 11:59:59 Error 112 in chestAddFileRpc
14.04.2018 11:59:59 Error 112 in s_NewFile
14.04.2018 11:59:59 Error 112 in chestAddFileRpc

Well, destroyed everything in 2 seconds. And from what I can see that happened after I stopped the scan, so if the list/button would have worked it might have been avoidable >:(