I am posting this in two parts. Although the entire post is less than 10,000 characters, including spaces, the Forum software insists it exceeds the 10,000 character limit.
After dealing with this issue for nearly a month, and finding an interim work-around with much effort, I’m summarizing the issue here.
ENVIRONMENT: Workstations running 32-bit Windows XP Pro or Windows 7 Ultimate (with and without SP1), using any of these email clients: Outlook Express 6; Eudora 5.x, 6.x, 7.x; Thunderbird 2.x. Three different sets of POP/SMTP servers are used. All email clients are set to connect to these servers WITHOUT SSL or TLS. The servers do not require or support SSL/TLS connections. Avast! was administered on a network using an “administration console” (type/version is irrelevant) that was set up to push EndPoint client Program updates automatically.
OBSERVED BEHAVIOR: After workstation EndPoint clients were updated from version 7.x to version 8.x, some users began seeing Avast! “Mail Shield Security Exclusion” windows, which displayed a message that “Avast! has identified a problem with [the] site certificate [for the email POP or SMTP server].” The window also says, “This site attempts to identify itself with invalid information,” and “The certificate is not trusted.” This window contains a button whose label indicates that pressing it will permanently record an “exclusion” for the certificate. However, pressing this button does not always permanently stop these messages from appearing.
If that button is pressed, another Avast! window appears saying that Avast! has a “new way” to scan SSL emails, and advising the user to turn on SSL email connections in the email client.
When the actual certificate is viewed using the option available in the “Mail Shield Security Exclusion” window, it is always UNexpired. I do not know what criteria Avast! uses to assess certificate validity, but the certificates of three different sets of POP/SMTP servers were reported as “invalid” and “not trusted” within seconds of each other, so I strongly suspect that those criteria are bogus. One server was internal and hosted on my LAN. A second was external and hosted by a fairly small, but reputable, email service provider. The third was hosted by Time Warner Cable (“RoadRunner”), a widely-recognized major ISP. Even if the LAN server certificate was questionable, the other two could not be. I believe that all of the certificates were in fact valid.
For Thunderbird clients, these messages always caused a Windows Program Error, and in one case, a C5 crash error.
I emphasize that this problem occurred only for SOME, not all, workstations that were updated to EndPoint version 8.x. Also, the problem did not always occur on first use of an email client after the EndPoint update. And finally, pressing the button to record the exclusion worked permanently on some workstations but not others. When it did not work, the Avast! “Mail Shield Security Exclusion” window would reappear when a user tried to download or send email using one or more of the three possible POP/SMTP servers, as soon as on the next attempt, or as late as 2-3 days later, after several successful attempts.
There is no consistency in terms of which OS or email clients were used. The problem was seen on workstations with either of the OSes listed, and any of the email clients listed, when connecting to any of the three POP/SMTP servers. There are many other identically-configured machines on which the problem never occurred during a 15-day period while Version 8.x EndPoint clients became available and before I turned off automatic program updates on the console.
This problem seriously disrupted access to email in my organization. I have 93 EndPoint clients installed for staff, and most of them use email many times a day as a critical job function. The problem occurred on 24 of these workstations (26%). I had to visit several of them more than once to address the problem, and the only reliable solution for some of them was to uninstall the 8.x EndPoint client and reinstall the 7.x EndPoint.
EXPECTED BEHAVIOR: All email clients that functioned properly with EndPoint version 7.x should function properly with EndPoint version 8.x. That is, when those clients are not configured to use SSL/TLS, Avast! should not display messages regarding email server SSL certificates at all. IF an email client, such as Thunderbird, IS configured to use SSL/TLS, and IF the server’s certificate is genuinely invalid, then displaying a message about it should not cause an error in the email client.
ADDITIONAL REPORTS:
- I have seen one other report on the Avast Forum that seems to describe the same problem: see “SMTP Emails remain in queue after update to Avast 8” (http://forum.avast.com/index.php?topic=129733.0). This person reported seeing a message about an invalid SSL certificate when a POP/SMTP email client tried to connect to an Exchange server.
- During testing I installed SOA version 1.2.2.28 on two different machines. Part of the installation involves setting up an email account that the SOA will use to send notifications. In both cases the SOA was installed on Windows 7 Ultimate, though one was a 32-bit OS and the other was 64-bit. For both I used our internal email server, hosted on our LAN, for the account. During one of these installations, the Avast! “Mail Shield Security Exclusion” window appeared as soon as I entered the server address. During the other installation, it never appeared, even when I sent a test email.
See part 2 for more information.