Mail scanner issue on OE and XP

Avast intercepted a mail message downloading to my Outlook Express and gave the alert that the email contained a “suspicious” subject line. I knew that the message was from a trusted sender, and because it was only the subject line and not an attachment, I wanted to allow the message through. I kept ticking the “allow” box, but Avast kept repeating the alert. Finally I had to tick “delete” to be able to continue.

I then wanted to find the message in a quarantine folder or somewhere, but could not. Does Avast quarantine messages like this somewhere? I could not even find a log of this event in Avast. Also, is there some way around the Avast alert if you want to allow a message after being warned?

Thanks!

If you selected delete, then no it won’t save it anywhere, sending to the chest would be the only option, however, recovering/restoring it from the chest may not work.

Did you check the avast Log Viewer, warning section (right click the avast icon)?

What surprises me is the multiple alerts if there was only one email I would have thought it would only alert once. I tested this by having the eicar virus emailed to me and the alert fired, I clicked No Action and the email was delivered to my inbox as expected, no multiple alerts.

So what type of scan detected the suspicious email, on-access (receipt of email) or on-demand scan?

It was an on access, automatic scan of email that detected it. It did not actually detect a virus, it said that the Subject of the email was “Suspicious”. (Something about heuristics). My only choices offered at that point were “delete” or “allow”, no option to put it into a “chest”. I chose allow several times and the alert would just repeat each time. I finally had to choose “delete” to continue.

Did you check the ‘Silent mode’?

After deleting it… no way to get it back…

OK so you got this screen (see image, but I haven’t been able to replicate a screen that says allow or that will keep alerting), I did a white space test with an attachment, this too uses heuristics and the options are Delete, Continue or Block it! I used continue and I was able to ignore the warning and receive the email in my inbox.

With your Internet Mail on High, Heuristics will also be on High so the subject will be checked, lowering that to Medium should remove this heuristics check. However, that removes other heuristic checks so it would be better to identify exactly why the Subject is being detected as suspicious and have your friend change it.
Was the Subject blank or what was in the subject line?

Yes, sorry, it said “continue”, not “allow”. When I clicked the continue button it just was an endless loop of the alert, continue, alert, continue, alert, etc…

I was never allowed to see the subject of the message, so I don’t know what it said.

The snippet that was passed through to my inbox was just this:


Suspicious subject of message

Sender: "Jeff " <jk@.*
recipient: “tee***” <stin1

* added to hide email addresses.

I don’t see a resident settings page in my version that looks like that. Can’t find an option for “silent” mode. That may be because I just can’t find it or maybe because I just switched to Avast and am using the free version. Maybe some additional options are available in Pro.

That really is weird, on my tests I only got one alert and continue allowed the complete email to be received.

--------------------------------------------- Suspicious subject of message
This would seem to be a blank subject line as I would have expected to see something after the 'Suspicious subject of message'. But, what is strange is that I can send and receive email with blank subject lines and no alert by avast. My Internet Mail Sensitivity and Heuristic settings are as the above image. What are your settings?

You could ask him to re-send the email (or ask what the subject line contained) and see if you can glean any more information.

You might not see an exact match as that is two windows, click the avast icon to get the On-Access Scanner window, if you don’t see the Installed providers (as in the image) click the button Details. Select Internet Mail, click the Customize button for other Resident task settings.

No. There aren’t these differences.
In Home version, after clicking the ‘Details’ button on providers setup, Custom level button should let you see that.

Ok, I found those settings thanks to all your help. There are many levels of Avast I am not familiar with yet.

To answer some previous questions now that I can find most of the settings… sensitivity is “normal”. Heuristics is medium. Silent mode is not checked.

I did reply to the sender asking him to resend. He has not as of yet. If he does, I will check it on the mail server before trying to download it. Then I can see the exact subject line. I will also send myself a blank subject email to see if I can duplicate the alert.

update on edit: He replied to me and indeed the original message had a blank subject. However, I have received emails without subjects just fine recently. I tested just now sending myself a couple without subjects from different accounts and they came down into OE just fine.

So it probably was just a fluke. I won’t worry about it unless it happens again. What was most concerning was the way I could not “continue” and get the message anyway. Along those lines, I have another question. It seems like it would be nice if mail messages that Avast warns about could be quarantined and inspected before deleting. I don’t see a setting to do this for OE like there appears to be in the Avast settings for Outlook/Exchange?

To answer some previous questions now that I can find most of the settings.... sensitivity is "normal". Heuristics is medium. Silent mode is not checked.

With those settings, this makes it even more strange and as you also say you have received emails with blank emails without problem before.

To inspect an email you would need some form of email client/reader (text or otherwise) that could work in the chest and the whole idea of the chest is that it is a protected area, which prevents access and activation of a potentially infected or infected file/email. That would mean avast having to do that because it is the only program which can work in the chest area.

Now would be a good time to browse the avast help file to get an idea of what things are about, because if and when that alarm goes, reasoning also seems to depart ;D
You might also want to browse the forums, especially the sticky topics at the top of each of the forums. They provide a wealth of information to help you get the best from avast.

Welcome to the forums.

The attachments could be quarantined. The message body (as far as I remember) can’t.
The Internet Mail provider does not support the ‘quarantine’ option offered by the Outlook plugin.