Pseudo Double Scanning?

Hi there!

I’ve been using Avast 4 Home for a few days now, and I’m very happy with it! Despite being very light on the system, it’s incredibly effective!

I just have a technical curiosity about this…

I’ve set the Mail Scanner this way in my Windows 98 SE system (as instructed by Seand):

Flow:
Outlook Express → 127.0.0.1 (port 8110) Avast → 127.0.0.1 (port 110) Spamihilator → pop server (mail.myisp.com – port 110)

Settings in Avast4.ini
[MailScanner]
IgnoreProcess=Spamihilator.exe
Log=20
SmtpListen=127.0.0.1:25
PopListen=127.0.0.1:8110
ImapListen=127.0.0.1:1026
NntpListen=127.0.0.1:119
Trust=127.0.0.1
UseDefaultSmtp=0
DefaultPopServer=127.0.0.1:110
DefaultSmtpServer=127.0.0.1:25
ShowTrayIcon=1
AutoSetProtection=0
PopRedirectPort=110
SmtpRedirectPort=25
ImapRedirectPort=143
NntpRedirectPort=119
IgnoreAddress=
IgnoreLocalhost=1
AutoRedirect=1

This way the mail scanner is the last one in the chain, only scanning messages that have been “released” by Spamihilator as good, non-spam ones. This saves plenty of resources and time!

My curiosity is about the following: when an e-mail is scanned by Spamihilator and considered to be spam, the scanner doesn’t get it, and thus the “scanned files counter” in its menu just stands still. So far, so good…

When an e-mail is released as “good” by Spamihilator and sent to Outlook, the “scanned files counter” is incremented by 2!!!

You could think that a “double-scanning” is happening, but it’s not! One quick look at the e-mail headers shows that there’s only one “avast! (VPS XXXX-X, YY.YY.YYYY), Inbound message X-Antivirus-Status: Clean!”.

If there’s only one “avast! (VPS XXXX-X, YY.YY.YYYY), Inbound message X-Antivirus-Status: Clean!”, it means that the e-mail got scanned only once… So why does the counter show that it’s being scanned twice?

Here’s the log to make it even stranger:

06/17/05 12:18:26 FFEC5CC5: ->POP TOP 1 0
06/17/05 12:18:26 FFEC5CC5: sent 9(0x00000009)
06/17/05 12:18:26 FFEC5CC5: --POP: Getting file
06/17/05 12:18:26 FFEC5CC5: received 1393(0x00000571)
06/17/05 12:18:26 FFEC5CC5: received 3(0x00000003)
06/17/05 12:18:26 FFEC5CC5: --POP: File got
06/17/05 12:18:26 FFEC5CC5: Timeout handler: 0xFFEC4295
06/17/05 12:18:26 FFEC5CC5: ProcessFile entrance C:\WINDOWS\TEMP_avast4_\unp247168631
06/17/05 12:18:26 FFEC5CC5: ProcessFile 2 e-mail ‘’ De: “Nereide Machado Vallido” nereide@fulltrading.com.br, Para: malavasi@malavasi.com.br
06/17/05 12:18:26 FFEC5CC5: ProcessFile scanDlg before e-mail ‘’ De: “Nereide Machado Vallido” nereide@fulltrading.com.br, Para: malavasi@malavasi.com.br
06/17/05 12:18:26 FFEC5CC5: ProcessFile scanDlg after e-mail ‘’ De: “Nereide Machado Vallido” nereide@fulltrading.com.br, Para: malavasi@malavasi.com.br
06/17/05 12:18:26 FFEC5CC5: ProcessFile exit 1(0x00000001)
06/17/05 12:18:26 FFEC5CC5: --POP Mail is clean
06/17/05 12:18:26 FFEC5CC5: --POP Modified message to send: C:\WINDOWS\TEMP_avast4_\unp247168631
06/17/05 12:18:27 FFEC5CC5: sent 1486(0x000005CE)
06/17/05 12:18:27 FFEC5CC5: --POP AavmReleaseScanResult
06/17/05 12:18:27 FFEC5CC5: --POP AavmReleaseScanResult OK
06/17/05 12:18:27 FFEC5CC5: Delete Files
06/17/05 12:18:27 FFEC5CC5: Delete Files OK
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: ->POP RETR 1
06/17/05 12:18:28 FFEC5CC5: sent 8(0x00000008)
06/17/05 12:18:28 FFEC5CC5: --POP: Getting file
06/17/05 12:18:28 FFEC5CC5: received 8192(0x00002000)
06/17/05 12:18:28 FFEC5CC5: received 8186(0x00001FFA)
06/17/05 12:18:28 FFEC5CC5: received 8186(0x00001FFA)
06/17/05 12:18:28 FFEC5CC5: received 8186(0x00001FFA)
06/17/05 12:18:28 FFEC5CC5: received 8186(0x00001FFA)
06/17/05 12:18:28 FFEC5CC5: received 8186(0x00001FFA)
06/17/05 12:18:28 FFEC5CC5: received 8186(0x00001FFA)
06/17/05 12:18:28 FFEC5CC5: received 6110(0x000017DE)
06/17/05 12:18:28 FFEC5CC5: --POP: File got
06/17/05 12:18:28 FFEC5CC5: Timeout handler: 0xFFE9D431
06/17/05 12:18:28 FFEC5CC5: ProcessFile entrance C:\WINDOWS\TEMP_avast4_\unp240279598
06/17/05 12:18:28 FFEC5CC5: ProcessFile 2 e-mail ‘’ De: “Nereide Machado Vallido” nereide@fulltrading.com.br, Para: malavasi@malavasi.com.br
06/17/05 12:18:28 FFEC5CC5: ProcessFile scanDlg before e-mail ‘’ De: “Nereide Machado Vallido” nereide@fulltrading.com.br, Para: malavasi@malavasi.com.br
06/17/05 12:18:28 FFEC5CC5: ProcessFile scanDlg after e-mail ‘’ De: “Nereide Machado Vallido” nereide@fulltrading.com.br, Para: malavasi@malavasi.com.br
06/17/05 12:18:28 FFEC5CC5: ProcessFile exit 1(0x00000001)
06/17/05 12:18:28 FFEC5CC5: --POP Mail is clean
06/17/05 12:18:28 FFEC5CC5: --POP Modified message to send: C:\WINDOWS\TEMP_avast4_\unp240279598
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 8192(0x00002000)
06/17/05 12:18:29 FFEC5CC5: sent 6164(0x00001814)
06/17/05 12:18:29 FFEC5CC5: --POP AavmReleaseScanResult
06/17/05 12:18:29 FFEC5CC5: --POP AavmReleaseScanResult OK
06/17/05 12:18:29 FFEC5CC5: Delete Files
06/17/05 12:18:29 FFEC5CC5: Delete Files OK
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:29 FFEC5CC5: ->POP DELE 1
06/17/05 12:18:29 FFEC5CC5: sent 8(0x00000008)
06/17/05 12:18:29 FFEC5CC5: --POP Before ReadFromPop
06/17/05 12:18:29 FFEC5CC5: received 21(0x00000015)
06/17/05 12:18:29 FFEC5CC5: --POP ReadFromPop …
06/17/05 12:18:29 FFEC5CC5: <-POP +OK Message deleted
06/17/05 12:18:29 FFEC5CC5: sent 21(0x00000015)
06/17/05 12:18:30 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:30 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:30 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:30 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:30 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:30 FFEC5CC5: received 1(0x00000001)
06/17/05 12:18:30 FFEC5CC5: ->POP QUIT
06/17/05 12:18:30 FFEC5CC5: sent 6(0x00000006)
06/17/05 12:18:30 FFEC5CC5: --POP Before ReadFromPop
06/17/05 12:18:30 FFEC5CC5: received 22(0x00000016)
06/17/05 12:18:30 FFEC5CC5: --POP ReadFromPop …
06/17/05 12:18:30 FFEC5CC5: <-POP +OK Everything done.
06/17/05 12:18:30 FFEC5CC5: sent 22(0x00000016)
06/17/05 12:18:30 FFEC5CC5: received 0(0x00000000)
06/17/05 12:18:30 FFEC5CC5: --POP Finishing connection handler

You can see that the e-mail got processed, and then it’s processed all over again (starting on line 06/17/05 12:18:28 FFEC5CC5: ->POP RETR 1)!!!

And it happens all the time!

Any ideas?

By the way, sending messages works perfectly (they are scanned only once and the “scanned files counter” is incremented accordingly) :wink:

Regards

Leonardo

The mail client downloaded first the headers and then the whole mail, and avast scanned both.
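The TOP-then-RETR pattern described in the reply above can be checked directly against a mail scanner log. The following is an added example, not part of the original thread and not avast code: it attributes each `ProcessFile entrance` line to the most recent client POP command on the same connection. The sample log is constructed in the layout of the log quoted in the question (connection id, paths and the second message are made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the log quoted in the thread
# (date, time, connection id, event). Ids and paths are made up.
SAMPLE_LOG = r"""
06/17/05 12:18:26 AAAA0001: ->POP TOP 1 0
06/17/05 12:18:26 AAAA0001: --POP: File got
06/17/05 12:18:26 AAAA0001: ProcessFile entrance C:\TEMP\unp0001
06/17/05 12:18:26 AAAA0001: --POP Mail is clean
06/17/05 12:18:28 AAAA0001: ->POP RETR 1
06/17/05 12:18:28 AAAA0001: --POP: File got
06/17/05 12:18:28 AAAA0001: ProcessFile entrance C:\TEMP\unp0002
06/17/05 12:18:28 AAAA0001: --POP Mail is clean
06/17/05 12:18:29 AAAA0001: ->POP DELE 1
06/17/05 12:18:29 AAAA0001: ->POP RETR 2
06/17/05 12:18:29 AAAA0001: ProcessFile entrance C:\TEMP\unp0003
06/17/05 12:18:30 AAAA0001: ->POP QUIT
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+): (.*)$")    # timestamp, connection, event
CMD_RE = re.compile(r"^->POP (\w+)(?: (\d+))?")     # client command, message number


def scans_per_message(log_text):
    """Map (connection, message number) -> POP commands that led to a scan."""
    last_cmd = {}                 # connection id -> (verb, message number)
    scans = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, conn, event = m.groups()
        cmd = CMD_RE.match(event)
        if cmd:
            last_cmd[conn] = (cmd.group(1).upper(), cmd.group(2))
        elif event.startswith("ProcessFile entrance") and conn in last_cmd:
            verb, msg = last_cmd[conn]
            scans[(conn, msg)].append(verb)
    return dict(scans)


def counted_more_than_once(scans):
    """Describe messages whose retrieval bumped the scan counter more than once."""
    return [f"conn {c} msg {n}: counter +{len(v)} ({' then '.join(v)})"
            for (c, n), v in sorted(scans.items()) if len(v) > 1]


if __name__ == "__main__":
    for finding in counted_more_than_once(scans_per_message(SAMPLE_LOG)):
        print(finding)
```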

Vojtech, is this due to the email program or because Spamihilator downloads the headers first?
By using the IgnoreProcess value in the avast4.ini file, won’t we avoid double scanning?

I use the IgnoreProcess for mailwasher.exe to stop the mail scanner scanning the email info it downloads (also viewed in plain text) to be able to identify whether it is spam or not. This is only the first 103 lines (my settings) so I feel there is a very limited risk in not having ashMaiSv scan mailwasher activity.

However, I do use mailwasher differently, independently of the email program. I fire it up first, it connects, selects/filters, etc. and once it has done its work deleting spam/suspicious email from the server it calls my email program to download the remainder of my email from the servers. Only this is scanned by avast.

But it looks like ‘leomalav’ fires up his email program and this integrates with Spami, and the mail server so it will be scanned into Spami and then again on those that are passed on to Outlook, so unless IgnoreProcess is used it will scan for both programs using the pop3 protocol.
I don’t know if Spami can be used in the same way as mailwasher (independently) or how much Spami downloads to be able to decide if the email is spam. If it has to download the whole email then it should have avast scan it.

Hi Tech

I guess Outlook Express (and not Spami) is asking for the headers and then the whole messages… Obviously the good, non-spam ones!

When Spami considers a message to be spam, it doesn’t get scanned at all (the “scanned files” counter stands still, and the log doesn’t show any activity on this message).

Security-wise, is there a problem letting Spami do all its filtering work first, and then Avast takes over, scanning only the non-spam messages?

Thanks

Leonardo

Good, so the IgnoreProcess value is working.

As far as I know, not. Only if you’re paranoid you’ll feel that lines could be dangerous being read as text.
If you have a DSL connection and a good computer, you could let Spami be scanned and won’t have such delays or trouble with it. The double scanning won’t harm that much.

This is Windows 98; the mail scanner scans only traffic that is explicitly routed to it. IgnoreProcess does not work here. In this configuration, the mail scanner scans only OE’s downloads.

I don’t think there is any security risk.