Avast just found a worm in an email (good) but it has removed the whole folder that contained the email to the chest (bad). I need some of the other emails in that folder and anyway I don’t know which particular email was the baddie. Any ideas on how to restore the folder without releasing the worm? Thanks!
Which is your email program?
I never saw avast sending folders to Chest, just files.
Can you extract the file (email box) from Chest to a safe place?
I did, but that was a long time ago with some 4.x versions.
So, maybe we should also ask: Which version of avast do you use…??
asyn
@ jenpen
Email folders are somewhat different to regular Windows folders; most email clients contain emails in a database ‘file’. This contains multiple emails but is essentially a single file.
I suspect that this detection was on an on-demand scan ?
If so which type of scan, Quick, Full Scan, Folder Select, etc.
So first what action was taken, Send to chest should mean that the database file is in the chest ?
If you chose delete then it is gone and you will have to resort to your backups to restore that file, you do backup your system.
What is your email client/program ?
Thanks guys. I use Thunderbird and Avast version 4.8, and yes, it was during an on-demand scan, a Full Scan - the worm was in an email already filed away, so it seems that Avast missed it on the way in.
The file is in the chest.
Tech, what do you mean by “a safe place”?
Well, I thought that Thunderbird stored emails in individual .eml files, not in database files, so an email folder shouldn’t have gone walkabout if this was a detection on a .eml file?
What was the file name and location of the original detection ?
However, if the file is in the chest (you can get that above information) depending on the above answer it may be able to be restored to the original location.
No, Thunderbird uses database files.
Best solution would be to restore the file from chest and delete (also delete trash afterwards) the corresponding mails in TB.
asyn
Well, restoring from the chest could present its own problems, as depending on whatever folder it was (‘inbox,’ etc.) Thunderbird could have replaced that database file. Restoring from the chest just to delete and empty the trash seems a waste of time if you don’t recover the good emails.
So it may be necessary to close Thunderbird rename (safest, can always be renamed again) or remove the database file before restoring the one in the chest. Then manually find the email avast detected in that folder and delete only that one, emptying the trash and compacting all folders.
ad 1. That’s exactly what I meant - deleting the bad, restoring the good.
ad 2. Sounds good! Renaming before should be the safest way.
asyn
I use Pegasus Mail instead of Thunderbird, but it also stores messages in individual files(folders). I’ve excluded the entire Windows directory that contains the mail stores in File System Shield and scans. I also have Mail Shield disabled.
The safer bet is to exclude the database file type inside that folder to try and cut the size of any hole in security by excluding the complete folder.
I don’t keep my OE database files in the default location I have moved them to E:\Data\OE-files in the OE settings (I don’t know if that can be done in thunderbird or Pegasus Mail) and the exclusion for that in relation to OE files would be E:\Data\OE-files*.dbx
One thing however, we don’t know a lot about the OP’s scan type, and if all archives were selected (I suspect Thorough and with Archives selected) ?
A lower level sensitivity/archive selection (Standard scan without archives) may not scan the email database files.
How?
- Windows Explorer?
- avast deletion?
The entire PMail/Mail directory is excluded from File System scanning. Also it is excluded from all manual scanning except for one custom scan I’ve added. The only files in that directory hierarchy are data files containing the mail stores.
Wow, you guys have been so busy while I’ve been asleep
The file in the chest is:
\Thunderbird\Profiles\dmx3zn3f.default\Mail\Local folders\Client folders.sbd
The folder that has disappeared is a subfolder within . The main folder and all the rest of its contents are still there.
I can probably work out which email it was as it’s a folder I don’t use very often and it must have been the last one I added. If I restore the database file from the chest then just delete that email and empty the trash, that would be safe, no? Then run another scan?
That should be OK (but I can’t say it isn’t without risk and I don’t use thunderbird), if Thunderbird hasn’t recreated that folder Client folders.sbd so you would need to rename that (outside of thunderbird, something like Client foldersNew.sbd) before restoring the one from the chest.
I’ve restored the folder a couple of times and each time deleted any recent or suspicious emails but each time the scan has found the worm again. Maybe it’s not “in” an email. So I’m going to restore it one more time, copy any important emails into a new folder, then scan again and leave it in the chest. It’s a bit annoying, almost enough to turn me off Thunderbird actually.
Thanks everyone for the input.
Hope you can restore at least the important mails.
If the worm is in a mail, it would be most likely a mail with attachment.
Good luck…!
asyn
I’m not familiar with Thunderbird, but is there a way to ‘compress’ a folder? When I delete a message in Pegasus Mail, the actual message is still there (all that is deleted is the pointer to the message) when the folder is closed. If the total deleted messages exceed a threshold (default is 24kb), then the folder is compacted (the ‘deleted’ messages are removed from the file (folder)). Until this happens, the antivirus will still find the same strings that it was alerting on.
In TB deleted mails are moved to the trash folder.
That’s why DavidR and I stated to also empty the trash in TB after deleting the suspect mails.
I set TB to always delete the trash on shutdown.
asyn
Pegasus Mail also has a Deleted Messages folder that receives the deleted messages. However, until the original folder that contained the deleted message is compacted, the text is still there and can be found. One can open the folder file in a text editor and see it. An antivirus can also find it.
Perhaps the text of the deleted message is still in the Thunderbird folder until compaction of the folder. That’s why it’s still being found.
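An added example, not part of the thread: a Python check that lists every message still physically present in a Thunderbird mbox folder file, including ones deleted but not yet compacted, together with attachment filenames. It assumes you point it at a copy of the folder file with Thunderbird closed; the sample mbox is constructed, and 0x0008 is the "expunged" bit of the X-Mozilla-Status header.

```python
import mailbox
import os
import tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted in Thunderbird, not yet compacted
# Constructed sample: two messages, the second deleted but still in the file.
SAMPLE = """\
From - Mon Jan 05 10:00:00 2009
X-Mozilla-Status: 0001
Subject: Invoice query

Hello

From - Tue Jan 06 11:00:00 2009
X-Mozilla-Status: 0009
Subject: Your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.zip"

(constructed placeholder, no real payload)
--b1--

"""

def write_sample():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE)
    return path

def audit_mbox(path):
    """List every message physically in the file, deleted or not."""
    box = mailbox.mbox(path, create=False)
    rows = []
    for key, msg in box.items():
        status = int(msg.get("X-Mozilla-Status", "0"), 16)
        names = [p.get_filename() for p in msg.walk() if p.get_filename()]
        rows.append({"subject": msg["Subject"], "attachments": names,
                     "deleted": bool(status & EXPUNGED)})
    box.close()
    return rows

if __name__ == "__main__":
    for row in audit_mbox(write_sample()):
        print(row)
```

A row with `deleted: True` is a message that no longer shows in the folder view but whose bytes, attachment included, remain in the file until the folder is compacted.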